TheTechGuide Forum
General Category => Tech Clinic => Topic started by: indigenous1 on January 03, 2006, 08:28:09 PM
-
I downloaded Avast antivirus onto my parents' computer because it has been running very, very slow lately. I ran it and removed countless infected files. So this morning I start the computer up again and see if I can get IE to run, but it still will not. My automatic update for Windows comes up and I start to run it (Service Pack 2); it is unable to install and all of a sudden the computer starts running very slow again. So I run Avast once again and there are even more viruses than last night. So I need some help here.
Here is the log file.
Logfile of HijackThis v1.99.1
Scan saved at 7:17:17 PM, on 1/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\winqg32.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\kerry and colleen\Local Settings\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rawvm.dll/sp.html#37049%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rawvm.dll/sp.html#37049%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rawvm.dll/sp.html#37049%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rawvm.dll/sp.html#37049%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rawvm.dll/sp.html#37049%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rawvm.dll/sp.html#37049%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rawvm.dll/sp.html#37049%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {003156AA-B2AD-54C8-CF6D-1C992B937149} - C:\WINDOWS\system32\apifd.dll (file missing)
O2 - BHO: Class - {00317A0E-1167-6D33-BFED-F012365FE844} - C:\WINDOWS\system32\winkv.dll (file missing)
O2 - BHO: Class - {0032D506-4FE0-DF8E-EB48-201C0AF54F67} - C:\WINDOWS\system32\sdkay32.dll (file missing)
O2 - BHO: Class - {004CAE59-A6ED-EFA4-22CF-1C6730C6A2D5} - C:\WINDOWS\javaop.dll (file missing)
O2 - BHO: Class - {005BABB0-E95B-9CB5-BA39-5FD11B1F199C} - C:\WINDOWS\system32\mfcno.dll (file missing)
O2 - BHO: Class - {0063090B-13DF-4A70-B546-1B118D5A15E6} - C:\WINDOWS\apibb32.dll (file missing)
O2 - BHO: Class - {006822A7-054C-D4E1-5DD5-312044BEE60E} - C:\WINDOWS\system32\atlcc.dll (file missing)
O2 - BHO: Class - {007085F0-1707-524E-D27C-EE61D3E63E88} - C:\WINDOWS\system32\javajk32.dll (file missing)
O2 - BHO: Class - {0078391E-5E2C-E562-5F00-073BD75EB9F1} - C:\WINDOWS\mscm.dll (file missing)
O2 - BHO: Class - {007B911E-5570-A396-6F4A-A0CC235143DC} - C:\WINDOWS\d3dn.dll (file missing)
O2 - BHO: Class - {007DB292-112E-4F90-41EA-F1D4D83ADE09} - C:\WINDOWS\sdkxf.dll (file missing)
O2 - BHO: Class - {007FBB10-29F9-1035-4BC6-EADBD6D78464} - C:\WINDOWS\sysay32.dll (file missing)
O2 - BHO: Class - {008764D5-773A-A0CE-0E07-D1A50B2AEB9C} - C:\WINDOWS\system32\crtj32.dll (file missing)
O2 - BHO: Class - {0089926D-DE04-05DF-23E5-7BAF764D77DB} - C:\WINDOWS\system32\winqv.dll (file missing)
O2 - BHO: Class - {009057E0-E644-7B31-F576-A66A75B760A4} - C:\WINDOWS\system32\addfn32.dll (file missing)
O2 - BHO: Class - {00910FC8-0897-B399-2EF2-26EFF8788326} - C:\WINDOWS\system32\sdkqu32.dll
O2 - BHO: Class - {0092CB9E-A898-102E-13F0-85FC8AF2AD31} - C:\WINDOWS\sysbc.dll (file missing)
O2 - BHO: Class - {00A24B03-DD53-09FF-B089-5061C12D30FD} - C:\WINDOWS\system32\atlja.dll (file missing)
O2 - BHO: Class - {00A94FA3-6D7B-4318-1171-4B2F003FC38C} - C:\WINDOWS\ntie32.dll (file missing)
O2 - BHO: Class - {00AD3519-3F00-5087-FF3D-ADBC964ABCAE} - C:\WINDOWS\addkn.dll (file missing)
O2 - BHO: Class - {00B78A2F-66BE-9875-FBF9-E1F486C65401} - C:\WINDOWS\system32\crod32.dll (file missing)
O2 - BHO: Class - {00B90684-CDCB-5F04-FCA4-7F1DEE956606} - C:\WINDOWS\system32\javarl.dll (file missing)
O2 - BHO: Class - {00E97FF9-C2D5-30AF-2580-1DF6C99280CB} - C:\WINDOWS\system32\ipza.dll (file missing)
O2 - BHO: Class - {010A99FA-9882-49E3-F544-44129592A646} - C:\WINDOWS\javakc32.dll (file missing)
O2 - BHO: Class - {01150869-6EAA-DBD5-EC6D-97E0570E4D55} - C:\WINDOWS\system32\ipvp.dll (file missing)
O2 - BHO: Class - {011CA171-EE6B-EF0C-A0D7-D291FDD4ECAA} - C:\WINDOWS\addro.dll (file missing)
O2 - BHO: Class - {0124A396-AB83-9F02-38EC-4CC0C20602CC} - C:\WINDOWS\system32\mset32.dll (file missing)
O2 - BHO: Class - {01263BA8-DD90-3C6A-47E7-0FEAF30DB663} - C:\WINDOWS\system32\winbu32.dll (file missing)
O2 - BHO: Class - {0128CB6A-3BE0-896F-A8BF-286ECE71F3F1} - C:\WINDOWS\system32\winvy.dll (file missing)
O2 - BHO: Class - {012E3C96-088E-958B-C19D-772FA69FFB2A} - C:\WINDOWS\system32\d3ww32.dll (file missing)
O2 - BHO: Class - {013A22CB-C720-7FB1-F261-300904C98BFD} - C:\WINDOWS\system32\sdktj32.dll (file missing)
O2 - BHO: Class - {013F1D00-32FB-D06B-1419-6480DD6E1239} - C:\WINDOWS\winrq.dll (file missing)
O2 - BHO: Class - {0144BFA4-0B7F-AD08-70B4-D0CB8681927E} - C:\WINDOWS\system32\syshz32.dll (file missing)
O2 - BHO: Class - {01455E70-B6DC-DF81-8323-ADC8CB9B6016} - C:\WINDOWS\system32\atlyx32.dll (file missing)
O2 - BHO: Class - {01459542-C37E-C5EA-05BA-1A515DC8EE34} - C:\WINDOWS\system32\ielc.dll (file missing)
O2 - BHO: Class - {014A827D-E04B-4100-86CC-AA5FBCB8F577} - C:\WINDOWS\system32\ntlb.dll (file missing)
O2 - BHO: Class - {0152093B-52C0-D7E8-FBD3-2B2966BDB4FC} - C:\WINDOWS\netpi32.dll (file missing)
O2 - BHO: Class - {0155D68B-7071-FAF3-02DB-27C5446BD84B} - C:\WINDOWS\system32\javaop32.dll (file missing)
O2 - BHO: Class - {01760CDC-D77E-6490-7E10-7131683D9C12} - C:\WINDOWS\winjl32.dll (file missing)
O2 - BHO: Class - {017A0FF7-26F5-7344-C985-64575DDA97DD} - C:\WINDOWS\appld32.dll (file missing)
O2 - BHO: Class - {01C3675A-742C-F571-C549-9B7E893FC5E9} - C:\WINDOWS\system32\javami32.dll (file missing)
O2 - BHO: Class - {01D2AB2E-F21F-B5AE-9B4D-2760FBB33C6D} - C:\WINDOWS\system32\msxp.dll (file missing)
O2 - BHO: Class - {01DD0E35-D044-4315-C8F3-594EFE0AAF3B} - C:\WINDOWS\system32\sdkyi32.dll (file missing)
O2 - BHO: Class - {01EBCE5B-9CE3-6F54-707D-17AF4A43EA22} - C:\WINDOWS\system32\ipqe32.dll (file missing)
O2 - BHO: Class - {01F3905D-2042-3016-19C2-68533992D798} - C:\WINDOWS\appns.dll (file missing)
O2 - BHO: Class - {01F91520-9F2B-B84B-1458-DF849EFEAEE8} - C:\WINDOWS\system32\mfcml32.dll (file missing)
O2 - BHO: Class - {0207AE86-DEC5-5CC1-9C0F-FF84E29A81F5} - C:\WINDOWS\system32\syshq32.dll (file missing)
O2 - BHO: Class - {022B05B8-2B04-C6AA-AF23-E6174F8F7AEB} - C:\WINDOWS\system32\syskv32.dll (file missing)
O2 - BHO: Class - {027602E2-163B-E675-169C-61D11C7D6D27} - C:\WINDOWS\system32\addbg32.dll (file missing)
O2 - BHO: Class - {0283E400-BF96-1C65-2C3F-9441F31430C2} - C:\WINDOWS\ieot32.dll (file missing)
O2 - BHO: Class - {0286A45F-27C1-EAF6-004E-A147DE178896} - C:\WINDOWS\system32\d3aj32.dll (file missing)
O2 - BHO: Class - {029FBD34-C8B2-9002-2C1A-6F854F82041A} - C:\WINDOWS\winla.dll (file missing)
O2 - BHO: Class - {02A69FBB-7B0E-C07B-30E9-E43203460F06} - C:\WINDOWS\system32\addiy32.dll (file missing)
O2 - BHO: Class - {02AC2B1F-8EDC-D35D-97A9-9E5B4B8A9DB3} - C:\WINDOWS\javaxw32.dll (file missing)
O2 - BHO: Class - {02B010E6-F55E-18F9-AFDC-5F03CBD884E6} - C:\WINDOWS\sdkes32.dll (file missing)
O2 - BHO: Class - {02B1DD18-286C-7339-2831-1E97FFBF8C58} - C:\WINDOWS\sysys.dll (file missing)
O2 - BHO: Class - {02B55B9A-C396-BC1A-9595-FA210D9AEEA0} - C:\WINDOWS\netfh.dll (file missing)
O2 - BHO: Class - {02C0DCC5-3CE6-0398-0598-65E2B62B528F} - C:\WINDOWS\system32\mshl32.dll (file missing)
O2 - BHO: Class - {02CAD123-9877-5EBB-1EA0-E44C595D1271} - C:\WINDOWS\atltx.dll (file missing)
O2 - BHO: Class - {02CD1EC1-58C9-24B1-C3D0-C7646C96F812} - C:\WINDOWS\addep.dll (file missing)
O2 - BHO: Class - {02D7653D-5083-4FED-0389-1E9D5735F0E5} - C:\WINDOWS\system32\msbp.dll (file missing)
O2 - BHO: Class - {02DA43E3-4040-4537-5E7E-2E3A20068395} - C:\WINDOWS\system32\ntoj32.dll (file missing)
O2 - BHO: Class - {02E461BD-30E0-5DFB-7437-1787679686CA} - C:\WINDOWS\system32\addsc32.dll (file missing)
O2 - BHO: Class - {02E5DA79-DA5C-C19C-1D4B-D80A9ABEFF86} - C:\WINDOWS\msun32.dll (file missing)
O2 - BHO: Class - {02FEB6C3-679F-85E9-7FF3-5BCF57122E2D} - C:\WINDOWS\netda.dll (file missing)
O2 - BHO: Class - {030916FE-6CC8-75D9-BFBF-4F3D1C97AF3E} - C:\WINDOWS\atlwq32.dll (file missing)
O2 - BHO: Class - {0313D293-F8C5-AF26-E8D6-0687874060FB} - C:\WINDOWS\addur32.dll (file missing)
O2 - BHO: Class - {0315F317-B483-4A2F-BA76-568F3D29FB28} - C:\WINDOWS\ntba.dll (file missing)
O2 - BHO: Class - {03180DE2-F6E2-6009-8992-9DA5DEF05B55} - C:\WINDOWS\system32\javasy32.dll (file missing)
O2 - BHO: Class - {032F02E7-5716-7D60-3E88-9B6309146D54} - C:\WINDOWS\system32\atlek32.dll (file missing)
O2 - BHO: Class - {032FD310-B05A-9CD7-D30D-E062B48F330F} - C:\WINDOWS\atlsb.dll (file missing)
O2 - BHO: Class - {03370B54-7064-0AB4-E47D-570A8BB29E0D} - C:\WINDOWS\ievp32.dll (file missing)
O2 - BHO: Class - {033935E4-A208-AB9E-DD2A-6A9B7E426D04} - C:\WINDOWS\mfcuw.dll (file missing)
O2 - BHO: Class - {03403984-3210-E5B7-4E13-5458BD540092} - C:\WINDOWS\system32\d3bw.dll (file missing)
O2 - BHO: Class - {03433DF4-52B3-D7BA-CE65-5B6EADF47ABE} - C:\WINDOWS\system32\apils.dll (file missing)
O2 - BHO: Class - {034878B2-7EF9-405E-54C5-AB064A6B6481} - C:\WINDOWS\mfclf.dll (file missing)
O2 - BHO: Class - {035AB507-A454-30C0-7879-F028430BA8A3} - C:\WINDOWS\system32\ipah.dll (file missing)
O2 - BHO: Class - {035B4815-86B1-8C80-8C98-8825BFEDD4A9} - C:\WINDOWS\sdkic32.dll (file missing)
O2 - BHO: Class - {035B9D9B-1F54-732E-6BC9-8636A0AC6460} - C:\WINDOWS\sysbh32.dll (file missing)
O2 - BHO: Class - {035E66F7-FD55-5690-77E4-55B4D846010E} - C:\WINDOWS\netxa.dll (file missing)
O2 - BHO: Class - {0372BF75-CDA2-BD24-2D6F-BCCFC6A8E85C} - C:\WINDOWS\ntqp32.dll (file missing)
O2 - BHO: Class - {0374CA48-A799-5108-7C38-BAC7CF481D17} - C:\WINDOWS\javabb32.dll (file missing)
O2 - BHO: Class - {037FA2F8-372A-C652-77FF-F23198522B67} - C:\WINDOWS\winew32.dll (file missing)
O2 - BHO: Class - {038102A8-6BBF-3523-E9F7-013C8EC35F4A} - C:\WINDOWS\system32\atlie32.dll (file missing)
O2 - BHO: Class - {0394B35E-2AC9-655E-57E6-D9C208651426} - C:\WINDOWS\system32\sysgs.dll (file missing)
O2 - BHO: Class - {03985CE5-1795-ADB0-4881-ECE4DF4553EA} - C:\WINDOWS\windk32.dll (file missing)
O2 - BHO: Class - {039B7C13-F237-757B-D633-29FC992B6EB7} - C:\WINDOWS\system32\javasp32.dll (file missing)
O2 - BHO: Class - {03A2D7B5-7F29-C057-69BA-28A6D6BFD1C8} - C:\WINDOWS\system32\sysbq32.dll (file missing)
O2 - BHO: Class - {03C7E373-5AAC-63DE-1204-203615E7FEB8} - C:\WINDOWS\system32\ntcx32.dll (file missing)
O2 - BHO: Class - {0402ED77-6A3E-935E-AC06-95ADD3F1EC13} - C:\WINDOWS\apptn32.dll (file missing)
O2 - BHO: Class - {0408BD9F-FBE0-566C-EBDA-DBC97DA7E144} - C:\WINDOWS\ntvf.dll (file missing)
O2 - BHO: Class - {04194DC1-FE3C-EB9E-862A-625742602CF4} - C:\WINDOWS\msfn.dll (file missing)
O2 - BHO: Class - {041D1EC3-6007-E092-7365-E16CBCAE9E0B} - C:\WINDOWS\crap32.dll (file missing)
O2 - BHO: Class - {04253698-01F7-A6BE-9E31-AEAA3D1A199F} - C:\WINDOWS\ntae32.dll (file missing)
O2 - BHO: Class - {0426289E-C3E9-C13A-ED9A-FA21D3758986} - C:\WINDOWS\ieeu32.dll (file missing)
O2 - BHO: Class - {04280B5C-D8EC-8CBA-64C0-902824D9E96E} - C:\WINDOWS\system32\ntlq.dll (file missing)
O2 - BHO: Class - {042DBEF5-EE80-F569-CAC1-C25AEDCADB03} - C:\WINDOWS\addyp.dll (file missing)
O2 - BHO: Class - {04324C8A-2846-9CDA-7AE9-6D0D763453AE} - C:\WINDOWS\addjx32.dll (file missing)
O2 - BHO: Class - {0435B265-2FA6-A319-F52C-9B10427ADF8D} - C:\WINDOWS\system32\ieiu.dll (file missing)
O2 - BHO: Class - {043F02AD-CD1E-97CC-ADFC-0D6EFF6BCAC5} - C:\WINDOWS\system32\sysis.dll (file missing)
O2 - BHO: Class - {0442E405-0105-7F0E-EF25-907454BCBB4D} - C:\WINDOWS\system32\ntvz.dll (file missing)
O2 - BHO: Class - {0457DBF9-CCA3-26EC-6311-BF8B9C15E2C2} - C:\WINDOWS\system32\apict32.dll (file missing)
O2 - BHO: Class - {04586809-C5E8-A2F8-EDA5-6597DA0AD199} - C:\WINDOWS\system32\atlhb.dll (file missing)
O2 - BHO: Class - {04A2CA19-69CB-6234-29E3-85CCFE6F5405} - C:\WINDOWS\system32\javaaf32.dll (file missing)
O2 - BHO: Class - {04CABB8A-1C34-EAB8-A8CB-9FFB336540D4} - C:\WINDOWS\atlrs.dll (file missing)
O2 - BHO: Class - {04D30BC2-BAAC-DF6B-6F8B-0149E0564B1D} - C:\WINDOWS\system32\ntzi32.dll (file missing)
O2 - BHO: Class - {04D536A8-BE6C-6283-AD25-18CADEF98984} - C:\WINDOWS\sysdw32.dll (file missing)
O2 - BHO: Class - {04D84A7E-AF1A-27B3-7174-33D2BABA7210} - C:\WINDOWS\apijk32.dll (file missing)
O2 - BHO: Class - {04E19B1B-1EAE-FFA4-6D31-B92152BEDCC9} - C:\WINDOWS\system32\apihj.dll (file missing)
O2 - BHO: Class - {04E44D61-38BB-E8B2-A1A9-21ADD21CA485} - C:\WINDOWS\system32\winsj32.dll (file missing)
O2 - BHO: Class - {04FA0937-0930-1006-31A1-535AEA9649FE} - C:\WINDOWS\netzh.dll (file missing)
O2 - BHO: Class - {04FC9658-0375-8D02-BA36-0965398A38C5} - C:\WINDOWS\system32\crsk32.dll (file missing)
O2 - BHO: Class - {0535FF3D-8B14-0B58-1F20-E93989E72FB0} - C:\WINDOWS\system32\d3lj32.dll (file missing)
O2 - BHO: Class - {05429DE5-9AEC-4A99-3592-2D986ECF6294} - C:\WINDOWS\system32\iecw.dll (file missing)
O2 - BHO: Class - {054F5E50-28A8-4816-3209-EFF9B61A1BEC} - C:\WINDOWS\system32\javaei32.dll (file missing)
O2 - BHO: Class - {05563232-5F02-763A-E92E-D32E0B4BF53F} - C:\WINDOWS\crjx.dll (file missing)
O2 - BHO: Class - {0566E16E-2A99-5084-E121-5895960CC230} - C:\WINDOWS\system32\javayj32.dll (file missing)
O2 - BHO: Class - {0573961B-FD45-7838-DF47-E4F51430CAF7} - C:\WINDOWS\appan.dll (file missing)
O2 - BHO: Class - {057AA07B-6035-C977-C4F6-22C3007CC2F8} - C:\WINDOWS\sdkmx32.dll (file missing)
O2 - BHO: Class - {058680EF-4C0E-9D88-7204-989DB27DFD59} - C:\WINDOWS\javacc32.dll (file missing)
O2 - BHO: Class - {059571E8-E486-1B82-E2B1-5E7F1A56B1E8} - C:\WINDOWS\sysqm.dll (file missing)
O2 - BHO: Class - {059AB543-4789-E145-BA9A-9825AEACF11B} - C:\WINDOWS\system32\ieno.dll (file missing)
O2 - BHO: Class - {05A88A23-B9D1-7899-EB64-F4AEB6601F25} - C:\WINDOWS\system32\netoa32.dll (file missing)
O2 - BHO: Class - {05B54EEA-CBAB-75C1-8A21-34789E39A7D5} - C:\WINDOWS\system32\sdkor32.dll (file missing)
O2 - BHO: Class - {05B92FED-4D76-7AC5-786D-B39C086729FC} - C:\WINDOWS\sdkba.dll (file missing)
O2 - BHO: Class - {05BA99FE-B9FE-C1A4-557E-880036A20118} - C:\WINDOWS\syscv.dll (file missing)
O2 - BHO: Class - {05C13EB5-7881-2B00-7C2C-BE433C3C51A6} - C:\WINDOWS\system32\sdkyh.dll (file missing)
O2 - BHO: Class - {05C2CD81-24FE-5D99-8F9B-7B4071451E4E} - C:\WINDOWS\system32\javagp32.dll (file missing)
O2 - BHO: Class - {05D28462-944E-6985-69CD-AF3E4EABB1C8} - C:\WINDOWS\system32\d3ft32.dll (file missing)
O2 - BHO: Class - {05DBFB5A-148E-655D-A543-649DA7D51173} - C:\WINDOWS\system32\mfcvs32.dll (file missing)
O2 - BHO: Class - {05DF759A-7AB8-74F8-1007-762880E7156C} - C:\WINDOWS\atlfc.dll (file missing)
O2 - BHO: Class - {05E7E2E5-A44B-22B2-1B14-3168021210A7} - C:\WINDOWS\ntwf32.dll (file missing)
O2 - BHO: Class - {05EDEE7D-0B9D-F21C-6066-1E94044BD1BC} - C:\WINDOWS\system32\cryd32.dll (file missing)
O2 - BHO: Class - {05F6F6EC-DA71-D6F9-3745-C8D289B4EDEF} - C:\WINDOWS\appft32.dll (file missing)
O2 - BHO: Class - {0602B01F-0C23-2945-B36B-FD4B02C0B514} - C:\WINDOWS\system32\appaw.dll (file missing)
O2 - BHO: Class - {060E35E9-E407-EE2E-E95E-803984534324} - C:\WINDOWS\system32\netjw.dll (file missing)
O2 - BHO: Class - {06197E31-50B6-4043-D6C9-8E70AAB849E5} - C:\WINDOWS\system32\windh.dll (file missing)
O2 - BHO: Class - {061C880C-9214-661C-A5E5-D5955C8EB912} - C:\WINDOWS\apptb32.dll (file missing)
O2 - BHO: Class - {0631CBDA-7F99-C68B-C89A-E8A19DA73BEE} - C:\WINDOWS\system32\addra32.dll (file missing)
O2 - BHO: Class - {063D279E-A38A-A210-36D9-149D77FEE32B} - C:\WINDOWS\system32\cren.dll (file missing)
O2 - BHO: Class - {063F0059-A1A5-3C34-2788-9C85F54F8033} - C:\WINDOWS\system32\msbv32.dll (file missing)
O2 - BHO: Class - {063FF24F-53A7-58B0-86E1-F81C9BAAFF3A} - C:\WINDOWS\windx32.dll (file missing)
O2 - BHO: Class - {064905B7-0C45-8757-3090-1BEF98713F25} - C:\WINDOWS\javase.dll (file missing)
O2 - BHO: Class - {064B07E4-3062-F9A9-AD59-69604F8C8F77} - C:\WINDOWS\system32\msqd32.dll (file missing)
O2 - BHO: Class - {064CE72F-402C-6FA9-72C8-ADF5FEC210AD} - C:\WINDOWS\addil32.dll
O2 - BHO: Class - {06511831-9B79-0A9B-0C92-991F58C5B4A7} - C:\WINDOWS\crmo.dll (file missing)
O2 - BHO: Class - {0652D47D-1C86-4A6E-368E-FC2CE7424D23} - C:\WINDOWS\system32\addcf32.dll (file missing)
O2 - BHO: Class - {065681BC-006E-9E35-5DC5-EF4FEF1D58C6} - C:\WINDOWS\atljx32.dll (file missing)
O2 - BHO: Class - {065FC1F3-9ED6-83E8-0595-519D9C0E43FF} - C:\WINDOWS\system32\nthn32.dll (file missing)
O2 - BHO: Class - {0661D7C2-371C-C623-4982-2277DF99E129} - C:\WINDOWS\addma32.dll (file missing)
O2 - BHO: Class - {066D61E7-31BC-C0E4-CE4E-F5740253643A} - C:\WINDOWS\mfcxk32.dll (file missing)
O2 - BHO: Class - {0678BD57-7926-2CB9-09D4-78CBB306F3AF} - C:\WINDOWS\system32\iefg32.dll (file missing)
O2 - BHO: Class - {068489CE-C742-D99D-0B6E-1D0E454D2566} - C:\WINDOWS\system32\apphh.dll (file missing)
O2 - BHO: Class - {069FEA99-1168-7949-95DD-D064A827ABDC} - C:\WINDOWS\sdkkp.dll (file missing)
O2 - BHO: Class - {06E9293B-0874-4C97-3FF4-7898452B2624} - C:\WINDOWS\system32\netmn.dll (file missing)
O2 - BHO: Class - {06F2F9D7-CBB7-3A1B-945B-B55C3958B32A} - C:\WINDOWS\system32\addko32.dll (file missing)
O2 - BHO: Class - {07058BA3-7AA4-113B-9631-087033B78712} - C:\WINDOWS\system32\d3bl.dll (file missing)
O2 - BHO: Class - {0706338B-9CE7-5994-DFBC-88F6A678A984} - C:\WINDOWS\system32\mser32.dll (file missing)
O2 - BHO: Class - {070A9AF7-732E-A801-646D-0D9F1C0626F9} - C:\WINDOWS\system32\addzq.dll (file missing)
O2 - BHO: Class - {070C3EB7-6F3B-2B33-71B8-05AA17347B31} - C:\WINDOWS\system32\atlpm32.dll (file missing)
O2 - BHO: Class - {0713F490-5897-74D3-8736-456602C0D47B} - C:\WINDOWS\system32\ntwa.dll (file missing)
O2 - BHO: Class - {07146AF0-7FF5-EAB9-8DF4-A761A47B6EC0} - C:\WINDOWS\mfcda.dll (file missing)
O2 - BHO: Class - {072CAE8C-38F2-5B21-58C7-3F1949B30C0E} - C:\WINDOWS\system32\msoa.dll (file missing)
O2 - BHO: Class - {072E4343-D602-0ADF-C47C-83BCE94CC13E} - C:\WINDOWS\ntbn32.dll (file missing)
O2 - BHO: Class - {0743DA68-0E28-C684-9FC4-83C242C144CB} - C:\WINDOWS\system32\ntyh32.dll (file missing)
O2 - BHO: Class - {077B6257-5FF2-99E2-4271-626F5736BD18} - C:\WINDOWS\addle32.dll (file missing)
O2 - BHO: Class - {07850CE3-1044-C87E-2D7E-A3B83871E631} - C:\WINDOWS\atlma32.dll (file missing)
O2 - BHO: Class - {0785E382-D842-E060-C164-DD3F0FB832F7} - C:\WINDOWS\system32\ipcl.dll (file missing)
O2 - BHO: Class - {079FC989-AC41-02CB-5596-5A02A41BB70E} - C:\WINDOWS\addlz32.dll (file missing)
O2 - BHO: Class - {07AEE7F2-1978-9E11-ECC0-B7E565673770} - C:\WINDOWS\system32\ntfe.dll (file missing)
O2 - BHO: Class - {07C26786-AEB9-D008-6BFF-7402FA16E391} - C:\WINDOWS\system32\sysco.dll (file missing)
O2 - BHO: Class - {07D9AB78-38D2-24CF-7AAF-10AB9B60E030} - C:\WINDOWS\sysxf.dll (file missing)
O2 - BHO: Class - {07D9FD4D-6D4C-4A65-72AC-9B3400AF232F} - C:\WINDOWS\sdkyq.dll (file missing)
O2 - BHO: Class - {07DABBD5-6266-88F3-4EEF-7DCA2FA9AB12} - C:\WINDOWS\sdkxl32.dll (file missing)
O2 - BHO: Class - {07DCD1F0-3431-2061-572B-9CC2066EF30E} - C:\WINDOWS\system32\addhr.dll (file missing)
O2 - BHO: Class - {07E3A13B-657F-5210-C8A4-A2F729B41F82} - C:\WINDOWS\ntjh.dll (file missing)
O2 - BHO: Class - {07E65FDF-2A73-7925-24D8-A81B2D818986} - C:\WINDOWS\mfcef32.dll (file missing)
O2 - BHO: Class - {07F1BD9C-F6EB-D4B5-02B4-8ADA6FA20652} - C:\WINDOWS\system32\sysut32.dll (file missing)
O2 - BHO: Class - {07F58C42-E5B8-EA0E-6CBA-AA7738739A02} - C:\WINDOWS\winxj.dll (file missing)
O2 - BHO: Class - {07FB823E-F9DE-12D2-61F9-F3BC18F30BF8} - C:\WINDOWS\system32\systd.dll
O2 - BHO: Class - {07FFA67A-712E-10CA-AB2F-005BE3833F6F} - C:\WINDOWS\nthx32.dll (file missing)
O2 - BHO: Class - {082FA205-CF3A-E156-F50C-35DEC1A41A0F} - C:\WINDOWS\ipbz.dll (file missing)
O2 - BHO: Class - {083A00C1-8BB2-5BD6-D3E8-27ADF3D597CA} - C:\WINDOWS\msns.dll (file missing)
O2 - BHO: Class - {083BB3F1-97E9-86D9-D6D7-D82343AADC7D} - C:\WINDOWS\system32\sdkpq32.dll (file missing)
O2 - BHO: Class - {08484541-BCCD-C18F-32D6-EB815B6DEC10} - C:\WINDOWS\system32\ntim.dll (file missing)
O2 - BHO: Class - {0849D85E-9E3A-1D4E-46F5-738EC7501816} - C:\WINDOWS\system32\netpf.dll (file missing)
O2 - BHO: Class - {08672C48-A150-AFA8-7101-3AF575D1EB75} - C:\WINDOWS\system32\addfa32.dll (file missing)
O2 - BHO: Class - {086A2B10-CBD6-9425-CAB7-630B339588D1} - C:\WINDOWS\apisj32.dll (file missing)
O2 - BHO: Class - {08742320-7B91-B041-BB02-54EE6347959B} - C:\WINDOWS\system32\apiqx.dll (file missing)
O2 - BHO: Class - {0877A705-CF0F-9B04-E7FC-376A8A21A172} - C:\WINDOWS\system32\javazk32.dll (file missing)
O2 - BHO: Class - {087899FB-71F1-C680-3656-92E12F8C1179} - C:\WINDOWS\syspq32.dll (file missing)
O2 - BHO: Class - {088042C1-CF32-5709-F987-88BB55DF78A1} - C:\WINDOWS\system32\crdj32.dll (file missing)
O2 - BHO: Class - {089822DD-A09F-FC5F-3372-8ED9AEC3F610} - C:\WINDOWS\system32\sdkce32.dll (file missing)
O2 - BHO: Class - {089852EF-DA68-EB82-3233-986283B60FCC} - C:\WINDOWS\system32\mfcbx.dll (file missing)
O2 - BHO: Class - {0899151F-E69F-1686-3512-49E8D49B547E} - C:\WINDOWS\ieps.dll (file missing)
O2 - BHO: Class - {08A16CBA-2D4A-CD2A-AC68-B1289A8DFA47} - C:\WINDOWS\system32\mshj32.dll (file missing)
O2 - BHO: Class - {08AA5DB2-A44F-8F76-711C-956A8C663487} - C:\WINDOWS\crcq.dll (file missing)
O2 - BHO: Class - {08B37597-543F-3682-9CE8-5399FDD1AF1B} - C:\WINDOWS\iemx.dll (file missing)
O2 - BHO: Class - {08BCB911-27A7-446C-4557-9FF6E0AB08B2} - C:\WINDOWS\system32\mfcrc32.dll (file missing)
O2 - BHO: Class - {08CC5E40-8C58-29E6-174D-52D53EB571EA} - C:\WINDOWS\system32\ipqc32.dll (file missing)
O2 - BHO: Class - {08D7DCB9-A18D-AF6B-AF0D-4A3C5AC6A8F1} - C:\WINDOWS\d3dq.dll (file missing)
O2 - BHO: Class - {090277E5-E08B-F02D-EFC4-EC18EF57335C} - C:\WINDOWS\javays32.dll (file missing)
O2 - BHO: Class - {09130DA4-2602-1DD5-DB25-F69DD7B9CD2A} - C:\WINDOWS\iend32.dll (file missing)
O2 - BHO: Class - {091F1994-2589-E2A5-3267-A7E14CC24368} - C:\WINDOWS\system32\winru32.dll (file missing)
O2 - BHO: Class - {092C0E63-121E-FA9D-1E4E-5DDAA0E963DB} - C:\WINDOWS\system32\addnm32.dll (file missing)
O2 - BHO: Class - {092CC6AA-538B-D8B7-4D6D-94C9785175B6} - C:\WINDOWS\system32\msvl32.dll (file missing)
O2 - BHO: Class - {093090BA-B1FE-72F7-A6A9-7CF6C4D3393E} - C:\WINDOWS\system32\ntnn32.dll (file missing)
O2 - BHO: Class - {09344CF2-F3E4-9C52-6F87-02823733C5DA} - C:\WINDOWS\ntvh32.dll (file missing)
O2 - BHO: Class - {093585F1-45A2-F3FD-5DC8-CE8C707B844B} - C:\WINDOWS\iprq.dll (file missing)
O2 - BHO: Class - {0940292B-4CA0-70A8-794E-09E449B611D4} - C:\WINDOWS\system32\netff.dll (file missing)
O2 - BHO: Class - {094C8991-D4CA-2D16-BFB0-B84ABF8D27DA} - C:\WINDOWS\appvv.dll (file missing)
O2 - BHO: Class - {094D3C6B-0FD5-85DB-7DA2-55DE1550FD2B} - C:\WINDOWS\system32\atlkh32.dll (file missing)
O2 - BHO: Class - {0958BFE2-0B32-DB04-80FC-3F165E4F5062} - C:\WINDOWS\crto.dll (file missing)
O2 - BHO: Class - {095AE626-BAC9-8D23-E652-D32FB0624101} - C:\WINDOWS\netby32.dll (file missing)
O2 - BHO: Class - {095AEAC7-0EE3-5E2C-CE96-56983CF29ED9} - C:\WINDOWS\system32\apici32.dll (file missing)
O2 - BHO: Class - {0972EE38-5F19-0CDC-F8F2-205E91929353} - C:\WINDOWS\apizi.dll (file missing)
O2 - BHO: Class - {097FEAC8-2F66-1ADA-699F-2838B1F22928} - C:\WINDOWS\winyt32.dll (file missing)
O2 - BHO: Class - {09A44D23-36D4-1C12-AD2A-E655F1C400AD} - C:\WINDOWS\javajg32.dll (file missing)
O2 - BHO: Class - {09D5204A-874B-9DCA-CD74-A138A4451225} - C:\WINDOWS\system32\sdkii32.dll (file missing)
O2 - BHO: Class - {09D6E9D5-A43E-FBA5-1F3C-92CDA7424EE9} - C:\WINDOWS\system32\iprw32.dll (file missing)
O2 - BHO: Class - {09FB32FD-A37F-80FB-81BA-E5E7A992B7C6} - C:\WINDOWS\addmd32.dll (file missing)
O2 - BHO: Class - {0A0FF6B2-F037-E653-9B2C-9C1544FD844C} - C:\WINDOWS\system32\ntrx.dll (file missing)
O2 - BHO: Class - {0A261981-5087-4BD5-BB1C-2E35FF54882F} - C:\WINDOWS\system32\d3gw32.dll (file missing)
O2 - BHO: Class - {0A66CBAA-236D-B89D-CD83-DE127147DC70} - C:\WINDOWS\atlhy32.dll (file missing)
O2 - BHO: Class - {0A70899B-4378-E095-99F0-F4E37E5E8CA5} - C:\WINDOWS\system32\netxm.dll (file missing)
O2 - BHO: Class - {0A89880E-AC76-CE92-49C2-EBA9B61044FE} - C:\WINDOWS\atlvu.dll (file missing)
O2 - BHO: Class - {0A8D0092-6F79-27C0-3B9C-D542A7FC6907} - C:\WINDOWS\system32\javaoj32.dll (file missing)
O2 - BHO: Class - {0A8F9DA2-68AE-94CC-C521-8B5DF5E048DD} - C:\WINDOWS\msvz32.dll (file missing)
O2 - BHO: Class - {0A970907-E04F-2619-61D4-DA07C2C0D521} - C:\WINDOWS\system32\addmd.dll (file missing)
O2 - BHO: Class - {0A9AC70B-D55C-F5E0-B29D-89941C454F9E} - C:\WINDOWS\apigc32.dll (file missing)
O2 - BHO: Class - {0AA3F3DE-030A-E239-79EC-175ABD7AC2CC} - C:\WINDOWS\system32\javang.dll (file missing)
O2 - BHO: Class - {0AB844A3-59F7-B49D-2CE3-649396BA8F19} - C:\WINDOWS\atlkm.dll (file missing)
O2 - BHO: Class - {0ABA38C6-4006-515B-E705-1E8AF3205F52} - C:\WINDOWS\system32\netmu.dll (file missing)
O2 - BHO: Class - {0ABBF74F-5521-80E9-A448-F010122AC646} - C:\WINDOWS\system32\msin32.dll (file missing)
O2 - BHO: Class - {0ABDB1DF-2316-1A30-4569-3C2CBA8172F0} - C:\WINDOWS\system32\addza32.dll (file missing)
O2 - BHO: Class - {0AC5D5FC-CDEA-D4D6-2A99-1B6A091210B5} - C:\WINDOWS\system32\netvg.dll (file missing)
O2 - BHO: Class - {0AC7FED9-E4EE-4D4E-1A19-CDEB6C66C58A} - C:\WINDOWS\system32\msxl32.dll (file missing)
O2 - BHO: Class - {0ADC4EA8-88E9-0336-6EB6-BF9DB04B13C0} - C:\WINDOWS\system32\addas32.dll (file missing)
O2 - BHO: Class - {0ADD29EE-5803-289D-3949-C714A97C2D55} - C:\WINDOWS\system32\javamh.dll (file missing)
O2 - BHO: Class - {0ADEE711-8B02-83DC-B2AE-86A9DD5436D7} - C:\WINDOWS\system32\javaga.dll (file missing)
O2 - BHO: Class - {0AE873A4-EE46-DEE5-FB05-2379630ADDE8} - C:\WINDOWS\d3rr.dll (file missing)
O2 - BHO: Class - {0AF23546-627B-E7D6-AEB6-CBB4FC91EBE4} - C:\WINDOWS\system32\ntvx32.dll (file missing)
O2 - BHO: Class - {0B01EADD-4EEA-1744-7321-45BB28A5E86A} - C:\WINDOWS\system32\javabq32.dll (file missing)
O2 - BHO: Class - {0C53C50B-D818-F1CB-C013-1D3F181EDD6C} - C:\WINDOWS\ntec32.dll (file missing)
O2 - BHO: Class - {0CEEC41A-54F9-F1D2-230D-B4B044ECC202} - C:\WINDOWS\atlyi32.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Class - {53B83EBA-809F-C983-5C07-4CB6E85D8F3A} - C:\WINDOWS\system32\javart.dll
O2 - BHO: Class - {8CC2DB24-461E-930B-0400-42B4EFEC2D77} - C:\WINDOWS\system32\d3db.dll (file missing)
O2 - BHO: Class - {DFA66CB8-38A2-958B-E335-DF82AF8300E8} - C:\WINDOWS\system32\netid.dll
O2 - BHO: Class - {ED83DE83-1A0E-2A73-D318-B4BD3272FB28} - C:\WINDOWS\system32\d3pr32.dll (file missing)
O2 - BHO: Class - {F514A8BE-BE2B-3710-CB9C-43C461BF044F} - C:\WINDOWS\ntcj32.dll (file missing)
O2 - BHO: Class - {F5155F20-FF52-9C3B-B02B-CF48E85DA740} - C:\WINDOWS\system32\appmj.dll (file missing)
O2 - BHO: Class - {F51732EE-1445-46BB-3740-655F49B0F738} - C:\WINDOWS\appts.dll (file missing)
O2 - BHO: Class - {F5175406-F001-516B-847A-DA5FC41F90DC} - C:\WINDOWS\system32\javarg32.dll (file missing)
O2 - BHO: Class - {F521300B-AC38-427A-A225-491396604012} - C:\WINDOWS\system32\atlys32.dll (file missing)
O2 - BHO: Class - {F52146BB-9F0F-599F-26EC-9C244299A684} - C:\WINDOWS\system32\ntme32.dll (file missing)
O2 - BHO: Class - {F52A683D-86BC-5DC9-8231-5370AB157678} - C:\WINDOWS\system32\ipua.dll (file missing)
O2 - BHO: Class - {F52DCF2D-8EF0-1BEE-927B-FD01E6180063} - C:\WINDOWS\system32\iefj.dll (file missing)
O2 - BHO: Class - {F52E2033-83A1-5DFD-596F-100DD7ACA4B6} - C:\WINDOWS\system32\atlsx.dll (file missing)
O2 - BHO: Class - {FD4A74BF-5712-24E2-4DA7-6711D4FD291B} - C:\WINDOWS\system32\cruv32.dll
O2 - BHO: Class - {FFCDF546-F480-31CB-7C6B-5F25BAA47B24} - C:\WINDOWS\system32\msof.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/117c70534a8403d9c217/netzip/RdxIE601.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136010394515
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winqg32.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: SAVScan - Unknown owner - c:\Program Files\Norton AntiVirus\SAVScan.exe (file missing)
Thanks for any input
-
Can you do the following please
Try and do it all
==Redownload Hijackthis from my Signature below and save it to a permanent folder on your hard drive
ONLY run hijackthis from this new location
==Download and Install
Windows Cleanup! 4.0 (http://downloads.stevengould.org/cleanup/CleanUp40.exe)
Don't run it yet
==Download CWShredder.exe (http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe) and save to your desktop
Don't run it yet
==Download and then Install
Ewido anti-malware 3.5 (http://download.ewido.net/ewido-setup.exe)
When installing, under "Additional Options" Uncheck "Install background guard" and "Install scan via context menu".
From the main ewido screen, click on Update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful")
Close out Ewido for now, we'll need it later
If for some reason the Updater won't work can you manually download the
Updates from this link after you have Ewido installed
http://www.ewido.net/en/download/updates/
Download and Install Ad-Aware SE Personal 1.06 (ftp://ftp.download.com/pub/win95/utilities/aawsepersonal.exe)
Open Ad-Aware, ensure to click the check for updates now link and Connect to download the latest updates
Don't run a scan yet
==Create a New folder on your desktop, call it Aboutbuster
(Right click an empty spot on the desktop and select NEW>>FOLDER)
Download to desktop About:Buster.zip (http://www.malwarebytes.org/ccount/click.php?id=1)
by RubbeR Ducky
Unzip it to that new folder so you now have AboutBuster.exe (and included Readme.rtf) extracted to the Aboutbuster folder
Don't run it yet
Now that we have the tools
Save the rest of these instructions to a Notepad file saved to your desktop or Print them out for use in safe mode
Close all open windows, including this one
Open CWShredder.exe, click on the FIX button
Let it Fix what it finds
RESTART your Computer in SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
At the Startup menu select Safe mode
In safe mode
==Open the AboutBuster folder and double click on About:Buster.exe
Click the Begin Removal button
Yes to the prompt
Let it finish its scan, then Exit
Please run About:buster again with the same instructions
==Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer
==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished its scan click the "Save Report" button
Save the report to desktop
Exit Ewido
While Ewido is running, refrain from using the computer, please let it do its job with no interference
Remain in safe mode
Do a "System scan only" with Hijackthis and put a check next to these entries
Any of the below found
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rawvm.dll/sp.html#37049%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rawvm.dll/sp.html#37049%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\rawvm.dll/sp.html#37049%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rawvm.dll/sp.html#37049%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\rawvm.dll/sp.html#37049%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rawvm.dll/sp.html#37049%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\rawvm.dll/sp.html#37049%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
All the "O2 BHO entries" with one exception
DON'T put a tick next to this one
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
Remember Don't tick the O2 entry related to Spybot, but check all the other
O2 - BHO: Class entries
Then tick the next ones too
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/117c70534a8403...ip/RdxIE601.cab
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winqg32.exe
After you have ticked the above entries, close All other open windows
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Open Ad-Aware SE 1.06
Click START
Click the radio button to Perform a Full system scan then click NEXT
When it's finished scanning
At this point you should either right click on the screen and choose the "Select All" Objects option or individually put a checkmark in each object's checkbox
click on the Next button. Ad-Aware SE will now present you with a confirmation box as to whether or not you would like to remove the objects you have just selected. Press the "OK" button
RESTART your computer back into Normal mode
Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the General tab---Reset home page
I need to see the following please
1. Run a Scan and savelogfile with hijackthis and post a fresh log
2. Post the whole report from Ewido's
3. Post the contents of the "Ab LogFile.txt" located in the same folder as About:Buster.exe
4. Also, open Hijackthis>>Open Misc tools section>>Open Hosts file manager
If prompted to create a hosts file, do so
Click the "Open In Notepad" button
A text file should open, copy and paste this back here too please
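As an added example (not code from this thread, from HijackThis, or from any of the tools named above), the following Python script triages the kinds of HijackThis entries the reply above tells the poster to fix: R0/R1 search settings redirected into a local DLL resource, domains added to the Trusted Zone, and O23 services with garbled names or missing binaries. The sample lines are constructed from entries posted in this thread plus one made-up benign Start Page line (example.com is a placeholder); the regexes and the `Finding` type are this example's own.

```python
"""Triage a HijackThis log for the hijack patterns discussed in this thread.

Added example: the sample lines are constructed, and nothing here is a
HijackThis component or part of the original forum post.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: entries copied from the logs in this thread plus one
# benign, made-up Start Page line (example.com is a placeholder).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\rawvm.dll/sp.html#37049%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.example.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O23 - Service: Network Security Service ( 11Fßä#·ºÄÖ`I) - Unknown owner - C:\WINDOWS\system32\winqg32.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# R0/R1 entries whose value is a res:// URL: IE start/search settings served
# from a resource embedded in a DLL rather than from a web page.
RES_SETTING = re.compile(r"^R[013] - (HK(?:LM|CU)\\[^=]+?) = (res://\S+)$")
# ...and the DLL lives in the Windows directory, which no legitimate search
# provider does.
LOCAL_DLL = re.compile(r"^res://([a-z]:\\windows\\[^/]+\.dll)", re.IGNORECASE)
# Any domain added to the Trusted Zone relaxes IE's security settings for it.
TRUSTED_ZONE = re.compile(r"^O15 - Trusted Zone: (\S+) \((HKLM|HKCU)\)$")
# O23 lines are "name - owner - binary path", with " - " as the separator.
SERVICE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


@dataclass
class Finding:
    kind: str     # hijack | trusted_zone | service_name | service_missing
    line: str
    detail: str


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per suspicious entry, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = RES_SETTING.match(line)
        if m:
            key, value = m.groups()
            dll = LOCAL_DLL.match(value)
            if dll:
                findings.append(Finding(
                    "hijack", line,
                    f"{key} points into local DLL {dll.group(1)}"))
            continue

        m = TRUSTED_ZONE.match(line)
        if m:
            findings.append(Finding(
                "trusted_zone", line,
                f"{m.group(1)} added to the Trusted Zone in {m.group(2)}"))
            continue

        m = SERVICE.match(line)
        if m:
            name, owner, path = m.groups()
            if any(ord(c) > 127 for c in name):
                # Random high-bit bytes in a service name are a sign the
                # entry was generated, not installed by a vendor.
                findings.append(Finding(
                    "service_name", line,
                    f"service name {name!r} contains non-ASCII bytes ({owner}, {path})"))
            elif "(file missing)" in path:
                # Orphaned entry: harmless by itself, but worth cleaning up.
                findings.append(Finding(
                    "service_missing", line,
                    f"service {name!r} points to a missing binary"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

Run as a script it prints one line per flagged entry; imported, `triage()` returns the findings so they can be fed into whatever reporting the helper prefers. The Symantec service line and the Spybot BHO line produce nothing, which is the point: the rules key on the shape of the entry (res:// into `C:\WINDOWS`, a Trusted Zone addition, a non-ASCII service name), not on a list of known-bad file names.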
-
I did everything as you said except when I run AboutBuster in safe mode it comes up with a runtime "6" error overflow. So I'm not sure what to do next.
-
Please carry on with the rest of the instructions, we'll deal with it later
-
I think I did it all correctly. Here it is.
Logfile of HijackThis v1.99.1
Scan saved at 4:18:05 AM, on 1/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\kerry and colleen\Local Settings\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136010394515 (http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136010394515)
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: SAVScan - Unknown owner - c:\Program Files\Norton AntiVirus\SAVScan.exe (file missing)
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 5:06:14 PM, 1/5/2006
+ Report-Checksum: B92F296A
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{00564D9E-6D4B-1BA6-3369-3CA152EDA8CE} -> Spyware.CoolWebSearch : Cleaned with backup
C:\Documents and Settings\kerry and colleen\Application Data\tizupd.bin -> Trojan.Scapur.b : Cleaned with backup
C:\Program Files\apsi\wtta.exe -> Downloader.PurityScan.an : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106533757.ssb/C:\Program Files\ISTsvc\istsvc.exe -> Downloader.IstBar.gm : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106533757.ssb/C:\Program Files\BullsEye Network\bin\bargains.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106533757.ssb/C:\WINDOWS\system32\SahAgent.exe -> Adware.SAHA : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106533757.ssb/C:\WINDOWS\system32\DwsSz1lp.exe -> Downloader.VB.em : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106533757.ssb/C:\WINDOWS\system32\Eola9.exe -> Downloader.VB.em : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\Program Files\BullsEye Network\bin\bargains.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\Documents and Settings\Owner\Local Settings\Temp\asmfiles.cab/asm.exe -> Spyware.Altnet : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\Documents and Settings\Owner\Local Settings\Temp\asmfiles.cab/asmps.dll -> Spyware.Altnet : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\Documents and Settings\Owner\Local Settings\Temp\optimize.exe -> Downloader.Dyfuca.ds : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\Documents and Settings\Owner\Local Settings\Temp\powerscan.exe -> Spyware.PowerScan : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\Documents and Settings\Owner\Local Settings\Temp\__unin__.exe -> Spyware.Altnet : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\ezStub.exe -> Adware.eZula : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\Program Files\BullsEye Network\bin\bargains.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\Program Files\eZula\CHCON.dll -> Adware.eZula : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\Program Files\PerfectNav\BHO\PerfectNav150c.dll -> Spyware.eUniverse : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\Program Files\Web Offer\apev.exe -> Adware.eZula : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\SEPinst.exe -> Trojan.Septic.a : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\Downloaded Program Files\lsp_.dll -> Adware.SAHA : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\Downloaded Program Files\SAHAgent_.exe -> Adware.SAHA : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\Downloaded Program Files\SahHtml_.exe -> Adware.SAHA : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\Downloaded Program Files\SAHUninstall_.exe -> Adware.SAHA : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\SAHUninstall.exe -> Adware.SAHA : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\system32\angelex.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\system32\bbchk.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\system32\exdl.exe -> Adware.eXact : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\system32\exdl0.exe -> Adware.eXact : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\system32\exdl1.exe -> Adware.eXact : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\system32\exul.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\system32\exul1.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\system32\ezPopStub.exe -> Adware.eZula : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\system32\javexulm.vxd -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\system32\lsp.dll -> Adware.SAHA : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\system32\mqexdlm.srg -> Adware.eXact : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\system32\SahHtml.exe -> Adware.SAHA : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\system32\SearchBar.htm -> Spyware.TwainTech : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\system32\Searchx.htm -> Spyware.TwainTech : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\Temp\Altnet\adm.exe -> Spyware.Altnet : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\Temp\Altnet\adm25.dll -> Spyware.Altnet : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\Temp\Altnet\adm4.dll -> Spyware.Altnet : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\Temp\Altnet\admdloader.dll -> Spyware.Altnet : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\Temp\Altnet\admfdi.dll -> Spyware.Altnet : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\Temp\Altnet\admprog.dll -> Spyware.Altnet : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\Temp\Altnet\dmfiles.cab/AltnetUninstall.exe -> Spyware.Altnet : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\Temp\Altnet\dmfiles.cab/asmend.exe -> Spyware.Altnet : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\Temp\Altnet\pmexe.cab/Points Manager.exe -> Spyware.Altnet : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\Temp\Altnet\pmfiles.cab/setup.cab/PMuninstall.bde -> Spyware.Altnet : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\Temp\Altnet\pmfiles.cab/sysdetect.dll -> Adware.BrilliantDigital : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\Temp\Altnet\Setup.exe -> Spyware.Altnet : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106610638.ssb/C:\WINDOWS\zeta.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1106611010.ssb/C:\WINDOWS\system32\lsp.dll -> Adware.SAHA : Cleaned with backup
C:\Program Files\Netscape\Communicator\Program\Plugins\MyWayPluginProxy.class -> Spyware.MyWay : Cleaned with backup
C:\Program Files\winupdates\a.zip/Setup.exe -> Worm.VB.an : Cleaned with backup
C:\WINDOWS\addcn.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\addco.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\adddj.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\addep.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\addfl.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\addfm32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\addfs.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\addjz.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\addkf.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\addkm32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\addmn32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\addnb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\addnw.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\addph32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\adduy32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\addxo.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\addzg.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\apicn32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\apidk32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\apidl.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\apied.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apign.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\apigq.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\apihj.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\apijv.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\apikl32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\apisa.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\apisq.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\apitp32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\apitq32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\apiux.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\apivp32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\apivv32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\appfp32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\appjv32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\appmv32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\appsn32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\appuq32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\appve32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\appvz32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\appzr.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\atlbg.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\atlbg32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\atldn32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\atlgg.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\atlgn32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\atlnh.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\atlof32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\atloo.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlpj32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlpy32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\atlql.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\atlrm32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\atlsk32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\atlvo32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\atlxk32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\atlym.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\atlyo.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\atlzp32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\crda.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\crdp.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\cree32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\crfo32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\crgk.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\crgn.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\crhj.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\criq32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\crkx.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\crlq.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\crmd.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\crtd32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\crtl32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\crup.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\crva32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\crzp.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\d3at32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\d3cr32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\d3cw.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\d3cx.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\d3dk32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\d3dp32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\d3ea32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\d3ej32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\d3el.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\d3fu32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\d3ge.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\d3id32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\d3jk.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\d3kz.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\d3mj32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\d3mo.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\d3mq.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\d3na32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\d3pn32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\d3pt32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\d3sa.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\d3se.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\d3tv.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\d3uh32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\d3wd32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\d3zf.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\d3zp32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ieaa.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ieew.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ieez32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\iefd.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ieib.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\ieji.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\iejx.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ieko.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ielk32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ielu.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ieny.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\iepc32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\iepz.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ieqg.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\iesq.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\ieti.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\iety.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ieuf.dll -> Downloader.Agent.jb : Cleaned with backup
C:\WINDOWS\iewu.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\iewx.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ieya32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ieyb.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ieyr32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ieza32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ipax32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ipdb32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\ipdh.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ipeu.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ipfm.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ipgg.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\ipgg32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\iphe.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\ipnr32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ipqv32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\ipte32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\iptj32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ipvr32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ipwl.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ipwn32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ipxr32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ipyi32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ipzq32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\javafm32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\javage.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\javahe32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\javahi32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\javair32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\javajc.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\javajh32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\javala32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\javaoi32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\javapy32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\javaqu.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\javaqx.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\javarz32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\javauc32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\javaue.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\javavs.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\javawa.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\javaxb.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\javayd32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\javayu.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mfcam32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\mfcbo.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mfcca32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mfcgy.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mfchm.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mfcht32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfcjp32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfckq.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mfcle32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mfclp.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mfcmb.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mfcoh32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mfcqf32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mfcrq.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfcry.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mfcsp.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mfctr32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mfctu32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mfcuy32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mfcvx32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\mfcwo32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\mfcwv32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mfcyu32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\mscs32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\msdi.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\msed32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\msgh.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\msgu.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mshq32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\mshw.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\msib.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\msix.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\msja.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\msmd32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\msmi.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\msnn32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\msob.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\msqk.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\msqs.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\msvn32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\mswe.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mswn.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\msxn32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\msya32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\msyf.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\netaq32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\netaw.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\netdt.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\netha.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\netho32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\netju32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\netkg.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\netkz32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netlx32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\netmx32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\netnb.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\netoh32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\netrn.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\netrq.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\netsb.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\netsh32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\nettb32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\netud.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netup.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netuw32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\netvq.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\netxu32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\netxy.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\netyl32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\netym.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntal.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\ntbr.dll -> Downloader.Agent.jb : Cleaned with backup
C:\WINDOWS\ntch.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ntfy.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ntic32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ntjg32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\ntmp32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ntoc.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ntpl.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ntpp32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\ntqv.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ntrb.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\ntsp.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ntuq.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\ntvc32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\ntvv32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ntww.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ntze.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\n_dllnkf.dat -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\n_gedkbq.dat -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\n_hcrnvr.txt -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\n_hieksx.log -> Downloader.Agent.bc : Cleaned with backup
C:\WINDOWS\n_icmhxu.txt -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\n_mawpxu.dat -> Downloader.Agent.bc : Cleaned with backup
C:\WINDOWS\n_taukbi.dat -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\n_ycgxyf.txt -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\n_yjzwgh.dat -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\n_yrfyme.log -> Downloader.Agent.bc : Cleaned with backup
C:\WINDOWS\n_zvfmid.dat -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\sdkam32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sdkcy.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\sdkej32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sdkjy32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sdkkd.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sdkkq32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sdkpq.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\sdkqt.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\sdkux32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sdkwo.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\sdkye32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sdkyx32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sdkzp.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\sdkzp32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sysaf.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\sysbg32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sysci32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\syscr.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\syscv32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\sysdn.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\syseh32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sysfh.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\syshj.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\sysjx.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\syskd32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\syslp.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\syslz32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sysol32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sysot32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\syspr32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\syssg.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\a3d98631.exe -> Spyware.VB : Cleaned with backup
C:\WINDOWS\system32\addae32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\addba.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\addcc.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\addcr.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\addcw.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\addcy32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\addfb32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\addga32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\addjl.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\addon32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\addoy.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\addqu32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\addsk32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\addwc.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\addwc32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\addxe32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\addyy.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\addze.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\addzh.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\apiak32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\apidl32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\apieh32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\apiey.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\apifd32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\apifw.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\apiga32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\apigv32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\apigy32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\apijz.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\apikd.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\apikg32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\apimt.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\apiqz.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\apirp32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\apirx.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\apisj32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\apite.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\apius.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\apiwa.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\apixf32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\apiyd32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\apizb.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\appai.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\appbo32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\appcz.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\appdm32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\appfg32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\appgh32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\apphu.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\apphw.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\appiv32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\appkh32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\appkp32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\apppf32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\apppk32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\apprp.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\apptj.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\appxa.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\appyt.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\appyz32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\appzx.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\atlcr.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\atlct32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\atlec32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\atlew.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\atllc32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\atllu32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\atlme.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\atlns32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\atlnx32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\atlpa.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\atlpo.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\atlre.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\atlrw32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\atlsx32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\atltn32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\atltv32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\atluk32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\atlvz.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\atlyd.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\atlyz32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\atlzd32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\atlzz32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\Cache\s4Sept.exe -> Spyware.MyWay : Cleaned with backup
C:\WINDOWS\system32\catsrvut.exe -> Spyware.AdSrve : Cleaned with backup
C:\WINDOWS\system32\cmdial32.exe -> Spyware.AdSrve : Cleaned with backup
C:\WINDOWS\system32\crdu32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\cred.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\crfw.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\crjf32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\crnh.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\crod32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\crux32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\crxc.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\crxj32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\d3cd.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\d3ea32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\d3ez.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\d3kn32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\d3ko32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\d3nq32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\d3ph32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\d3qh32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\d3qw.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\d3rs32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\d3rw.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\d3td32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\d3th.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\d3tk32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\d3tq.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\d3tu.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\d3vd.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\d3yj32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\d3zh.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ieao.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\iebe.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\iedr32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\iegd32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\iekl32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\ielg.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\iell32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ielz.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ienr.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ient32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ieow.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\iepx.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\iero.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ieum.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\ievl32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\iewk.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\iewo.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\ieyp.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ipad.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ipbs32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\ipcb.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\ipct32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\ipgt.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\iphf32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ipif32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ipiz.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\ipjc.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\ipkb32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\iplb32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ipot32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ippu.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ipti32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ipts.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ipve32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\javaan32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\javaei32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\javafg32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\javait32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\javakc32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\javakq32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\javami32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\javamn.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\javaoj32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\javaop32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\javapg32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\javaqi.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\javasm32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\javasn32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\javaty.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\javauh.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\javauv.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\javaxl.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\javaxn32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\javazd.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\mfccm.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\mfccp32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\mfcdh.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\mfcdo.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\mfcel32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\mfcim.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\mfciz.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\mfcjk32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\mfcjz32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\mfcla.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\mfcmj32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\mfcmo.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\mfcnr32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\mfcoz32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\mfcqe.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\mfcrf.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\mfcsf.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\mfcsy32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\mfctl.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\mfcts32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\mfcuy.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\mfcvw32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\mfcwl.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\msah.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\msby32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\mscw.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\mscy32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\msdu32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\msfe32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\mshp32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\msic32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\msik.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\msit32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\msiz.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\msja32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\msnx32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\mspj.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\mssv.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\msts32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\msty.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\msyh.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\netad32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\netbs32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\netdi.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\netdz.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\netfg32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\netgq32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\netgs.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\netgu.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\netgy32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\nethe32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\netjm.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\netkt32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\netlj32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netlr.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\netnx.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\netoj.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\netol32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\netum32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\netvi.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\netwi.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\netwr32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\netxo.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\netxr.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\netzv.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\netzz32.exe -> D
-
Sorry for the delay.
I think I did it all correctly. Here it is.
Not quite. I asked you to redownload Hijackthis from my signature below and save it to a permanent folder on your drive.
You are still running hijackthis from a Temporary folder.
We cleaned that folder; if you ran hijackthis from there earlier, all backups are now lost.
Also, I asked for the following
Open Hijackthis>>Open Misc tools section>>Open Hosts file manager
If prompted to create a hosts file, do so
Click the "Open In Notepad" button
A text file should open, copy and paste this back here too please
Additionally
You cut off the bottom part of the Ewido Report
Can you please do the following
Don't repost the top of the Ewido report
But post anything below this line
C:\WINDOWS\system32\netzv.exe -> Downloader.Agent.bq : Cleaned with backup
AFTER you have posted the above text file from Hosts file manager
and the remainder of the Ewido report
I need you to also do the following
Download DelDomains.inf from HERE (http://www.mvps.org/winhelp2002/DelDomains.inf)
Save it to your desktop
Right Click on DelDomains.inf>>Choose Install from the menu bar
This will delete all your Trusted and Ranges entries
After you have done that
Do another "Scan and Save logfile" with Hijackthis and repost a fresh log please
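The reason the helper asks for the hosts file is that a hijacked machine often carries extra lines there, either sinkholing security vendors' update sites to 127.0.0.1 or redirecting legitimate names to an attacker-controlled address. The script below is an added example written for this thread, not part of the original post or of Hijackthis; it parses a hosts file the way the Windows resolver does (comments after `#`, first column IP, remaining columns hostnames) and reports every mapping other than the default `localhost` loopback entry. The sample file is constructed: the first four lines mirror the default Microsoft file, and the two `.test` entries are hypothetical hijack lines.

```python
"""Audit a Windows HOSTS file for entries that do not belong in a clean default.

Added example for this thread; not code from Hijackthis or from the original poster.
"""
import ipaddress

# Constructed sample: the default Microsoft HOSTS file, followed by two
# hypothetical hijack lines of the kind a helper would look for.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.example-av-vendor.test   # constructed: sinkholes an update site
203.0.113.10    www.example-bank.test        # constructed: redirects a site
"""

# A clean default file maps only localhost, so an audit of it must be empty.
CLEAN_HOSTS = "# comment only\n127.0.0.1 localhost\n"


def parse_hosts(text):
    """Return (ip, hostname, line_no) tuples from a hosts file.

    Blank lines, comment lines and trailing '#' comments are ignored, and a
    single line may map several hostnames to one address.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comment, if any
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: address with no hostname
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first column is not an IP address; skip it
        for host in parts[1:]:
            entries.append((str(addr), host.lower(), line_no))
    return entries


def audit_hosts(text):
    """Return (line_no, hostname, ip, verdict) for every non-default mapping.

    'sinkholed'  = hostname points at a loopback/unspecified address, which
                   silently blocks that site (typical for AV update servers).
    'redirected' = hostname points somewhere else, i.e. traffic for that name
                   goes to an address the user did not choose.
    """
    findings = []
    for ip, host, line_no in parse_hosts(text):
        addr = ipaddress.ip_address(ip)
        if host == "localhost" and addr.is_loopback:
            continue  # the one mapping a default file is expected to carry
        if addr.is_loopback or addr.is_unspecified:
            findings.append((line_no, host, ip, "sinkholed"))
        else:
            findings.append((line_no, host, ip, "redirected"))
    return findings


if __name__ == "__main__":
    for line_no, host, ip, verdict in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {host} -> {ip} ({verdict})")
```

To run it against a real machine, read `C:\WINDOWS\system32\drivers\etc\hosts` (the file the Hosts file manager opens) and pass its contents to `audit_hosts`; an empty result is what a clean default file produces, and every finding is a line worth explaining before it is deleted.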
-
# Copyright © 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
C:\WINDOWS\system32\netzv.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\netzz32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ntax.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\ntbb32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\ntdw32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\ntin.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ntip32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ntjy32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ntka32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ntki.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ntkr32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\ntnb.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ntng32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ntoi.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\ntpj32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ntps.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ntqc.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ntqe32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ntqm.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\ntqs.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ntuf32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ntuh32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ntuj.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ntvn32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ntyb.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\ntyq.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\sdkcn32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\sdkdo.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\sdkex32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\sdkey32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\sdkez.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\sdkgb.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\sdkjf.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\sdkmq32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\sdkmt.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\sdkob.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\sdkpc.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\sdkqa32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\sdkqu32.dll -> Downloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\sdkre32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\sdktb32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\sdkub32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\sdkuk.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\sdkun.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\sdkzb32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\sdkzy32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\sysaa32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\sysaz32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\sysbs.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\syser.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\sysfc.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\sysfi.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\sysfr32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\sysjd32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\sysjn.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\sysnl.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\sysrw32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\systd.dll -> Downloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\sysyf32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\winbz.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\wince32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\windl32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\winer32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\winfu32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\winhm32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\winlh32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\winmh32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\winmy32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\winnd.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\winnf32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\winnz32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\winot32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\winpk.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\winqf32.dll -> Downloader.Agent.jb : Cleaned with backup
C:\WINDOWS\system32\winqg32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\system32\winrf32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\winug32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\winup32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\winuq.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\winwr32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\winxs32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\winyf.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\systl32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\syswu.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\sysyg32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\sysze32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\syszk.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winaj32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winax32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winbd.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\wincz32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winfa.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winhb.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winhf.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winoi32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winrz32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winuq32.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\winvp32.exe -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\_detmp.4:bfdni -> Downloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSI5166._IS:dmajd -> Downloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSI5166._IS:ofltz -> Downloader.Agent.td : Cleaned with backup
::Report End
Logfile of HijackThis v1.99.1
Scan saved at 5:01:27 PM, on 1/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\hjt\hijackthis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 (http://\"http://go.microsoft.com/fwlink/?linkid=39204\")
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136010394515 (http://\"http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136010394515\")
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab (http://\"http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab\")
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: SAVScan - Unknown owner - c:\Program Files\Norton AntiVirus\SAVScan.exe (file missing)
OK, well, sorry about not getting it right before. When you say to save HijackThis to a permanent folder, I assume you mean to create a folder (hjt) in Program Files and save it to this folder. That is what I did. I did some web surfing earlier just to check out my IE, because it seems to be working now, and I'm getting a lot of pop-ups. So I did a virus scan and I still had a lot of infected files, including CoolWebSearch.
-
Can you try something, please?
Delete your copy of About:Buster
Redownload it from here:
http://www.malwarebytes.org/ccount/click.php?id=1
Save it and UNZIP it
Run the Begin Removal and see if it runs
Additionally, Avast may not be running properly, as indicated by your log
The O4 entry is missing
Did you uninstall Norton's completely?
I still see it in your log
What version of Norton's were you running?
-
About:Buster will not run. I get a run-time error 6, overflow. Do I need to run this in safe mode? It also says that I should extract all files before running. Also, I'm not sure about the Norton's. This is my parents' computer and I just started deleting things that I didn't think they needed. I did a search for any Norton files and nothing came up.
-
Yes, it definitely has to be extracted (unzipped) first
Did you see my instructions before?
Create a new folder on your desktop and call it Aboutbuster
(Right click an empty spot on the desktop and select NEW>>FOLDER)
Download About:Buster.zip to the desktop
by RubbeR Ducky
Unzip it to that new folder so you now have AboutBuster.exe (and the included Readme.rtf) extracted to the Aboutbuster folder
Don't run it yet
Here's how to run the built-in utility in XP:
http://consumer.installshield.com/kb.asp?id=Q108326
Don't run About:Buster yet
But we must rid you of Norton's if you're going to use Avast
I prefer Avast
but you must make sure you uninstall Norton's completely
"This is my parents' computer and I just started deleting things that I didn't think they needed. I did a search for any Norton files and nothing came up."
STOP just deleting things, they must be properly uninstalled!!!!
Find out what version it was/is
-
Just called my dad. He said he doesn't think he installed Norton's, so it might have already been installed when he got the computer. I'm going to stop over there sometime tomorrow (I have to work tonight) to see if I can find any discs or anything.
-
That's a good call; there are uninstall utilities from Symantec's to run on the computer
But you must know what version you have installed
Also, was it just Norton's AV or Norton's Internet Security?
When did Dad get the computer? That might help to know
Has he reinstalled his operating system since he has owned the computer?
I have to step out for a bit
But can you open HijackThis>>Open Misc Tools section>>Open Uninstaller Manager
Click the SAVE LIST button>>Save the list to desktop and then copy and paste the info back here
We will try and remove Norton's (Symantec's) completely later
We might also have to reinstall Avast
Don't do it now
I want to do this in steps to make sure the system is running well!
Can you also do me the following
Look for a file called shell.dll in your C:\Windows\system32 folder
If you find it, it's legit, I just want to make sure it is present
-
Ad-Aware SE Personal
Adobe Reader 6.0.1
Agere Systems PCI Soft Modem
Ameritech.net SpeedPath DSL Internet Service
avast! Antivirus
ccCommon
CleanUp!
Compaq Connections
DirectX Hotfix - KB825116
EPSON Printer Software
ewido anti-malware
HijackThis 1.99.1
hp instant support
HP Memories Disc
HP Photo and Imaging 2.0 - Photosmart Cameras
I.E. Host
IntelliMover Data Transfer Demo
iPod for Windows 2005-09-06
Java 2 Runtime Environment, SE v1.4.2_03
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft Office Standard Edition 2003
Microsoft Visual J# .NET Redistributable Package 1.1
Microsoft Word Viewer 97
Microsoft Works 7.0
Napster
Napster Burn Engine
Norton AntiVirus 2004
OIN
QuickTime
RecordNow!
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905495)
Security Update for Windows XP (KB905749)
Sonic Update Manager
Spy Sweeper
Spybot - Search & Destroy 1.4
Tweakui Powertoy for Windows XP
Update for Windows XP (KB835409)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
USB Storage Driver
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB810217
Windows XP Hotfix - KB821431
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB828028
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833407
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB905915
Windows XP Hotfix (SP2) Q327979
Windows XP Hotfix (SP2) Q329112
Windows XP Hotfix (SP2) Q331958
Windows XP Hotfix (SP2) Q811789
Windows XP Hotfix (SP2) Q814995
Windows XP Hotfix (SP2) Q815485
Windows XP Hotfix (SP2) Q817357
-
It appears Norton 2004 was installed
Also, I wouldn't try installing Service Pack 2 from Windows until after we have you clean
The install will not usually go that well while there are infections on the computer
Please follow the instructions outlined by Symantec's to remove your Norton's product
from this link
Click here: http://service1.symantec.com/SUPPORT/nav.nsf/docid/2003090415405206?OpenDocument&ExpandSection=1.1&Src=#_Section1.1
Use Add/Remove programs to remove Norton AV 2004
You should be able to also remove LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
ccCommon
If Add/Remove Programs won't work for you, be sure to check out this link or run the utility anyway
I think you should run the following regardless
Click here: http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?Open&src=&docid=2004020909040706&nsf=tsgeninfo.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=&seg=
After the above is done, be sure to reboot the computer
Back in Windows
Can you do the following please
Be sure you have AboutBuster unzipped
I'm not sure what version of Ad-Aware you have installed; be sure it is SE Personal 1.06
If it isn't
You can Download and Install from here
Ad-Aware SE Personal 1.06: ftp://ftp.download.com/pub/win95/utilities/aawsepersonal.exe
Allow to remove the old version if applicable
In the event you have the newest version of Ad-aware
Open Ad-Aware, be sure to click the Check for updates now link, and Connect to download the latest updates
Don't run a scan yet
Your version of Avast looks corrupt; can you please redownload the installer for Avast from here and save it to your desktop
Here's the download location:
http://www.avast.com/eng/download-avast-home.html
Do not install it yet, we have to uninstall your other version first
Next: Download and save to your desktop
Avast Uninstall utility: http://www.avast.com/eng/avast_uninstall_util.html
Don't run this yet, we'll need it in a bit
==Download and save Cwsserviceremove.zip: http://www.thetechguide.com/forum/index.php?act=Attach&type=post&id=431
UNZIP to your desktop so you now have Cwsserviceremove.reg extracted
We'll need it later
Can you recheck for updates with Ewido please
If for some reason the Updater won't work can you manually download the
Updates from this link
http://www.ewido.net/en/download/updates/
Install the updates but don't run a scan yet
Can you also do the following
Follow the link to download and install
VX2 Cleaner Plug-in: http://www.lavasoft.de/software/addons/vx2cleaner.shtml
After the plugin is installed
restart Ad-Aware before running the VX2 Cleaner.
Run the VX2 Cleaner. If your computer is infected with VX2, a dialog box with text such as "New VX2 variant found" or "VX2 variant 1 found" will appear.
Press "Clean" and a dialog box with text "The first phase completed. Please reboot and perform a Smart Scan" will appear. After saving your work, reboot your system manually.
Repeat this until the VX2 Cleaner reports "System clean". Press "Close" to exit.
Run Ad-Aware one more time and scan your computer to make sure VX2 has been found and removed.
Access your Add/Remove programs and remove
avast! Antivirus
Reboot into safe mode at this time
==Run CWShredder and click the FIX button, let it fix what it finds
==Open the AboutBuster folder and double click on About:Buster.exe
Make sure you unzipped this
Click the Begin Removal button
Yes to the prompt
Let it finish its scan, then Exit
Please run About:buster again with the same instructions
==Double click on cwserviceremove.reg and allow to add or merge to the registry
==Open Ewido Security Suite
Click on the Scanner button on the left menu
Select Complete System Scan
*If Ewido finds something it will prompt you with "Infected Object found"
Ensure the following are Selected
*1. Perform Action = Remove
*2. Create Encrypted Backup in Quarantine (Recommended)
*3. Perform action with all infections
Then click OK
When Ewido has finished its scan, click the "Save Report" button
Save the report to desktop
Exit Ewido
Run the Avast Uninstall utility
Follow the prompts
Reboot back to normal mode
The installer you downloaded earlier for Avast!
Can you now reinstall Avast and follow the prompts
Run a complete system scan
Reboot afterwards back to Normal windows
Back in Windows
Access Internet Options via Control Panel
Under the Programs tab "Reset Web Settings"
Under the Security tab | Custom Level
Check ActiveX security settings:
Make sure that the following settings are correct:
o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Script ActiveX controls marked safe for scripting (Prompt)
I need to see the following please
1. Post back a fresh hijackthis log
2. Post the whole contents of the Ewido report
3. Post the contents of the "Ab LogFile.txt" located in the same folder as About:Buster.exe
Additionally, look for a file called shell.dll in your C:\Windows\system32 folder
If you find it, it's legit, I just want to make sure it is present
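The four ActiveX settings asked for above live in the per-user Internet zone of the registry, and a practitioner usually wants to verify them from a script rather than by clicking through Custom Level on each machine. The following is an added example, not code from this thread or from Microsoft: the key path and the value names 1001, 1004, 1201 and 1405 with their 0/1/3 data are the documented IE zone settings, while the `LOOSE_ZONE` and `HARDENED_ZONE` dictionaries are constructed samples so the audit runs anywhere.

```python
"""Audit the Internet-zone ActiveX settings the thread asks for.

Added example; not code from the forum or from Microsoft. The registry
location and value numbers are the documented IE zone settings; the sample
zone dictionaries below are constructed.
"""
import sys

# Per-user Internet zone (zone 3). Each setting is a REG_DWORD whose data is
# 0 = Enable, 1 = Prompt, 3 = Disable.
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# The four settings from the post, keyed by their registry value name.
REQUIRED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1405": ("Script ActiveX controls marked safe for scripting", PROMPT),
}

# Constructed samples: a zone loosened so that any site can push a control,
# and one set the way the post asks.
LOOSE_ZONE = {"1001": ENABLE, "1004": ENABLE, "1201": ENABLE, "1405": ENABLE}
HARDENED_ZONE = {"1001": PROMPT, "1004": DISABLE, "1201": DISABLE, "1405": PROMPT}


def audit(values):
    """Compare a {value_name: data} mapping against REQUIRED.

    Returns (description, expected, actual, ok) per setting. A missing value
    counts as a failure: the browser then falls back to the zone template,
    which is not necessarily what was asked for.
    """
    report = []
    for name, (desc, expected) in REQUIRED.items():
        actual = values.get(name)
        report.append((desc, LABEL[expected], LABEL.get(actual, "missing"), actual == expected))
    return report


def is_compliant(values):
    """True only when every one of the four settings matches the post."""
    return all(ok for *_, ok in audit(values))


def read_zone_values():
    """Read the live per-user values on Windows; return {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg  # only available on Windows
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for name in REQUIRED:
            try:
                values[name], _ = winreg.QueryValueEx(key, name)
            except FileNotFoundError:
                values[name] = None
    return values


if __name__ == "__main__":
    live = read_zone_values()
    for label, zone in (("loose", LOOSE_ZONE), ("hardened", HARDENED_ZONE), ("this machine", live)):
        if not zone:
            continue
        print(f"--- {label}: {'OK' if is_compliant(zone) else 'NEEDS CHANGES'}")
        for desc, want, have, ok in audit(zone):
            print(f"  {'ok  ' if ok else 'FIX '} {desc}: want {want}, have {have}")
```

One caveat when reading the live values: Custom Level writes to HKCU, but a machine-wide policy can force the zone settings from HKLM instead, so on a managed machine check both hives before trusting the per-user result.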
-
Logfile of HijackThis v1.99.1
Scan saved at 4:01:59 PM, on 1/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\hijackthis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab (http://\"http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab\")
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab (http://\"http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab\")
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 (http://\"http://go.microsoft.com/fwlink/?linkid=39204\")
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab (http://\"http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab\")
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136010394515 (http://\"http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136010394515\")
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab (http://\"http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab\")
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab (http://\"http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab\")
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 5:37:56 AM, 1/8/2006
+ Report-Checksum: 9CF21C82
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{2C4E6D22-B71F-491F-AAD3-B6972A650D50} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{310CC549-4541-46A9-940F-52B342A6E682} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{BBF122A7-8A4D-45B5-9E00-0F68BC87C904} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{CAE0999F-78C5-49DC-9F30-13142AAAABA4} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{365B9A54-E613-46E5-9DB1-4F91A9DE80BD} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{618BE527-B7F5-417C-BC51-98FDC2D6DE61} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{66C22569-F05C-4A70-A142-763B337E1002} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{7B8BD940-B1EF-460C-85A2-9ACAAF7F9303} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{99AA88D1-D9D3-410A-BE9E-044F94C183DA} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{C380566D-F343-42AB-987B-6B38A1A35747} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{D1951679-1D52-43FC-9585-0737143585F5} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{F273D4EA-2025-4410-8408-251A0CD46BE7} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginConfig -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginDown -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginDownAdd -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginEvents -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginInst -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginServer -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.ToolbarScript -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TypeLib\{B23B3ADD-84B1-414A-92B9-0CABE5A781F4} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Toolbar -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Files -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Install -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\PlugIns -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Server -> Spyware.WebSearch : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\TBPSSvc -> Spyware.WebSearch : Error during cleaning
C:\Documents and Settings\kerry and colleen\Cookies\kerry and [email protected][2].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\kerry and colleen\Cookies\kerry and [email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\WINDOWS\system32\qpkky.dat -> Downloader.Qoologic.be : Cleaned with backup
::Report End
I followed the instructions to remove Norton's with LiveUpdate, not sure if it worked. I couldn't understand if they wanted me to reinstall Norton's. I stopped at the point where they wanted me to reinstall Norton's. About:Buster still will not run. I still get the overflow error. I found the file shell.dll in the windows/system folder. Now I also get some kind of script prompt every time I go to a web site.
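Reading a HijackThis log and an ewido report by eye is how the helper in this thread spotted the avast! services marked "(file missing)" and the registry objects ewido could not clean. The script below is an added example, not code from this thread or from the HijackThis or ewido tools: it parses the two line formats visible in the posts and produces the same kind of review queue. The sample lines are constructed in the shape of the posted logs (the R1 line points at a made-up `placeholder.dll`).

```python
"""Triage a HijackThis log and an ewido scan report.

Added example for this thread; not code from HijackThis, ewido or the forum.
It relies only on the line shapes visible in the posted logs.
"""
import re
from collections import Counter

# Constructed sample lines shaped like the posted logs. The R1 line uses a
# made-up DLL name (placeholder.dll) so it does not point at anything real.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\placeholder.dll/sp.html
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

SAMPLE_EWIDO = r"""
+ Scan result:
HKLM\SOFTWARE\Classes\TBPS.PluginConfig -> Spyware.WebSearch : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\TBPSSvc -> Spyware.WebSearch : Error during cleaning
C:\WINDOWS\system32\qpkky.dat -> Downloader.Qoologic.be : Cleaned with backup
C:\WINDOWS\system32\sdkgb.exe -> Downloader.Agent.td : Cleaned with backup
C:\WINDOWS\system32\sdkjf.exe -> Trojan.Agent.bi : Cleaned with backup
::Report End
"""

# "O23 - Service: ..." -> section "O23", body "Service: ..."
HJT_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
# "<object> -> <detection> : <status>"
EWIDO_RE = re.compile(r"^(?P<obj>.+?) -> (?P<detection>\S+) : (?P<status>.+)$")


def parse_hjt(text):
    """Return (section, body) pairs; process-list and header lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = HJT_RE.match(raw.strip())
        if m:
            entries.append((m["section"], m["body"]))
    return entries


def flag_hjt(entries):
    """Entries a helper reads first, as (section, reason, body).

    This is a review queue, not a verdict: a legitimate product shows
    'file missing' when its install is broken, which is exactly what the
    thread's helper spotted for the avast! services.
    """
    flagged = []
    for section, body in entries:
        if "(file missing)" in body:
            flagged.append((section, "file missing", body))
        elif section == "O23" and "Unknown owner" in body:
            flagged.append((section, "service without owner info", body))
        elif section in ("O4", "O20", "O21"):
            flagged.append((section, "autostart entry", body))
        elif section.startswith("R") and "res://" in body:
            flagged.append((section, "browser URL points at a local resource", body))
    return flagged


def parse_ewido(text):
    """Return (object, detection, status) triples from a scan report."""
    findings = []
    for raw in text.splitlines():
        m = EWIDO_RE.match(raw.strip())
        if m:
            findings.append((m["obj"], m["detection"], m["status"]))
    return findings


def family(detection):
    """'Downloader.Agent.td' -> 'Downloader.Agent' (drop the variant suffix)."""
    return ".".join(detection.split(".")[:2])


def summarize_ewido(findings):
    """Counts by status and family, plus objects the scanner could not clean.

    Objects that come back as 'Error during cleaning' run after run (here the
    TBPSSvc service and its COM classes) are being re-created by a component
    that is still live, so they are the ones to chase rather than the files
    already cleaned.
    """
    by_status = Counter(status for _, _, status in findings)
    by_family = Counter(family(det) for _, det, _ in findings)
    leftovers = [obj for obj, _, status in findings if not status.startswith("Cleaned")]
    return {"by_status": dict(by_status), "by_family": dict(by_family), "leftovers": leftovers}


if __name__ == "__main__":
    for section, reason, body in flag_hjt(parse_hjt(SAMPLE_HJT)):
        print(f"[{section}] {reason}: {body}")
    summary = summarize_ewido(parse_ewido(SAMPLE_EWIDO))
    print("status counts:", summary["by_status"])
    print("family counts:", summary["by_family"])
    print("not cleaned:", *summary["leftovers"], sep="\n  ")
```

Feed `parse_hjt` and `parse_ewido` the saved log text instead of the samples to triage a real pair of reports; the grouping by family makes the many `Downloader.Agent` variants in the earlier ewido report collapse into one line, which is what you want when judging whether a second scan found anything new.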
-
Can you open Spybot 1.4 please
Click on IMMUNIZE>>OK>>Immunize at the top green cross
Close spybot
The script prompt at websites
For now can you check to make sure the following are true
In Internet Explorer click on TOOLS>>Internet Options
Under the ADVANCED tab
CHECK>>Disable Script debugging
UNCHECK>>Display a notification of every script error
Apply and close out of there
Can you also go to
START>>>RUN>>>type in services.msc
Hit OK
In the next window, look on the right hand side for this service
name---- Messenger<-this is not the same as Messenger chat
Double click on it--- STOP the service--If running
In the drop down menu, change the startup type to Disabled
Do the same for Alerter as well
This should help stop unwanted popups from the Messenger service
This is disabled by default in SP2
Can you also make sure that the Windows Firewall is enabled, it's not by default
But is in SP2
You can install SP2 once you're clear of all nasties
This link will show you how to enable the Firewall
http://www.arnoldco.com/help/html/enable_xp_firewall.html
Can you download and save to your desktop
FxWebsch.exe: http://securityresponse.symantec.com/avcenter/FxWebsch.exe
from Symantec's
I suggest that you return to safe mode
Before you do
Run another scan only with hijackthis, with all other windows closed
and fix checked this entry please
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
Then boot to safe mode
Double click to open FxWebsch.exe
Click START
Let it run a scan and fix what it finds
It should make a log afterwards, I'll want to see it later
Reboot back to Normal mode
Post a new hijackthis log, and the log created by FxWebsch.exe
Can you also let me know what you were able to accomplish in my last steps
No, don't reinstall Norton's
Did you run the uninstall utility I linked you to for Norton's? It doesn't look like it
Did you uninstall and reinstall Avast!? It doesn't look like it
Do what I posted in this reply and then come back to me with these please
-
OK, sorry if my last post was kinda vague. I was in a rush to get this done before work.
When I say that I deleted files that I didn't think they needed on their computer, I meant to say that I uninstalled programs that I didn't think they needed. I don't want you to think that I just go around deleting random files. So Norton's was actually uninstalled properly. I don't know how it's still on my log. It has not been listed on my Add/Remove Programs list since I uninstalled it. I did download and run the Avast uninstall utility. I also downloaded Avast from the link you provided. I installed and ran the VX2 Cleaner plugin to Ad-Aware and everything came up clean. CWShredder came up with nothing also. About:Buster still gives me the error when running. When I ran Ewido it seems like it came up with the same viruses that it was supposed to have deleted the first time that I ran it. I immunized with Spybot. When I went to enable the Windows Firewall I got an error saying "the specific service does not exist as an installed service", so I could not complete that task. Ran FxWebsch and it found nothing. Here are the logs that you requested.
Symantec Adware.Websearch Removal Tool 1.0.0
Adware.Websearch has not been found on your computer.
Logfile of HijackThis v1.99.1
Scan saved at 6:05:07 PM, on 1/8/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\hjt\hijackthis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136010394515 (http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136010394515)
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
-
Just for a double check:
Could you download GetServices.zip (http://www.bleepingcomputer.com/files/spyware/getservices.zip)
Unzip it to a folder
Double click on the Getservice.bat file to run it. This will create and open a text file named getservice.txt in the same folder.
getservice.txt will list all active Services
Post the getservices.txt
Could you also open HijackThis >> Open Misc Tools section
Put a check in the following
List all minor sections (full)
and
List empty sections (complete)
Then afterwards click "Generate StartupList log"
A text file will open
Can you copy and paste the whole contents back here please
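The services list requested above is normally read by eye. As an added example (not code from this post, from Sysinternals or from HijackThis), here is a small Python parser for the PsService layout the next reply pastes, together with the first checks a helper makes on it: which services start automatically, which run an executable outside the Windows directory (third-party or unknown code), and which carry no description at all. It also resolves the executable out of BINARY_PATH_NAME, handling the quoted-path-plus-argument form that the avast Mail Scanner entry uses, which the HijackThis O23 line above reports as "(file missing)". The sample dump is constructed in that layout from three records modelled on this thread; the function names and the flag names are my own.

```python
import re
from typing import Dict, List

# Constructed sample in the PsService 1.1 layout used in this thread (three
# records modelled on the poster's dump, not the dump itself).
SAMPLE_DUMP = r"""
PsService v1.1 - local and remote services viewer/controller
SERVICE_NAME: AudioSrv
Manages audio devices for Windows-based programs.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
DEPENDENCIES : PlugPlay
: RpcSs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: avast! Mail Scanner
Implements mail scanning for avast! antivirus.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
BINARY_PATH_NAME : "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
DEPENDENCIES : avast! Antivirus
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: EpsonBidirectionalService
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
BINARY_PATH_NAME : C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
"""

KNOWN_FIELDS = {"TYPE", "START_TYPE", "ERROR_CONTROL", "BINARY_PATH_NAME",
                "LOAD_ORDER_GROUP", "TAG", "DISPLAY_NAME", "DEPENDENCIES",
                "SERVICE_START_NAME", "FAIL_RESET_PERIOD", "FAILURE_ACTIONS"}
FIELD_RE = re.compile(r"^([A-Z_]+)\s*:\s?(.*)$")
SYSTEM_ROOT = "c:\\windows\\"  # executables under here are treated as OS-owned


def parse_psservice(text: str) -> List[Dict[str, object]]:
    """One dict per SERVICE_NAME block: upper-case fields as strings, the
    free-text line(s) after SERVICE_NAME under DESCRIPTION, and DEPENDENCIES
    as a list (PsService prints the 2nd and later entries on ': ...' lines)."""
    services: List[Dict[str, object]] = []
    cur, last = None, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("SERVICE_NAME:"):
            cur = {"SERVICE_NAME": line.split(":", 1)[1].strip(),
                   "DESCRIPTION": "", "DEPENDENCIES": []}
            services.append(cur)
            last = "DESCRIPTION"
        elif cur is None or not line:
            continue  # banner lines before the first record, blank lines
        elif line.startswith(":"):  # continuation of a list-valued field
            if last == "DEPENDENCIES" and line[1:].strip():
                cur["DEPENDENCIES"].append(line[1:].strip())
        else:
            m = FIELD_RE.match(line)
            if m and m.group(1) in KNOWN_FIELDS:
                last, value = m.group(1), m.group(2).strip()
                if last == "DEPENDENCIES":
                    if value:
                        cur["DEPENDENCIES"].append(value)
                else:
                    cur[last] = value
            elif last == "DESCRIPTION":  # description text, or "(null)"
                cur["DESCRIPTION"] = (cur["DESCRIPTION"] + " " + line).strip()
    return services


def executable_path(binary_path_name: str) -> str:
    """The executable alone, from the two shapes PsService prints: a quoted
    path followed by arguments ("path with spaces.exe" /service) and an
    unquoted path that may contain spaces or trailing arguments (-k netsvcs)."""
    s = binary_path_name.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    m = re.match(r"(.+?\.exe)(?:\s|$)", s, re.IGNORECASE)
    return m.group(1) if m else (s.split() or [""])[0]


def review(services: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Per service: the resolved executable and the three flags a helper
    reads first (auto start, binary outside the Windows directory, no
    description). Flags are hints for a human, not verdicts."""
    out = []
    for svc in services:
        exe = executable_path(str(svc.get("BINARY_PATH_NAME", "")))
        out.append({
            "name": svc["SERVICE_NAME"],
            "exe": exe,
            "auto_start": "AUTO_START" in str(svc.get("START_TYPE", "")),
            "outside_windows_dir": not exe.lower().startswith(SYSTEM_ROOT),
            "no_description": svc["DESCRIPTION"] in ("", "(null)"),
        })
    return out


if __name__ == "__main__":
    for f in review(parse_psservice(SAMPLE_DUMP)):
        flags = [k for k in ("auto_start", "outside_windows_dir", "no_description") if f[k]]
        print(f"{f['name']:28} {f['exe']}  {' '.join(flags)}")
```

Run it against a real getservice.txt by reading the file into `parse_psservice` instead of `SAMPLE_DUMP`. The flags are deliberately coarse: a legitimate printer service trips "outside_windows_dir" and "no_description" just as an unwanted one would, so the output is a shortlist to look up, not a verdict.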
-
Here they are.
PsService v1.1 - local and remote services viewer/controller
Copyright © 2001-2003 Mark Russinovich
Sysinternals - www.sysinternals.com
SERVICE_NAME: Alerter
Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Alerter
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: NT AUTHORITY\LocalService
SERVICE_NAME: ALG
Provides support for 3rd party protocol plug-ins for Internet Connection Sharing and the Internet Connection Firewall
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\alg.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Application Layer Gateway Service
DEPENDENCIES :
SERVICE_START_NAME: NT AUTHORITY\LocalService
SERVICE_NAME: AppMgmt
Provides software installation services such as Assign, Publish, and Remove.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Application Management
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: aspnet_state
Provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ASP.NET State Service
DEPENDENCIES :
SERVICE_START_NAME: NT AUTHORITY\NetworkService
SERVICE_NAME: aswUpdSv
Provides automatic updating for the avast! antivirus.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : avast! iAVS4 Control Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: AudioSrv
Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : AudioGroup
TAG : 0
DISPLAY_NAME : Windows Audio
DEPENDENCIES : PlugPlay
: RpcSs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: avast! Antivirus
Manages and implements avast! antivirus services for this computer. This includes the resident protection, the virus chest and the scheduler.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Alwil Software\Avast4\ashServ.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : avast! Antivirus
DEPENDENCIES : aswMon2
: RpcSS
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: avast! Mail Scanner
Implements mail scanning for avast! antivirus.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : avast! Mail Scanner
DEPENDENCIES : avast! Antivirus
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: avast! Web Scanner
Implements web (HTTP) scanning for avast! antivirus.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : avast! Web Scanner
DEPENDENCIES : avast! Antivirus
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: BITS
Uses idle network bandwidth to transfer data.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Background Intelligent Transfer Service
DEPENDENCIES : Rpcss
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: Browser
Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Computer Browser
DEPENDENCIES : LanmanWorkstation
: LanmanServer
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: CiSvc
Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\cisvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Indexing Service
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: ClipSrv
Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\clipsrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ClipBook
DEPENDENCIES : NetDDE
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: COMSysApp
Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : COM+ System Application
DEPENDENCIES : rpcss
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 30 seconds
FAILURE_ACTIONS : Restart DELAY: 1000 seconds
: Restart DELAY: 5000 seconds
: None DELAY: 1000 seconds
SERVICE_NAME: CryptSvc
Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Cryptographic Services
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: Dhcp
Manages network configuration by registering and updating IP addresses and DNS names.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DHCP Client
DEPENDENCIES : Tcpip
: Afd
: NetBT
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: dmadmin
Configures hard disk drives and volumes. The service only runs for configuration processes and then stops.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\dmadmin.exe /com
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Logical Disk Manager Administrative Service
DEPENDENCIES : RpcSs
: PlugPlay
: DmServer
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: dmserver
Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Logical Disk Manager
DEPENDENCIES : RpcSs
: PlugPlay
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: Dnscache
Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k NetworkService
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : DNS Client
DEPENDENCIES : Tcpip
SERVICE_START_NAME: NT AUTHORITY\NetworkService
SERVICE_NAME: EpsonBidirectionalService
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
LOAD_ORDER_GROUP : EBAPIServiceGroup
TAG : 2
DISPLAY_NAME : EpsonBidirectionalService
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: EPSONStatusAgent2
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : EPSON Printer Status Agent2
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: ERSvc
Allows error reporting for services and applictions running in non-standard environments.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Error Reporting Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: Eventlog
Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
LOAD_ORDER_GROUP : Event log
TAG : 0
DISPLAY_NAME : Event Log
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: EventSystem
Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : COM+ Event System
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: ewido security suite control
(null)
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\Program Files\ewido anti-malware\ewidoctrl.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ewido security suite control
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: FastUserSwitchingCompatibility
Provides management for applications that require assistance in a multiple user environment.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Fast User Switching Compatibility
DEPENDENCIES : TermService
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: Fax
Enables you to send and receive faxes, utilizing fax resources available on this computer or on the network.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\fxssvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Fax
DEPENDENCIES : TapiSrv
: RpcSs
: PlugPlay
: Spooler
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: helpsvc
Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Help and Support
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 100 seconds
: Restart DELAY: 100 seconds
: None DELAY: 100 seconds
SERVICE_NAME: HidServ
Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HID Input Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: ImapiService
Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\imapi.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IMAPI CD-Burning COM Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: iPodService
(null)
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\iPod\bin\iPodService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : iPodService
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: lanmanserver
Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Server
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: lanmanworkstation
Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : NetworkProvider
TAG : 0
DISPLAY_NAME : Workstation
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: LiveUpdate
LiveUpdate Core Engine
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : LiveUpdate
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: LmHosts
Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : TCP/IP NetBIOS Helper
DEPENDENCIES : NetBT
: Afd
SERVICE_START_NAME: NT AUTHORITY\LocalService
SERVICE_NAME: Messenger
Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Messenger
DEPENDENCIES : LanmanWorkstation
: NetBIOS
: PlugPlay
: RpcSS
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: mnmsrvc
Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\mnmsrvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NetMeeting Remote Desktop Sharing
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: MSDTC
Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\msdtc.exe
LOAD_ORDER_GROUP : MS Transactions
TAG : 0
DISPLAY_NAME : Distributed Transaction Coordinator
DEPENDENCIES : RPCSS
: SamSS
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: MSIServer
Installs, repairs and removes software according to instructions contained in .MSI files.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\msiexec.exe /V
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Installer
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: NetDDE
Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
LOAD_ORDER_GROUP : NetDDEGroup
TAG : 0
DISPLAY_NAME : Network DDE
DEPENDENCIES : NetDDEDSDM
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: NetDDEdsdm
Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\netdde.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network DDE DSDM
DEPENDENCIES :
: EGrLocalSystem
: Network DDE DSDM
: etwork DDE
: ributed Transaction Coordinator
: r
: ice
: e Service
: ion
: ings\kern
:
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: Netlogon
Supports pass-through authentication of account logon events for computers in a domain.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe
LOAD_ORDER_GROUP : RemoteValidation
TAG : 0
DISPLAY_NAME : Net Logon
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: Netman
Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Connections
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: Nla
Collects and stores network configuration and location information, and notifies applications when this information changes.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Network Location Awareness (NLA)
DEPENDENCIES : Tcpip
: Afd
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: NtLmSsp
Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : NT LM Security Support Provider
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: NtmsSvc
(null)
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Removable Storage
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: ose
Saves installation files used for updates and repairs and is required for the downloading of Setup updates and Watson error reports.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Office Source Engine
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: PlugPlay
Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\services.exe
LOAD_ORDER_GROUP : PlugPlay
TAG : 0
DISPLAY_NAME : Plug and Play
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: PolicyAgent
Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : IPSEC Services
DEPENDENCIES : RPCSS
: Tcpip
: IPSec
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: ProtectedStorage
Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Protected Storage
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: RasAuto
Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Access Auto Connection Manager
DEPENDENCIES : RasMan
: Tapisrv
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: RasMan
Creates a network connection.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Access Connection Manager
DEPENDENCIES : Tapisrv
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: RDSessMgr
Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\sessmgr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Desktop Help Session Manager
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: RemoteAccess
Offers routing services to businesses in local area and wide area network environments.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 4 DISABLED
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Routing and Remote Access
DEPENDENCIES : RpcSS
: +NetBIOSGroup
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: RpcLocator
Manages the RPC name service database.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\locator.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC) Locator
DEPENDENCIES : LanmanWorkstation
SERVICE_START_NAME: NT AUTHORITY\NetworkService
SERVICE_NAME: RpcSs
Provides the endpoint mapper and other miscellaneous RPC services.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost -k rpcss
LOAD_ORDER_GROUP : COM Infrastructure
TAG : 0
DISPLAY_NAME : Remote Procedure Call (RPC)
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 0 seconds
FAILURE_ACTIONS : Reboot DELAY: 60000 seconds
SERVICE_NAME: RSVP
Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\rsvp.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : QoS RSVP
DEPENDENCIES : TcpIp
: Afd
: RpcSs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: SamSs
Stores security information for local user accounts.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\lsass.exe
LOAD_ORDER_GROUP : LocalValidation
TAG : 0
DISPLAY_NAME : Security Accounts Manager
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: SCardDrv
Enables support for legacy non-plug and play smart-card readers used by this computer. If this service is stopped, this computer will not support legacy reader. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\SCardSvr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Smart Card Helper
DEPENDENCIES : +Smart Card Reader
SERVICE_START_NAME: NT AUTHORITY\LocalService
SERVICE_NAME: SCardSvr
Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\SCardSvr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Smart Card
DEPENDENCIES : PlugPlay
SERVICE_START_NAME: NT AUTHORITY\LocalService
SERVICE_NAME: Schedule
Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : SchedulerGroup
TAG : 0
DISPLAY_NAME : Task Scheduler
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: seclogon
Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 120 WIN32_SHARE_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Secondary Logon
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: SENS
Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : Network
TAG : 0
DISPLAY_NAME : System Event Notification
DEPENDENCIES : EventSystem
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: ShellHWDetection
(null)
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : ShellSvcGroup
TAG : 0
DISPLAY_NAME : Shell Hardware Detection
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: Spooler
Loads files to memory for later printing.
TYPE : 110 WIN32_OWN_PROCESS INTERACTIVE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\spoolsv.exe
LOAD_ORDER_GROUP : SpoolerGroup
TAG : 0
DISPLAY_NAME : Print Spooler
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds
: None DELAY: 0 seconds
SERVICE_NAME: srservice
Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : System Restore Service
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: SSDPSRV
Enables discovery of UPnP devices on your home network.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : SSDP Discovery Service
DEPENDENCIES :
SERVICE_START_NAME: NT AUTHORITY\LocalService
SERVICE_NAME: stisvc
Provides image acquisition services for scanners and cameras.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k imgsvc
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Image Acquisition (WIA)
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: SwPrv
Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\System32\dllhost.exe /Processid:{27F2F9F1-D427-4562-B368-0E3DDB2CAF31}
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : MS Software Shadow Copy Provider
DEPENDENCIES : rpcss
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: SysmonLog
Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\smlogsvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Performance Logs and Alerts
DEPENDENCIES :
SERVICE_START_NAME: NT Authority\NetworkService
SERVICE_NAME: TapiSrv
Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Telephony
DEPENDENCIES : PlugPlay
: RpcSs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: TermService
Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Terminal Services
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: Themes
Provides user experience theme management.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : UIGroup
TAG : 0
DISPLAY_NAME : Themes
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds
: None DELAY: 0 seconds
SERVICE_NAME: TrkWks
Maintains links between NTFS files within a computer or across computers in a network domain.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Distributed Link Tracking Client
DEPENDENCIES : RpcSs
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: UMWdf
Enables Windows user mode drivers.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\wdfmgr.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows User Mode Driver Framework
DEPENDENCIES : RpcSs
SERVICE_START_NAME: NT AUTHORITY\LocalService
SERVICE_NAME: uploadmgr
Manages synchronous and asynchronous file transfers between clients and servers on the network. If this service is stopped, synchronous and asynchronous file transfers between clients and servers on the network will not occur. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Upload Manager
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 100 seconds
: Restart DELAY: 100 seconds
: None DELAY: 100 seconds
SERVICE_NAME: upnphost
Provides support to host Universal Plug and Play devices.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Universal Plug and Play Device Host
DEPENDENCIES : SSDPSRV
SERVICE_START_NAME: NT AUTHORITY\LocalService
FAIL_RESET_PERIOD : -1 seconds
FAILURE_ACTIONS : Restart DELAY: 0 seconds
SERVICE_NAME: UPS
Manages an uninterruptible power supply (UPS) connected to the computer.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\ups.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Uninterruptible Power Supply
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: VSS
Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\vssvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Volume Shadow Copy
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: W32Time
Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Time
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: WebClient
Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k LocalService
LOAD_ORDER_GROUP : NetworkProvider
TAG : 0
DISPLAY_NAME : WebClient
DEPENDENCIES : MRxDAV
SERVICE_START_NAME: NT AUTHORITY\LocalService
SERVICE_NAME: winmgmt
Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Windows Management Instrumentation
DEPENDENCIES : RPCSS
: Eventlog
SERVICE_START_NAME: LocalSystem
FAIL_RESET_PERIOD : 86400 seconds
FAILURE_ACTIONS : Restart DELAY: 60000 seconds
: Restart DELAY: 60000 seconds
SERVICE_NAME: WmdmPmSN
Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be down loaded to the device.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Portable Media Serial Number Service
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: WmiApSrv
Provides performance library information from WMI HiPerf providers.
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\wbem\wmiapsrv.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : WMI Performance Adapter
DEPENDENCIES : RPCSS
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: wuauserv
Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site.
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\system32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Automatic Updates
DEPENDENCIES :
SERVICE_START_NAME: LocalSystem
SERVICE_NAME: WZCSVC
Provides automatic configuration for the 802.11 adapters
TYPE : 20 WIN32_SHARE_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\WINDOWS\System32\svchost.exe -k netsvcs
LOAD_ORDER_GROUP : TDI
TAG : 0
DISPLAY_NAME : Wireless Zero Configuration
DEPENDENCIES : RpcSs
: Ndisuio
SERVICE_START_NAME: LocalSystem
StartupList report, 1/9/2006, 10:40:36 PM
StartupList version: 1.52.2
Started from : C:\Program Files\hjt\hijackthis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\hijackthis.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\kerry and colleen\Start Menu\Programs\Startup]
*No files*
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*
[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[3d784421-21ac-4abc-a2fb-8e1d51d4e9a9] *
StubPath = C:\WINDOWS\System32\cbmmqoo.exe
[3d784421-21ac-4abc-a2fb-8e1d51d4e9a9
] *
StubPath = C:\WINDOWS\System32\cbmmqoo.exe
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe
[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*Registry key not found*
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found*
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not
-
You didn't post the bottom part of the HijackThis StartupList.
Could you do that please?
You're also missing the Shared Access key; that's why the firewall won't start.
Can I get you to also do the following:
Download Trackqoo.zip (http://www.bleepingcomputer.com/files/mosaic1/Trackqoo.zip)
Save it to the Desktop.
Double-click on "Track qoo.vbs".
Note - If your antivirus has script blocking, you will get a pop-up window asking you what to do. Allow this entire script to run; it's harmless!
Wait a few seconds and a Notepad page will pop up. Copy & paste those results and place them in the next post.
Also, download Find-Qoologic.zip (http://downloads.subratam.org/Find-Qoologic.zip) and save it to your Desktop.
Unzip the files inside into their own folder called FindQoologic on the desktop.
Open the FindQoologic folder.
Locate and double-click the Find-Qoologic.bat file to run it.
Choose option 1 for "Run Findqoologic" by typing 1 and pressing Enter.
This will scan your system.
Wait until a text file opens.
Post this in your next reply.
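An added example, not part of this thread and not code from HijackThis, Trackqoo or Find-Qoologic: a small Python triage script that reads the "Enumerating Active Setup stub paths" section of a StartupList report and applies the same reading a helper does by eye. Windows registers Installed Components under braced {GUID} keys, so a key with no braces (or one whose name is broken across two lines, as in the report above) is a strong signal, and so is the same StubPath registered under two keys. The "bare .exe under System32 with no arguments" check is a heuristic of my own and only rates an entry for review; the legitimate ie4uinit.exe stub trips it, which is why it is kept separate from the strong checks. The function names and the sample text are mine; the sample is constructed from a few of the entries printed in the report.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: the "Enumerating Active Setup stub paths" section as
# StartupList prints it, reduced to a few keys from the report above. The
# second cbmmqoo key is the one whose name wraps onto a second line.
SAMPLE_REPORT = """\
Enumerating Active Setup stub paths:
HKLM\\Software\\Microsoft\\Active Setup\\Installed Components
(* = disabled by HKCU twin)
[3d784421-21ac-4abc-a2fb-8e1d51d4e9a9] *
StubPath = C:\\WINDOWS\\System32\\cbmmqoo.exe
[3d784421-21ac-4abc-a2fb-8e1d51d4e9a9
] *
StubPath = C:\\WINDOWS\\System32\\cbmmqoo.exe
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\\WINDOWS\\inf\\unregmp2.exe /ShowWMP
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\\system32\\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\\system32\\themeui.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\\system32\\ie4uinit.exe
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
"""

SECTION_HEADER = "Enumerating Active Setup stub paths:"
# "[name] *" -- the trailing "*" is StartupList's "disabled by HKCU twin" mark.
# DOTALL lets a key whose name wrapped onto a second line still match.
KEY_RE = re.compile(r"^\[(?P<name>.*?)\]\s*(?P<disabled>\*)?\s*$", re.S)
# Windows registers Installed Components under braced GUIDs; StartupList
# prefixes some keys with ">" and that prefix is tolerated here.
GUID_KEY_RE = re.compile(
    r"^>?\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Heuristic (my assumption, weak signal): a stub that is just a .exe under
# System32 with no arguments. Legitimate stubs also match it (ie4uinit.exe).
BARE_SYSTEM32_EXE_RE = re.compile(
    r'^"?(?:%systemroot%|c:\\windows)\\system32\\[^\\\s"]+\.exe"?$', re.I)


def parse_active_setup(report: str) -> List[Dict[str, object]]:
    """Return one dict per key in the report's Active Setup section."""
    lines = report.splitlines()
    try:
        start = lines.index(SECTION_HEADER)
    except ValueError:
        return []
    entries: List[Dict[str, object]] = []
    pending = None  # key text still waiting for its closing "]"
    for line in lines[start + 1:]:
        if line.startswith("-----"):  # end of section
            break
        if pending is not None or line.startswith("["):
            pending = line if pending is None else pending + "\n" + line
            m = KEY_RE.match(pending)
            if m:
                entries.append({
                    "key": m.group("name"),
                    "multiline": "\n" in pending,
                    "disabled": m.group("disabled") == "*",
                    "stub": "",
                })
                pending = None
        elif line.startswith("StubPath") and entries:
            entries[-1]["stub"] = line.partition("=")[2].strip()
    return entries


def triage_active_setup(report: str) -> List[Dict[str, object]]:
    """Attach a verdict ("suspicious", "review" or "ok") and reasons to each entry."""
    entries = parse_active_setup(report)
    stub_count = Counter(str(e["stub"]).lower() for e in entries if e["stub"])
    for e in entries:
        strong, weak = [], []
        if e["multiline"] or not GUID_KEY_RE.match(str(e["key"]).strip()):
            strong.append("key name is not a braced {GUID}")
        if stub_count[str(e["stub"]).lower()] > 1:
            strong.append("same StubPath registered under more than one key")
        if BARE_SYSTEM32_EXE_RE.match(str(e["stub"])):
            weak.append("bare executable under System32 with no arguments")
        e["reasons"] = strong + weak
        e["verdict"] = "suspicious" if strong else ("review" if weak else "ok")
    return entries


if __name__ == "__main__":
    for e in triage_active_setup(SAMPLE_REPORT):
        print(f'{e["verdict"]:<10} [{str(e["key"]).strip()}] -> {e["stub"]}')
        for reason in e["reasons"]:
            print(f"             {reason}")
```

Run against a full StartupList report saved to a file, it rates both cbmmqoo.exe keys "suspicious" on two independent grounds and leaves the Microsoft stubs at "ok" or "review". Treat the verdicts as a reading aid, not a removal list: the path heuristic is deliberately weak, and an Active Setup stub has to be confirmed on disk before it is deleted.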
-
This is what I got when I selected "Generate StartupList" from HJT; it's the same thing I posted in my last post. I must have somehow not posted the whole thing b/c I see that it gets cut off in my last post. I downloaded and ran Trackqoo and Qoologic. The results are posted.
StartupList report, 1/9/2006, 11:28:56 PM
StartupList version: 1.52.2
Started from : C:\Program Files\hjt\hijackthis.EXE
Detected: Windows XP SP1 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\hijackthis.exe
C:\WINDOWS\System32\notepad.exe
--------------------------------------------------
Listing of startup folders:
Shell folders Startup:
[C:\Documents and Settings\kerry and colleen\Start Menu\Programs\Startup]
*No files*
Shell folders AltStartup:
*Folder not found*
User shell folders Startup:
*Folder not found*
User shell folders AltStartup:
*Folder not found*
Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
Shell folders Common AltStartup:
*Folder not found*
User shell folders Common Startup:
*Folder not found*
User shell folders Alternate Common Startup:
*Folder not found*
--------------------------------------------------
Checking Windows NT UserInit:
[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*
[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No values found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*
--------------------------------------------------
File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command
(Default) = "%1" %*
--------------------------------------------------
File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command
(Default) = "%1" /S
--------------------------------------------------
File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command
(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*
--------------------------------------------------
File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command
(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1
--------------------------------------------------
Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)
[3d784421-21ac-4abc-a2fb-8e1d51d4e9a9] *
StubPath = C:\WINDOWS\System32\cbmmqoo.exe
[3d784421-21ac-4abc-a2fb-8e1d51d4e9a9
] *
StubPath = C:\WINDOWS\System32\cbmmqoo.exe
[>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP
[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE
[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE
[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll
[{306D6C21-C1B6-4629-986C-E59E1875B8AF}]
StubPath = "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser
[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install
[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT
[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.Install.PerUser
[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp10.inf,PerUserStub
[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install
[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll
[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe
[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINDOWS\System32\Rundll32.exe C:\WINDOWS\System32\mscories.dll,Install
[{8b15971b-5355-4c82-8c07-7e181ea07608}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser
--------------------------------------------------
Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps
*Registry key not found*
--------------------------------------------------
Load/Run keys from C:\WINDOWS\WIN.INI:
load=*INI section not found*
run=*INI section not found*
Load/Run keys from Registry:
HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=*Registry value not found*
--------------------------------------------------
Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*
Shell & screensaver key from Registry:
Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*
Policies Shell key:
HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*
--------------------------------------------------
Checking for EXPLORER.EXE instances:
C:\WINDOWS\Explorer.exe: PRESENT!
C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present
--------------------------------------------------
Checking for superhidden extensions:
.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden
--------------------------------------------------
Verifying REGEDIT.EXE integrity:
- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'
Registry check passed
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}
--------------------------------------------------
Enumerating Task Scheduler jobs:
*No jobs found*
--------------------------------------------------
Enumerating Download Program Files:
[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
[SupportSoft SmartIssue]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\tgctlsi.dll
CODEBASE = http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
[SupportSoft Script Runner Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\tgctlsr.dll
CODEBASE = http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\System32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204
[LSSupCtl Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\LSSupCtl.dll
CODEBASE = http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136010394515
[Java Plug-in 1.4.2_03]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
[{B9191F79-5613-4C76-AA2A-398534BB8999}]
CODEBASE = http://download.yahoo.com/dl/installs/yab_af.cab
[Java Plug-in 1.4.2_03]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
CODEBASE = http://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
[ActiveDataInfo Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\SymAData.dll
CODEBASE = http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
[PhotosCtrl Class]
InProcServer32 = C:\Program Files\Yahoo!\Common\YPhotos.dll
CODEBASE = http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
--------------------------------------------------
Enumerating Winsock LSP files:
NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll
Protocol #16: C:\WINDOWS\system32\mswsock.dll
Protocol #17: C:\WINDOWS\system32\mswsock.dll
Protocol #18: C:\WINDOWS\system32\mswsock.dll
Protocol #19: C:\WINDOWS\system32\mswsock.dll
--------------------------------------------------
Enumerating Windows NT/2000/XP services
Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Agere Systems Soft Modem: System32\DRIVERS\AGRSM.sys (manual start)
Service for WDM 3D Audio Driver: system32\drivers\ALCXSENS.SYS (manual start)
Service for Realtek AC97 Audio (WDM): system32\drivers\ALCXWDM.SYS (manual start)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (disabled)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
ASP.NET State Service: %SystemRoot%\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe (manual start)
avast! iAVS4 Control Service: "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" (autostart)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
avast! Antivirus: "C:\Program Files\Alwil Software\Avast4\ashServ.exe" (autostart)
avast! Mail Scanner: "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (manual start)
avast! Web Scanner: "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
dmio: System32\drivers\dmio.sys (disabled)
dmload: System32\drivers\dmload.sys (disabled)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (autostart)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
EpsonBidirectionalService: C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe (autostart)
EPSON Printer Status Agent2: C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe (autostart)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido anti-malware\ewidoctrl.exe (autostart)
fasttx2k: System32\DRIVERS\fasttx2k.sys (system)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Fax: %systemroot%\system32\fxssvc.exe (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
VIA Rhine-Family Fast Ethernet Adapter Driver Service: System32\DRIVERS\fetnd5bv.sys (manual start)
VIA Rhine Family Fast Ethernet Adapter Driver Service: System32\DRIVERS\fetnd5b.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
HID Input Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
ialm: System32\DRIVERS\ialmnt5.sys (manual start)
CD-Burning Filter Driver: System32\DRIVERS\imapi.sys (system)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IntelIde: System32\DRIVERS\intelide.sys (system)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
LiveUpdate: "C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE" (manual start)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBT: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nv: System32\DRIVERS\nv4_mini.sys (manual start)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
VIA OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
Office Source Engine: C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (manual start)
PalmUSBD: system32\drivers\PalmUSBD.sys (manual start)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
PortlUSB: System32\DRIVERS\yepp920.sys (manual start)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor Driver: System32\DRIVERS\processr.sys (system)
Protected Storage: %SystemRoot%\system32\lsass.exe (autostart)
PS2: System32\DRIVERS\PS2.sys (manual start)
QoS Packet Scheduler: System32\DRIVERS\psched.sys (manual start)
Direct Parallel Link Driver: System32\DRIVERS\ptilink.sys (manual start)
PxHelp20: System32\DRIVERS\PxHelp20.sys (system)
Remote Access Auto Connection Driver: System32\DRIVERS\rasacd.sys (system)
Remote Access Auto Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
WAN Miniport (L2TP): System32\DRIVERS\rasl2tp.sys (manual start)
Remote Access Connection Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Remote Access PPPOE Driver: System32\DRIVERS\raspppoe.sys (manual start)
Direct Parallel: System32\DRIVERS\raspti.sys (manual start)
Rdbss: System32\DRIVERS\rdbss.sys (system)
RDPCDD: System32\DRIVERS\RDPCDD.sys (system)
Remote Desktop Help Session Manager: C:\WINDOWS\system32\sessmgr.exe (manual start)
Digital CD Audio Playback Filter Driver: System32\DRIVERS\redbook.sys (system)
Routing and Remote Access: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
Remote Procedure Call (RPC) Locator: %SystemRoot%\System32\locator.exe (manual start)
Remote Procedure Call (RPC): %SystemRoot%\system32\svchost -k rpcss (autostart)
QoS RSVP: %SystemRoot%\System32\rsvp.exe (manual start)
Realtek RTL8139/810x Family Fast Ethernet NIC NT Driver: System32\DRIVERS\R8139n51.SYS (manual start)
Security Accounts Manager: %SystemRoot%\system32\lsass.exe (autostart)
Smart Card Helper: %SystemRoot%\System32\SCardSvr.exe (manual start)
Smart Card: %SystemRoot%\System32\SCardSvr.exe (manual start)
Task Scheduler: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Secdrv: System32\DRIVERS\secdrv.sys (manual start)
Secondary Logon: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
System Event Notification: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Serenum Filter Driver: System32\DRIVERS\serenum.sys (manual start)
Serial port driver: System32\DRIVERS\serial.sys (system)
Shell Hardware Detection: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
SiS315: System32\DRIVERS\sisgrp.sys (manual start)
SiS AGP Filter: System32\DRIVERS\SISAGPX.sys (system)
SiSkp: System32\DRIVERS\srvkp.sys (system)
Microsoft Kernel Audio Splitter: system32\drivers\splitter.sys (manual start)
Print Spooler: %SystemRoot%\system32\spoolsv.exe (autostart)
System Restore Filter Driver: System32\DRIVERS\sr.sys (system)
System Restore Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Srv: System32\DRIVERS\srv.sys (manual start)
SSDP Discovery Service: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Windows Image Acquisition (WIA): %SystemRoot%\System32\svchost.exe -k imgsvc (autostart)
Software Bus Driver: System32\DRIVERS\swenum.sys (manual start)
Microsoft Kernel GS Wavetable Synthesizer: system32\drivers\swmidi.sys (manual start)
MS Software Shadow Copy Provider: C:\WINDOWS\System32\dllhost.exe /Processid:{27F2F9F1-D427-4562-B368-0E3DDB2CAF31} (manual start)
Microsoft Kernel System Audio Device: system32\drivers\sysaudio.sys (manual start)
Performance Logs and Alerts: %SystemRoot%\system32\smlogsvc.exe (manual start)
Telephony: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
TCP/IP Protocol Driver: System32\DRIVERS\tcpip.sys (system)
Terminal Device Driver: System32\DRIVERS\termdd.sys (system)
Terminal Services: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Themes: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Distributed Link Tracking Client: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Windows User Mode Driver Framework: C:\WINDOWS\System32\wdfmgr.exe (autostart)
Microcode Update Driver: System32\DRIVERS\update.sys (manual start)
Upload Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Universal Plug and Play Device Host: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Uninterruptible Power Supply: %SystemRoot%\System32\ups.exe (manual start)
Microsoft USB Generic Parent Driver: System32\DRIVERS\usbccgp.sys (manual start)
Microsoft USB 2.0 Enhanced Host Controller Miniport Driver: System32\DRIVERS\usbehci.sys (manual start)
USB2 Enabled Hub: System32\DRIVERS\usbhub.sys (manual start)
Microsoft USB Open Host Controller Miniport Driver: System32\DRIVERS\usbohci.sys (manual start)
Microsoft USB PRINTER Class: System32\DRIVERS\usbprint.sys (manual start)
USB Scanner Driver: System32\DRIVERS\usbscan.sys (manual start)
USB Mass Storage Driver: System32\DRIVERS\USBSTOR.SYS (manual start)
Microsoft USB Universal Host Controller Miniport Driver: System32\DRIVERS\usbuhci.sys (manual start)
USB Remote NDIS Network Device Driver: System32\DRIVERS\usb8023.sys (manual start)
VgaSave: \SystemRoot\System32\drivers\vga.sys (system)
VIA AGP Filter: System32\DRIVERS\viaagp1.sys (system)
viagfx: System32\DRIVERS\vtmini.sys (manual start)
ViaIde: System32\DRIVERS\viaide.sys (system)
Volume Shadow Copy: %SystemRoot%\System32\vssvc.exe (manual start)
Windows Time: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Remote Access IP ARP Driver: System32\DRIVERS\wanarp.sys (manual start)
WAN Miniport (ATW): System32\DRIVERS\wanatw4.sys (manual start)
Microsoft WINMM WDM Audio Compatibility Driver: system32\drivers\wdmaud.sys (manual start)
WebClient: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Windows Management Instrumentation: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Portable Media Serial Number Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
WMI Performance Adapter: C:\WINDOWS\System32\wbem\wmiapsrv.exe (manual start)
Windows Socket 2.0 Non-IFS Service Provider Support Environment: \SystemRoot\System32\drivers\ws2ifsl.sys (disabled)
Automatic Updates: %systemroot%\system32\svchost.exe -k netsvcs (autostart)
Wireless Zero Configuration: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
--------------------------------------------------
Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*
Windows NT checkdisk command:
BootExecute = autocheck autochk *
Windows NT 'Wininit.ini':
PendingFileRenameOperations: *Registry value not found*
--------------------------------------------------
Enumerating ShellServiceObjectDelayLoad items:
PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*Registry key not found*
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
*No values found*
--------------------------------------------------
End of report, 32,732 bytes
Report generated in 0.078 seconds
Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers
Subkey --- avast
{472083B0-C522-11CF-8763-00608CC02F24}
C:\Program Files\Alwil Software\Avast4\ashShell.dll
Subkey --- gfxxkqqm
{323f66ba-4bd3-4b4a-bd72-46fb4e48585f}
C:\WINDOWS\System32\gfwwk.dll
Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll
Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll
=====================
HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers
Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll
Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll
==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Compaq Connections.lnk
desktop.ini
pxjj.exe
==============================
C:\Documents and Settings\kerry and colleen\Start Menu\Programs\Startup
Compaq Connections.lnk
desktop.ini
pxjj.exe
desktop.ini
==============================
C:\WINDOWS\system32 cpl files
access.cpl Microsoft Corporation
ALSNDMGR.CPL Realtek Semiconductor Corp.
appwiz.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
jpicpl32.cpl Sun Microsystems
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation
Check for missing files
.....
C:\WINDOWS\system32\AUTOEXEC.NT not there
.....
End check for missing files
.....
VXD Check
REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers]
"VDD"=hex(7):43,3a,5c,50,72,6f,67,72,61,6d,20,46,69,6c,65,73,5c,41,6c,77,69,6c,\
20,53,6f,66,74,77,61,72,65,5c,41,76,61,73,74,34,5c,61,73,77,4d,6f,6e,56,64,\
2e,64,6c,6c,00,00
.....
End vxd check
Please post this in the forum
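The Active Setup section of the log above is the kind of thing a helper reads by hand: cbmmqoo.exe is registered twice under key names that are not the usual {GUID} form (the second one even wraps onto a new line), next to the legitimate Microsoft stubs. As an added example, not part of this thread and not code from StartupList or FindQoologic, here is a PowerShell snippet that pulls the same list from a live machine and flags what a reviewer would flag. It assumes PowerShell 2.0 or later on an elevated prompt; Get-StubTarget is a helper name chosen for this example.

```powershell
# Added example (not from the thread): triage HKLM Active Setup stubs the way the
# StartupList section is read by hand, flagging:
#  - key names that are not a plain {GUID} (or >{GUID}) or that contain control characters
#  - StubPaths whose target file is missing, or present but not Authenticode-signed
#  - whether the stub is "disabled by HKCU twin" (a key of the same name exists under HKCU)
# Assumes PowerShell 2.0+ and an administrator prompt.

$base        = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$twinBase    = 'HKCU:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$guidPattern = '^>?\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$'

function Get-StubTarget {
    # Pull the executable out of a StubPath such as
    #   "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Messenger\msgsc.dll",ShowIconsUser
    #   rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,...
    #   %SystemRoot%\system32\ie4uinit.exe
    param([string]$StubPath)
    $expanded = [Environment]::ExpandEnvironmentVariables($StubPath).Trim()
    if ($expanded.StartsWith('"')) {
        $exe = $expanded.Substring(1, $expanded.IndexOf('"', 1) - 1)
    } else {
        $exe = $expanded.Split(' ')[0]
    }
    # Bare names like rundll32.exe / regsvr32.exe resolve through the PATH search order,
    # so show where they would actually resolve from on this machine.
    if (-not [IO.Path]::IsPathRooted($exe)) {
        $hit = Get-Command $exe -ErrorAction SilentlyContinue
        if ($hit) { $exe = $hit.Definition }
    }
    return $exe
}

Get-ChildItem $base | ForEach-Object {
    $name = $_.PSChildName
    $stub = (Get-ItemProperty -LiteralPath $_.PSPath).StubPath
    if (-not $stub) { return }            # a component with no StubPath runs nothing

    $flags = @()
    if ($name -notmatch $guidPattern) { $flags += 'odd-key-name' }
    if ($name -match '[\x00-\x1F]')   { $flags += 'control-char-in-name' }

    # StartupList marks a stub with * when an HKCU twin exists; the real rule also
    # compares the Version values, this check only tests for the twin key's presence.
    $disabled = Test-Path -LiteralPath (Join-Path $twinBase $name)

    $target = Get-StubTarget $stub
    if (-not (Test-Path -LiteralPath $target)) {
        $flags += 'target-missing'
    } else {
        # Caveat: catalog-signed OS files report NotSigned on older PowerShell builds,
        # so treat an unsigned flag as "look at this file", not as a verdict.
        $sig = Get-AuthenticodeSignature -FilePath $target
        if ($sig.Status -ne 'Valid') { $flags += "unsigned($($sig.Status))" }
    }

    New-Object PSObject -Property @{
        Key      = $name
        Disabled = $disabled
        Target   = $target
        Flags    = ($flags -join ',')
    }
} | Sort-Object Flags -Descending | Format-Table -AutoSize Key, Disabled, Flags, Target
```

Against the log above, the two cbmmqoo.exe entries would come out with odd-key-name (no braces, and a control character in the second), while the shmgrate.exe, setup50.exe and advpack.dll stubs would only ever show the signature caveat.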
-
Can you do the following please.
If you have Windows XP Home edition, use this download and save it to your desktop:
http://homepage.ntlworld.com/spencer.greystrong/XPHomeFiles.exe
If you have Windows XP Pro edition, use this download and save it to your desktop:
http://homepage.ntlworld.com/spencer.greystrong/XPProfiles.exe
If you're unsure, go to START>>RUN>>type in winver and hit OK.
Once the correct file is saved, double click on the file that you placed on your desktop and run it. Let it self-extract the needed files to the C:\WINDOWS\system32 folder by clicking the UNZIP button, which should be set by default.
Now try running FindQoologic again with the instructions I posted earlier and post the new log.
EDIT>>We're almost there indigenous1, just have to clean some bad files and reg. entries.
-
downloaded the files. here is the new qoologic log.
Find Qoologic last edited 01/08/2006
Running from
C:\Documents and Settings\kerry and colleen\Desktop\findqoologic\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»» Search by size and name»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
C:\WINDOWS\SYSTEM32\LINKINFO.DLL
C:\WINDOWS\SYSTEM32\GFWWK.DLL
C:\WINDOWS\SYSTEM32\QENNUAA.DLL
C:\WINDOWS\SYSTEM32\KFDDBCC.EXE
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\PXJJ.EXE
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gfxxkqqm]
@="{323f66ba-4bd3-4b4a-bd72-46fb4e48585f}"
[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebNexus]
.....
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]
-
Can you do the following please
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop, we'll need this later, don't run it yet
Ensure to include REGEDIT4 and below in the code box
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{3d784421-21ac-4abc-a2fb-8e1d51d4e9a9}]
[-HKEY_CLASSES_ROOT\CLSID\{323f66ba-4bd3-4b4a-bd72-46fb4e48585f}]
[-HKEY_CLASSES_ROOT\CLSID\{3d784421-21ac-4abc-a2fb-8e1d51d4e9a9}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gfxxkqqm]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebNexus]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\AVAST4\\ashDisp.exe"
Download Killbox by Option^Explicit from http://www.atribune.org/downloads/KillBox.exe
* Save it to your desktop or a folder
* Please double-click Killbox.exe to run it.
* Select "Delete on Reboot".
* Copy all the file paths below to the clipboard by highlighting ALL of them and pressing the 2 keys on your keyboard CTRL + C
Killbox file paths to copy between dotted lines
===========================================
C:\WINDOWS\SYSTEM32\GFWWK.DLL
C:\WINDOWS\SYSTEM32\QENNUAA.DLL
C:\WINDOWS\SYSTEM32\KFDDBCC.EXE
C:\WINDOWS\System32\cbmmqoo.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pxjj.exe
C:\Documents and Settings\kerry and colleen\Start Menu\Programs\Startup\pxjj.exe
===================================================
* Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
* Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If your computer does not restart automatically, please restart it manually.
Back in Windows, don't worry about any error messages
Double click on fix.reg and allow to add/merge to the registry
Reboot the computer one more time
Come back here
Run FindQoologic again and post a new log from it please
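The post above does the cleanup in two pieces: fix.reg deletes the registry keys and puts the avast! Run value back, and Killbox's "Delete on Reboot" removes files that may be locked while the malware is running. As an added example, not from this thread and not Killbox's or FindQoologic's code, here is the same fix as one PowerShell script run from an elevated prompt. The file deletion uses the Win32 MoveFileEx call with MOVEFILE_DELAY_UNTIL_REBOOT, which is the mechanism behind "Delete on Reboot" and what the PendingFileRenameOperations line in the StartupList output reports on. It assumes the paths listed in the post and PowerShell 2.0 or later.

```powershell
# Added example (not from the thread): registry keys are removed directly; files that
# may be in use are queued for deletion at the next reboot via
# MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT). Run as an administrator, then reboot.

$keys = @(
  'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{3d784421-21ac-4abc-a2fb-8e1d51d4e9a9}',
  'Registry::HKEY_CLASSES_ROOT\CLSID\{323f66ba-4bd3-4b4a-bd72-46fb4e48585f}',
  'Registry::HKEY_CLASSES_ROOT\CLSID\{3d784421-21ac-4abc-a2fb-8e1d51d4e9a9}',
  'Registry::HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}',
  'Registry::HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}',
  'Registry::HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gfxxkqqm',
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebNexus',
  'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}'
)
$files = @(
  'C:\WINDOWS\SYSTEM32\GFWWK.DLL',
  'C:\WINDOWS\SYSTEM32\QENNUAA.DLL',
  'C:\WINDOWS\SYSTEM32\KFDDBCC.EXE',
  'C:\WINDOWS\System32\cbmmqoo.exe',
  'C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pxjj.exe',
  'C:\Documents and Settings\kerry and colleen\Start Menu\Programs\Startup\pxjj.exe'
)

# MoveFileEx with a null destination and MOVEFILE_DELAY_UNTIL_REBOOT (0x4) writes the
# path into PendingFileRenameOperations; the session manager deletes it at boot,
# before any autostart can open the file again.
$kernel32 = Add-Type -Namespace Win32 -Name Kernel32 -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@
$MOVEFILE_DELAY_UNTIL_REBOOT = 0x4

foreach ($k in $keys) {
    # -LiteralPath matters here: the '*' in HKEY_CLASSES_ROOT\*\shellex is a key name, not a wildcard.
    if (Test-Path -LiteralPath $k) {
        try   { Remove-Item -LiteralPath $k -Recurse -Force -ErrorAction Stop; "removed  $k" }
        catch { "FAILED   $k : $($_.Exception.Message)" }   # e.g. key held open by a running process
    } else  { "absent   $k" }
}

# Put the avast! tray icon back in Run, the value fix.reg re-adds after its deletions.
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'avast!' -Value 'C:\PROGRA~1\ALWILS~1\AVAST4\ashDisp.exe'

foreach ($f in $files) {
    if (-not (Test-Path -LiteralPath $f)) { "absent   $f"; continue }   # already gone
    if ($kernel32::MoveFileEx($f, $null, $MOVEFILE_DELAY_UNTIL_REBOOT)) { "queued   $f" }
    else { "FAILED   $f (Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error()))" }
}

# Verify the queue the same way the StartupList output does. Entries come in pairs:
# \??\C:\path followed by an empty string (empty destination = delete).
(Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager').PendingFileRenameOperations
```

Reboot after the script; the registry key deletions take effect immediately, the file deletions only at boot. If a key removal fails with a "being used by another process" style error, the process holding it is usually one of the files just queued, so rerunning the script after the reboot clears it.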
-
Could you also post a fresh Hijackthis log along with the new Findqoologic log, sorry, forgot to ask for it in my last post
I hope to see the results tonight, but if I don't:
We need to get a firewall on that system. I believe updating to Service Pack 2 will replace what we need, but I definitely want to make sure we have you clean first.
Being on the Internet without a firewall in place is not safe!
-
I created the fix.reg file. The first time I didn't save as "all files" so I had to save it over. I copied the contents of the code box to it. I ran Killbox and it would not paste all 6 files from the clipboard. Only the 1st, 2nd, 3rd, and 5th files on the list appeared in the dropdown box. I ran Killbox anyway and rebooted. I then tried to insert the remaining 2 files into the dropdown box by themselves by copying and pasting. I got an error saying that they had already been removed by another process. I then ran fix.reg. When I selected to add/merge to the registry I got another error saying "cannot input C:\docum~1\kerrya~\desktop\fix.reg: not all data was successfully written to the registry. some keys are open by the system or another process."
Find Qoologic last edited 01/08/2006
Running from
C:\Documents and Settings\kerry and colleen\Desktop\findqoologic\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»» Search by size and name»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
C:\WINDOWS\SYSTEM32\LINKINFO.DLL
C:\WINDOWS\SYSTEM32\GFWWK.DLL
C:\WINDOWS\SYSTEM32\QENNUAA.DLL
C:\WINDOWS\SYSTEM32\KFDDBCC.EXE
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\PXJJ.EXE
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebNexus]
.....
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]
Logfile of HijackThis v1.99.1
Scan saved at 3:43:48 AM, on 1/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\hjt\hijackthis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136010394515
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
-
That findqoologic log looks the same
Can you do the following to make sure we rid you of bad files
Please save these instructions to a Notepad file on your desktop for reference
Reboot into safemode
In safe mode
Start Killbox.exe
Leave "Standard Kill file" selected
In the "Full path of File to Delete" box, copy and paste the entry below in bold
C:\WINDOWS\SYSTEM32\GFWWK.DLL
Then click the Red Circle with the White X
Allow it to make a backup and delete the file
Don't worry about no file found messages
Carry on with the same instructions with the rest of these
C:\WINDOWS\SYSTEM32\QENNUAA.DLL
C:\WINDOWS\SYSTEM32\KFDDBCC.EXE
C:\WINDOWS\System32\cbmmqoo.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pxjj.exe
C:\Documents and Settings\kerry and colleen\Start Menu\Programs\Startup\pxjj.exe
For any file that won't delete
Reenter the path to the file back into Killbox
This time use the "Delete File on Reboot" option
Allow Killbox to delete on reboot, but don't allow it to reboot until you have entered the last full path to the file
Then allow the computer to reboot back to Normal mode
Back in Windows
Double click on fix.reg and allow to add/merge to the registry
Reboot one more time
Back in Windows
Make sure you don't post an old log from FindQoologic
Please run FindQoologic
Locate and double-click the Find-Qoologic.bat file to run it.
Choose option 1 for Run Findqoologic by typing 1 and pressing enter.
This will scan your system.
Wait until a text opens.
Post this in your next reply with a new Hijackthis log
-
Here is the new Qoologic report. Once again, files 4 and 6 could not be found in Killbox. The other four got deleted. When I run fix.reg I get the same error as yesterday: "cannot input C:\docum~1\kerrya~\desktop\fix.reg: not all data was successfully written to the registry. some keys are open by the system or another process."
Find Qoologic last edited 01/08/2006
Running from
C:\Documents and Settings\kerry and colleen\Desktop\findqoologic\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»» Search by size and name»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
C:\WINDOWS\SYSTEM32\LINKINFO.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebNexus]
.....
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]
Logfile of HijackThis v1.99.1
Scan saved at 8:50:18 PM, on 1/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\hijackthis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136010394515
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: iPodService - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
-
That's ok, can you do the following instead
Reboot into safe mode and try running the reg. fix again
I think most of the bad reg. entries are gone
If it won't completely merge, that's ok
Reboot back to Normal mode
Can you do the following please
Go to start>>run>>type in services.msc
hit OK
double click on and stop and disable the following service names if found
iPodService
LiveUpdate
Create a new restore point please, go to START>>Programs>>Accessories>>System Tools>>System Restore
Create a new restore
Name it and click Create
When that's done
We still should make sure we rid you of leftovers from Norton's 2004
From HERE (http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039?Open&src=&docid=2004020909040706&nsf=tsgeninfo.nsf&view=docid&dtype=&prod=&ver=&osv=&osv_lvl=&seg=)
Download and save to desktop SymNRT.exe
Run the utility from the desktop, following the instructions posted by Symantec:
On the Windows desktop, double-click SymNRT.exe, and then follow the on-screen instructions. Restart the computer if asked.
Back in Windows, go back to that link, download the other 2 files they ask of you
Follow the instructions they have posted
1. Follow the instructions for your Web browser:
* Internet Explorer. Click the following link to download the first file:
SYMMSICLEANUP.reg
Save the file to the Windows desktop.
* Firefox. Right-click the following link and then click Save Link As to download the first file:
SYMMSICLEANUP.reg
Save the file to the Windows desktop.
2. On the Windows desktop, double-click SYMMSICLEANUP.reg.
3. Click Yes when prompted, and then click OK.
4. Follow the instructions for your Web browser:
* Internet Explorer. Click the following link to begin the download of the first file:
MSIFIX.bat
Save the file to the Windows desktop.
* Firefox. Right-click the following link and then click Save Link As to begin the download of the first file:
MSIFIX.bat
Save the file to the Windows desktop.
5. On the Windows desktop, double-click MSIFIX.bat. A black window may appear very briefly.
Don't reinstall Liveupdate, instead reboot the computer one more time and let me know how things are running
-
I stopped and disabled iPod and LiveUpdate and created a new restore point. Ran SYMMSICLEANUP.reg and MSIFIX.bat. Everything seems to be running OK. Is there a way for me to get rid of this prompt: "a script is accessing some software (an active x control) on this page which has been marked safe for scripting. do you want to allow this?" Not sure if you need a new HJT log but here it is anyway.
Logfile of HijackThis v1.99.1
Scan saved at 9:48:24 PM, on 1/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\hjt\hijackthis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136010394515
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
-
Before we reset a setting that should help with one problem
Can you do the following please
Delete fix.reg on your desktop
From below download dpf.zip and unzip to desktop
Double click on the new fix.reg
Will it all merge?
Double click on dpf.bat
A text file will open, copy and paste back the contents please
-
fix.reg worked. It all merged. Here are the contents from dpf.
Volume in drive C is PRESARIO
Volume Serial Number is 0CFB-2073
Directory of C:\WINDOWS\Downloaded Program Files
01/08/2006 04:18 AM <DIR> BUILTIN\Administrators .
01/08/2006 04:18 AM <DIR> BUILTIN\Administrators ..
04/02/2004 01:53 PM 65 BUILTIN\Administrators desktop.ini
10/15/1997 03:52 AM 697 BUILTIN\Administrators DirectAnimation Java Classes.osd
11/03/2005 08:24 PM 495 YOUR-2S4KN5K0H3\kerry aLegitCheckControl.inf
10/27/2004 02:10 PM 111,752 YOUR-2S4KN5K0H3\kerry aLSSupCtl.dll
10/27/2004 02:03 PM 302 YOUR-2S4KN5K0H3\kerry aLSSupCtl.inf
01/20/2000 03:25 PM 1,162 BUILTIN\Administrators Microsoft XML Parser for Java.osd
09/21/2001 04:28 PM 16,202 YOUR-2S4KN5K0H3\kerry asdclicense.txt
01/19/2005 10:46 PM 264 ... sqdxbbmh.exe.js
11/14/2005 01:40 PM 161,384 YOUR-2S4KN5K0H3\kerry aSymAData.dll
06/17/2005 01:25 AM 1,069,056 YOUR-2S4KN5K0H3\kerry atgctlsi.dll
06/17/2005 12:41 AM 667 YOUR-2S4KN5K0H3\kerry atgctlsi.inf
06/17/2005 01:25 AM 413,696 YOUR-2S4KN5K0H3\kerry atgctlsr.dll
06/17/2005 12:41 AM 521 YOUR-2S4KN5K0H3\kerry atgctlsr.inf
05/26/2005 04:19 AM 291 YOUR-2S4KN5K0H3\kerry awuweb.inf
14 File(s) 1,776,554 bytes
2 Dir(s) 108,827,840,512 bytes free
-
Can you go to start>>run>>type in
cmd
Hit OK
Come back here and leave the box open
Copy the next command in bold
cd C:\WINDOWS\Downloaded Program Files
At the command prompt right click in the box and select PASTE
Then Hit Enter on your keyboard
Then copy the next line and then back at the Command box select PASTE then hit enter on the keyboard
del sqdxbbmh.exe.js
Type in Exit and then hit Enter
Double click again on dpf.bat and post the contents of the text file that opens
-
Here it is
Volume in drive C is PRESARIO
Volume Serial Number is 0CFB-2073
Directory of C:\WINDOWS\Downloaded Program Files
01/10/2006 11:00 PM <DIR> BUILTIN\Administrators .
01/10/2006 11:00 PM <DIR> BUILTIN\Administrators ..
04/02/2004 01:53 PM 65 BUILTIN\Administrators desktop.ini
10/15/1997 03:52 AM 697 BUILTIN\Administrators DirectAnimation Java Classes.osd
11/03/2005 08:24 PM 495 YOUR-2S4KN5K0H3\kerry aLegitCheckControl.inf
10/27/2004 02:10 PM 111,752 YOUR-2S4KN5K0H3\kerry aLSSupCtl.dll
10/27/2004 02:03 PM 302 YOUR-2S4KN5K0H3\kerry aLSSupCtl.inf
01/20/2000 03:25 PM 1,162 BUILTIN\Administrators Microsoft XML Parser for Java.osd
09/21/2001 04:28 PM 16,202 YOUR-2S4KN5K0H3\kerry asdclicense.txt
11/14/2005 01:40 PM 161,384 YOUR-2S4KN5K0H3\kerry aSymAData.dll
06/17/2005 01:25 AM 1,069,056 YOUR-2S4KN5K0H3\kerry atgctlsi.dll
06/17/2005 12:41 AM 667 YOUR-2S4KN5K0H3\kerry atgctlsi.inf
06/17/2005 01:25 AM 413,696 YOUR-2S4KN5K0H3\kerry atgctlsr.dll
06/17/2005 12:41 AM 521 YOUR-2S4KN5K0H3\kerry atgctlsr.inf
05/26/2005 04:19 AM 291 YOUR-2S4KN5K0H3\kerry awuweb.inf
13 File(s) 1,776,290 bytes
2 Dir(s) 108,827,299,840 bytes free
-
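Editor's added example, not a post from this thread and not a tool either participant used: a Python audit of the `dir /q` listing that dpf.bat printed above. It flags the entry whose owner shows as "..." (an owner `dir /q` could not resolve) and whose name carries a double extension, cross-checks the "File(s)" footer against what it parsed, and diffs the two listings to confirm the removal. The sample listings are constructed to mirror the posted output; the 23-character owner column is an assumption about `dir /q` formatting.

```python
"""Audit a `dir /q`-style listing of Downloaded Program Files and diff two
listings to confirm a removal.  Added editorial example, not a tool from the
thread; the sample listings below are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed samples mirroring the posted output.  Assumption: the owner column
# is 23 characters wide, as `dir /q` prints it, so the long owner
# "YOUR-2S4KN5K0H3\kerry and colleen" shows up truncated to "...\kerry a".
BEFORE = """\
 Directory of C:\\WINDOWS\\Downloaded Program Files

01/08/2006  04:18 AM    <DIR>          BUILTIN\\Administrators  .
01/08/2006  04:18 AM    <DIR>          BUILTIN\\Administrators  ..
04/02/2004  01:53 PM                65 BUILTIN\\Administrators  desktop.ini
10/27/2004  02:10 PM           111,752 YOUR-2S4KN5K0H3\\kerry a LSSupCtl.dll
11/03/2005  08:24 PM               495 YOUR-2S4KN5K0H3\\kerry a LegitCheckControl.inf
01/19/2005  10:46 PM               264 ...                     sqdxbbmh.exe.js
05/26/2005  04:19 AM               291 YOUR-2S4KN5K0H3\\kerry a wuweb.inf
               5 File(s)        112,867 bytes
"""
# Constructed "after" listing: the same folder once the .js file is gone.
AFTER = "\n".join(l for l in BEFORE.splitlines() if "sqdxbbmh" not in l) \
    .replace("5 File(s)", "4 File(s)").replace("112,867", "112,603")

LINE = re.compile(r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2} [AP]M)\s+(<DIR>|[\d,]+)\s+(.*)$")
FOOTER = re.compile(r"^\s*(\d+) File\(s\)")
OWNER_WIDTH = 23
# Types that legitimately live in Downloaded Program Files (ActiveX controls and
# their metadata).  Heuristic allowlist, not a rule: anything else gets a look.
EXPECTED_EXT = {"dll", "ocx", "inf", "osd", "ini", "txt", "cab"}
EXEC_EXT = {"exe", "dll", "com", "scr", "pif"}


@dataclass(frozen=True)
class Entry:
    name: str
    owner: str
    size: int      # 0 for directories
    is_dir: bool


def parse_listing(text: str) -> list[Entry]:
    """Return the entries of a `dir /q` listing, skipping '.', '..' and the footer."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rest = m.group(4)                      # owner column followed by the name
        owner = rest[:OWNER_WIDTH].rstrip()
        name = rest[OWNER_WIDTH:].strip()
        if name in (".", ".."):
            continue
        is_dir = m.group(3) == "<DIR>"
        size = 0 if is_dir else int(m.group(3).replace(",", ""))
        entries.append(Entry(name, owner, size, is_dir))
    return entries


def footer_count(text: str) -> int | None:
    """The 'N File(s)' count `dir` prints, used to cross-check the parse."""
    for line in text.splitlines():
        m = FOOTER.match(line)
        if m:
            return int(m.group(1))
    return None


def suspicion_reasons(e: Entry) -> list[str]:
    reasons = []
    if e.owner == "...":
        # dir /q prints "..." when the owning SID cannot be resolved to a name.
        reasons.append("owner SID could not be resolved")
    parts = e.name.lower().split(".")
    if len(parts) > 2 and parts[-2] in EXEC_EXT:
        reasons.append("executable extension hidden inside the name")
    if len(parts) > 1 and parts[-1] not in EXPECTED_EXT:
        reasons.append(f"unexpected type .{parts[-1]} for this folder")
    return reasons


def audit(text: str) -> dict[str, list[str]]:
    """Map each suspicious file name to the reasons it was flagged."""
    result: dict[str, list[str]] = {}
    files = [e for e in parse_listing(text) if not e.is_dir]
    count = footer_count(text)
    if count is not None and count != len(files):
        result["<listing>"] = [f"footer says {count} files, parsed {len(files)}"]
    for e in files:
        reasons = suspicion_reasons(e)
        if reasons:
            result[e.name] = reasons
    return result


def diff_listings(before: str, after: str) -> tuple[set[str], set[str]]:
    """(removed, added) file names between two runs of the same listing."""
    b = {e.name for e in parse_listing(before) if not e.is_dir}
    a = {e.name for e in parse_listing(after) if not e.is_dir}
    return b - a, a - b


if __name__ == "__main__":
    for name, reasons in audit(BEFORE).items():
        print(f"{name}: {'; '.join(reasons)}")
    removed, added = diff_listings(BEFORE, AFTER)
    print("removed:", sorted(removed), "added:", sorted(added))
```

Run it against a real listing by replacing BEFORE/AFTER with the saved output of `dir /q`; the footer cross-check catches a listing that was pasted incompletely.
-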
Good work indigenous
Can we do the following please
If everything is running better
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.
When it's done, decline to log off or restart the computer
Can you do this now
For added protection
You should install this free tool
SpywareBlaster 3.5.1 by JavaCool (http://www.javacoolsoftware.com/spywareblaster.html)
* Will block bad ActiveX Controls
* Block malevolent cookies in Internet Explorer and Firefox
* Restrict actions of potentially dangerous sites in Internet Explorer
After installation, check for updates and then click "Enable all protection"
Check for updates every couple of weeks
After every update just simply click "enable protection on all unprotected items"
Let's clear all those restore points to make sure you don't restore any nasties
Go to START>>RUN>>In the open field
type in msconfig
Click the "Launch System Restore" button
On the Left hand side click on "System Restore Settings"
Put a Check in "Turn off System Restore"
Apply it and OK out of there>>Reboot your computer
Back in Windows, Go back and take the check out of Turn off system restore
This will re-enable the System Restore feature and create a new restore point
Access Internet options via Control Panel
Under the Security tab>>Internet>>Select Default Level>>Click Custom level and ensure it's set to Medium
Apply it and OK out of there
We have a key to replace in the registry
I'm quite sure the install of SP2 will fix this, plus we must get some kind of Firewall in place
Can you try installing SP2 again, let's hope it all goes well, it should
I know we both work and have to do this on our off-times
So I may not be able to see your reply till tomorrow
But if everything goes good, can you post one last hijackthis log please, just to make sure it looks good, thanks
-
Bad news. SP2 still would not install. I got 2 error prompts relating to backing up files, which I chose to ignore. I then got an install error and the download aborted. I ran Cleanup! and installed SpywareBlaster. I also cleared the restore points and set security to zero. Here is the HJT.
Logfile of HijackThis v1.99.1
Scan saved at 1:06:07 AM, on 1/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\hijackthis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136010394515
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
-
Not sure what error prompts you got?
i got 2 error prompts relating to backing up files
Any clues?
I would backup any important files first
Try a System file check
Go to start>>run>>type in
sfc /scannow
Have your XP cd handy, just in case
Then try installing SP2
OR, try a repair on the system
Use the link and follow the directions closely
http://www.michaelstevenstech.com/XPrepairinstall.htm
-
I did the system file check and it came up with nothing. The error messages I get when installing SP2 are "SP2 setup could not backup registry value HKLM\software\microsoft\windows\currentversion\run, 'tabletwizard'. 5: access is denied". It then gave me the option to abort, retry or ignore. I chose to ignore. I then got the same message except with 'bluetoothauthenticationagent' instead of tablet wizard. I chose to ignore again. A short time later I got "sp2 access is denied" and the install stopped. I'll follow the link that you gave me and see what happens.
-
Are you controlling entries on startup?
That wouldn't be good if I can't see everything
Can you do the following please,
Download and save WinPFind.zip from http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip
UNZIP the contents to your desktop
Don't run it yet
RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter
In safe mode
Open the WinPFind folder you extracted to desktop
Double click on WinPFind.exe
Click START SCAN
This could take some time as it will scan your drive
Close out after
Go to start>>run>>type in msconfig
Hit OK
Under the Startup tab>>enable all
Under the General tab>>Select Normal startup
Apply it and close
Reboot back to Normal mode
Back in Windows
Post the results of the WinPFind.txt located in the WinPFind folder
-
I don't know what you mean when you say "are you controlling entries on startup?" I downloaded WinPFind and ran it in safe mode. When I ran msconfig the startup tab was already enabled and the general tab was already at normal setup. Here are the results from WinPFind.
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
UPX! 9/25/2003 3:20:04 AM 43391 C:\WINDOWS\browser.exe
UPX! 12/14/2005 10:42:22 PM 32910 C:\WINDOWS\n_arfalz.txt
UPX! 12/5/2005 12:47:56 AM 84660 C:\WINDOWS\n_bswlzp.dat
UPX! 12/16/2005 5:01:56 PM 32910 C:\WINDOWS\n_clearc.log
UPX! 6/16/2005 12:37:22 PM 84660 C:\WINDOWS\n_eruqgb.dat
UPX! 6/30/2005 9:16:18 AM 32910 C:\WINDOWS\n_furjxm.txt
UPX! 12/15/2005 1:43:52 PM 84642 C:\WINDOWS\n_futyio.log
UPX! 7/17/2005 4:59:34 PM 84642 C:\WINDOWS\n_gflvby.dat
UPX! 12/14/2005 8:40:58 PM 32910 C:\WINDOWS\n_ilpoey.txt
UPX! 6/4/2005 11:52:48 AM 84642 C:\WINDOWS\n_ituoof.log
UPX! 8/6/2005 6:42:30 AM 84642 C:\WINDOWS\n_jstpjt.log
UPX! 8/11/2005 3:28:16 PM 84642 C:\WINDOWS\n_orapuf.dat
UPX! 12/13/2005 5:44:22 PM 84642 C:\WINDOWS\n_prkmor.log
UPX! 12/13/2005 1:26:50 PM 32910 C:\WINDOWS\n_rlwnld.txt
UPX! 7/23/2005 5:35:42 PM 84642 C:\WINDOWS\n_rxofin.txt
UPX! 6/6/2005 10:53:12 AM 84642 C:\WINDOWS\n_szbnfi.log
UPX! 6/7/2005 12:46:14 PM 84642 C:\WINDOWS\n_uczkbl.dat
UPX! 6/12/2005 2:11:54 PM 84660 C:\WINDOWS\n_wpbduc.dat
UPX! 6/25/2005 7:03:08 AM 32892 C:\WINDOWS\n_wzdzzl.txt
UPX! 6/14/2005 5:54:40 AM 84660 C:\WINDOWS\n_yjikbf.log
UPX! 6/20/2005 1:03:54 PM 84642 C:\WINDOWS\n_ypnbvy.dat
UPX! 6/30/2005 4:38:18 PM 84660 C:\WINDOWS\n_zoyzcd.txt
Checking %System% folder...
UPX! 12/20/2005 6:21:38 AM 481280 C:\WINDOWS\SYSTEM32\aswBoot.exe
PEC2 8/16/2003 1:40:04 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 11/4/2005 4:27:24 PM 534280 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 12/7/2005 1:38:52 PM 2714976 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 12/7/2005 1:38:52 PM 2714976 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 8/15/2003 8:52:22 PM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/15/2003 8:41:44 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Umonitor 8/15/2003 8:52:22 PM 631808 C:\WINDOWS\SYSTEM32\_003788_.tmp.dll
Umonitor 8/15/2003 8:52:22 PM 631808 C:\WINDOWS\SYSTEM32\_004055_.tmp.dll
Checking %System%\Drivers folder and sub-folders...
Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
1/11/2006 9:01:26 PM S 2048 C:\WINDOWS\bootstat.dat
12/7/2005 10:04:38 PM HS 0 C:\WINDOWS\usuot.log
12/31/2005 12:27:02 AM H 0 C:\WINDOWS\inf\oem37.inf
11/22/2005 6:12:02 PM S 20273 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\kb905915-ie6sp1-20051122.175908.cat
12/1/2005 6:12:48 PM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
1/11/2006 9:01:44 PM H 1024 C:\WINDOWS\system32\config\default.LOG
1/11/2006 9:01:36 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
1/11/2006 9:01:44 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
1/11/2006 9:03:10 PM H 1024 C:\WINDOWS\system32\config\software.LOG
1/11/2006 9:01:50 PM H 1024 C:\WINDOWS\system32\config\system.LOG
1/8/2006 5:42:32 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
1/11/2006 5:16:32 PM S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
1/11/2006 5:16:32 PM S 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
11/21/2005 8:35:36 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\975c5b21-b843-4e26-8233-79a664e4b97a
11/21/2005 8:35:36 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
12/31/2005 12:27:08 AM RHS 13698 C:\WINDOWS\system32\Restore\filelist.xml
1/11/2006 8:59:32 PM H 6 C:\WINDOWS\Tasks\SA.DAT
Checking for CPL files...
Microsoft Corporation 8/15/2003 8:42:52 PM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 9/20/2004 3:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/15/2003 7:58:26 PM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/16/2003 1:40:12 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/15/2003 8:42:30 PM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/15/2003 8:07:34 PM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/15/2003 8:24:02 PM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/15/2003 7:49:54 PM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 4/2/2004 3:11:24 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/15/2003 7:49:58 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/15/2003 7:53:46 PM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/15/2003 7:57:52 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/15/2003 8:10:42 PM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/15/2003 8:21:28 PM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/15/2003 8:01:48 PM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 9/23/2004 5:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/15/2003 7:53:26 PM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/15/2003 8:04:26 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/15/2003 8:06:34 PM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/15/2003 8:42:52 PM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/15/2003 7:58:26 PM 578560 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 8/16/2003 1:40:12 AM 129024 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 8/15/2003 8:42:30 PM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/15/2003 8:07:34 PM 292352 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 8/15/2003 8:24:02 PM 121856 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/17/2001 10:37:02 PM 48128 C:\WINDOWS\SYSTEM32\dllcache\irprops.cpl
Microsoft Corporation 8/15/2003 7:49:54 PM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/15/2003 7:49:58 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/15/2003 7:53:46 PM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/15/2003 7:57:52 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/15/2003 8:10:42 PM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/15/2003 8:21:28 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/15/2003 8:01:48 PM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/15/2003 7:59:50 PM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 8/15/2003 7:53:26 PM 268288 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/15/2003 8:04:26 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/15/2003 8:06:34 PM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Intel Corporation 2/10/2004 7:53:24 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 2/10/2004 2:19:32 AM 14224384 C:\WINDOWS\SYSTEM32\ReinstallBackups\0016\DriverFiles\ALSNDMGR.CPL
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
9/29/2004 2:27:32 PM 1903 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
4/2/2004 1:55:28 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/2/2004 5:46:32 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
11/8/2004 5:12:00 PM H 0 C:\Documents and Settings\All Users\Application Data\hpothb07.dat
11/8/2004 5:12:00 PM H 0 C:\Documents and Settings\All Users\Application Data\hpothb07.tif
Checking files in %USERPROFILE%\Startup folder...
4/2/2004 1:55:28 PM HS 84 C:\Documents and Settings\kerry and colleen\Start Menu\Programs\Startup\desktop.ini
Checking files in %USERPROFILE%\Application Data folder...
4/2/2004 5:46:32 AM HS 62 C:\Documents and Settings\kerry and colleen\Application Data\desktop.ini
11/8/2004 5:09:54 PM H 0 C:\Documents and Settings\kerry and colleen\Application Data\hpothb07.dat
11/8/2004 5:09:54 PM H 0 C:\Documents and Settings\kerry and colleen\Application Data\hpothb07.tif
3/13/2005 6:45:54 PM 75771 C:\Documents and Settings\kerry and colleen\Application Data\tizinf.xml
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\system32\msdxm.ocx
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3369AF0D-62E9-4bda-8103-B4C75499B578}
ButtonText = AOL Toolbar :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 1/11/2006 9:12:24 PM
-
You have several unidentified files
Can you go to this site please
Give this site time to load
Jotti's Online Malware scan: http://virusscan.jotti.org/
Use the browse button and navigate to this file on your hard disk
C:\WINDOWS\browser.exe <--this file
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post the results of the scan back here please
Do the same for these files please
C:\WINDOWS\n_arfalz.txt
C:\WINDOWS\n_bswlzp.dat
C:\WINDOWS\n_clearc.log
Did you try the repair installation?
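As an added example, not part of the thread and not the WinPFind tool's own code: a small Python triage script that parses WinPFind hit lines of the form shown above and applies the reasoning behind "several unidentified files" (a packer signature on a .txt/.dat/.log, several differently named files sharing one size, packed files sitting directly in the Windows root). The log embedded in it is a constructed subset of the output posted above.

```python
"""WinPFind hit triage, written as an added example (not the thread's or the
WinPFind tool's own code).  WinPFind prints one line per file that matched a
packer or compiler signature:

    <signature> <m/d/yyyy> <h:mm:ss AM|PM> <bytes> <path>

The helper's reasoning in the thread is encoded as three heuristics so it can
be re-run over any WinPFind log rather than eyeballed.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample: a subset of the lines from the WinPFind log posted above.
SAMPLE_LOG = """\
Checking %WinDir% folder...
UPX! 9/25/2003 3:20:04 AM 43391 C:\\WINDOWS\\browser.exe
UPX! 12/14/2005 10:42:22 PM 32910 C:\\WINDOWS\\n_arfalz.txt
UPX! 12/5/2005 12:47:56 AM 84660 C:\\WINDOWS\\n_bswlzp.dat
UPX! 12/16/2005 5:01:56 PM 32910 C:\\WINDOWS\\n_clearc.log
UPX! 6/16/2005 12:37:22 PM 84660 C:\\WINDOWS\\n_eruqgb.dat
UPX! 12/15/2005 1:43:52 PM 84642 C:\\WINDOWS\\n_futyio.log
Checking %System% folder...
UPX! 12/20/2005 6:21:38 AM 481280 C:\\WINDOWS\\SYSTEM32\\aswBoot.exe
PEC2 8/16/2003 1:40:04 AM 41397 C:\\WINDOWS\\SYSTEM32\\dfrg.msc
PECompact2 12/7/2005 1:38:52 PM 2714976 C:\\WINDOWS\\SYSTEM32\\MRT.exe
aspack 12/7/2005 1:38:52 PM 2714976 C:\\WINDOWS\\SYSTEM32\\MRT.exe
Umonitor 8/15/2003 8:52:22 PM 631808 C:\\WINDOWS\\SYSTEM32\\_003788_.tmp.dll
"""


class Hit(NamedTuple):
    section: str    # the "Checking ... folder" block the line came from
    signature: str  # packer/compiler string WinPFind matched, e.g. "UPX!"
    date: str
    time: str
    size: int
    path: str


SECTION_RE = re.compile(r"^Checking (.+?) folder")
HIT_RE = re.compile(
    r"^(\S+) (\d{1,2}/\d{1,2}/\d{4}) (\d{1,2}:\d{2}:\d{2} [AP]M) (\d+) (.+)$")

# Extensions where a packer or compiler stub is at least plausible.
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".ocx", ".scr", ".cpl", ".msc", ".drv"}


def parse_winpfind(text: str) -> List[Hit]:
    hits: List[Hit] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1)
            continue
        m = HIT_RE.match(line)
        if m:
            sig, date, time, size, path = m.groups()
            hits.append(Hit(section, sig, date, time, int(size), path))
    return hits


def _ext(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def triage(hits: List[Hit]) -> Dict[str, object]:
    """Three signals, each returning full paths (deduplicated: WinPFind lists a
    file once per matching signature, e.g. MRT.exe above appears twice)."""
    # 1. A packer on a .txt/.dat/.log makes no sense for a real data file.
    packed_non_exec = sorted({h.path for h in hits if _ext(h.path) not in EXECUTABLE_EXTS})
    # 2. Differently named files with identical sizes look like one dropper's output.
    by_size: Dict[int, set] = defaultdict(set)
    for h in hits:
        by_size[h.size].add(h.path)
    size_clusters = {s: sorted(p) for s, p in by_size.items() if len(p) >= 2}
    # 3. Packed binaries directly in the Windows root rather than System32
    #    (browser.exe is an .exe, so signal 1 misses it; only a scanner can settle it).
    in_root = sorted({h.path for h in hits if h.section == "%WinDir%"})
    return {"packed_non_executable": packed_non_exec,
            "size_clusters": size_clusters,
            "packed_in_windows_root": in_root}


if __name__ == "__main__":
    for key, value in triage(parse_winpfind(SAMPLE_LOG)).items():
        print(key, value)
```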
-
Here are the results from the scan. Not sure if the 4th file is infected or not. I did not try the repair installation yet. It seems like it will take a while and I do not want to start it until I'm sure I will have the time to sit here and finish it.
File: browser.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.) (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 c675c46b9f4ba87de9da6551368945d6
Packers detected: UPX, AUTOIT
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing
File: n_arfalz.txt
Status: OK
MD5 83843f2135064dcccc664a5175a5e390
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing
File: n_bswlzp.dat
Status: OK
MD5 072ccc7c4a28924d1581792957bc34ef
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing
File: n_clearc.log
Status: POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definately accurate. Also, because of this, results of this scan will not be recorded in the database.)
MD5 25f7e1994c6defe706bfe82186e8b533
Packers detected: -
Scanner results
AntiVir Found Trojan/Dldr.Agent.bi.3
ArcaVir Found nothing
Avast Found Win32:Trojano-1654
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing
-
One of those files was found bad
Can you do the following, just to be safe
On your desktop, right click an empty spot and left click NEW>>Folder
Name it backups
Open the C:\WINDOWS folder
Can you right click on each of these files and CUT and PASTE them to the Backup folder
Don't just copy and paste them, we want to remove them from the Windows folder
FILES
n_arfalz.txt>>rename to n_arfalz.tx_
n_bswlzp.dat>>rename to n_bswlzp.da_
And so on
n_eruqgb.dat
n_furjxm.txt
n_futyio.log
n_gflvby.dat
n_ilpoey.txt
n_ituoof.log
n_jstpjt.log
n_orapuf.dat
n_prkmor.log
n_rlwnld.txt
n_rxofin.txt
n_szbnfi.log
n_uczkbl.dat
n_wpbduc.dat
n_wzdzzl.txt
n_yjikbf.log
n_ypnbvy.dat
n_zoyzcd.txt
You can delete n_clearc.log
Can you right click on any of the files in the backup folder and left click properties
Any info on what they're related to?
browser.exe, right click on it also, and click properties
Is there a Version tab? Do you know what it's related to?
Additionally, can you scan these 2 files at Jotti's please
C:\WINDOWS\SYSTEM32\_003788_.tmp.dll
C:\WINDOWS\SYSTEM32\_004055_.tmp.dll
If found bad delete them
Reboot the computer
I'm confused about this
"HKLM\software\microsoft\windows\currentversion\run,'tabletwizard'. 5: access is denied" it then gave me the option to abort, retry or ignore. I chose to ignore. I then got the same message except with 'bluetoothauthenticationagent'
Associated with BlueTooth software, designed to allow bluetooth mobile devices to authenticate to the computer, when connecting a PDA to your computer - necessary for the computer and the PDA to communicate.
tabletwizard
Microsoft Tablet PC Component
They don't appear in the logs or may be corrupt; do you have them installed, and can you uninstall the device software for now?
I would still opt to try a Repair install after the above
Afterwards, go directly and try and install SP1 for now from this link
Use the manual download
http://www.microsoft.com/windowsxp/downloads/updates/sp1/expresso.mspx
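The cut-and-paste-and-rename procedure above, as an added Python example that is not the helper's tool: it moves each listed file into a backup folder, blanks the last character of the extension (n_arfalz.txt becomes n_arfalz.tx_), records each file's MD5 and size in a manifest, and reports listed files that are already gone instead of failing. The demo() function runs it against a constructed temporary folder standing in for C:\WINDOWS.

```python
"""Quarantine helper, written as an added example for this thread (it is not
the helper's tool).  It does what the post above asks for by hand:
  * MOVE (not copy) each listed file out of the Windows folder,
  * neutralise the extension by replacing its last character with "_"
    (n_arfalz.txt -> n_arfalz.tx_) so nothing opens it by association,
  * keep a manifest with each file's MD5 and size (Jotti reports MD5, so a
    quarantined file can still be matched to a scan result later),
  * report listed files that are already gone instead of failing, since four
    of the listed files were missing in the thread.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List


def neutralised_name(filename: str) -> str:
    """n_arfalz.txt -> n_arfalz.tx_; a name with no extension just gets '_'."""
    stem, dot, ext = filename.rpartition(".")
    if not dot or not ext:
        return filename + "_"
    return f"{stem}.{ext[:-1]}_"


def md5_of(path: str) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(paths: List[str], backup_dir: str) -> Dict[str, list]:
    os.makedirs(backup_dir, exist_ok=True)
    moved, missing = [], []
    with open(os.path.join(backup_dir, "manifest.txt"), "a", encoding="utf-8") as mf:
        for src in paths:
            if not os.path.isfile(src):
                missing.append(src)
                continue
            digest, size = md5_of(src), os.path.getsize(src)
            base = os.path.join(backup_dir, neutralised_name(os.path.basename(src)))
            dst, n = base, 1
            while os.path.exists(dst):      # never overwrite an earlier quarantined copy
                dst = f"{base}.{n}"
                n += 1
            shutil.move(src, dst)
            mf.write(f"{digest} {size} {src} -> {dst}\n")
            moved.append({"src": src, "dst": dst, "md5": digest, "size": size})
    return {"moved": moved, "missing": missing}


def demo() -> Dict[str, object]:
    """Run against a constructed temporary folder standing in for C:\\WINDOWS."""
    root = tempfile.mkdtemp(prefix="fake_windows_")
    present = ["n_arfalz.txt", "n_bswlzp.dat"]
    for name in present:
        with open(os.path.join(root, name), "wb") as f:
            f.write(b"UPX!" + name.encode() * 40)  # constructed filler, not real content
    listed = [os.path.join(root, n) for n in present + ["n_eruqgb.dat"]]  # last one is absent
    result: Dict[str, object] = quarantine(listed, os.path.join(root, "backups"))
    result["left_in_root"] = sorted(n for n in os.listdir(root) if n != "backups")
    result["in_backups"] = sorted(os.listdir(os.path.join(root, "backups")))
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```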
-
Hey, I'm back. Sorry it took so long for me to reply, really busy lately. I still haven't been able to install SP2. I went to the Windows XP repair install web site where they say to use the XP CD, which I do not have. I have to go to my parents' house and see if I can find it. I did install SP1 though.
I created the backups folder on the desktop and cut and pasted the unidentified files that you listed. Not all of the files that you listed were in the Windows folder; it was missing 4 of them. I also deleted the infected file. There is really no information on them when I go to properties. All but 2 (33KB) are 83 KB in size. There are also the created and modified dates.
The browser.exe file has this information: Version 2.64.0.0, Description: Compiled AutoIt Script, Comments: third party compiled AutoIt script. I don't know what it is related to.
I scanned these 2 files with Jotti's: C:\WINDOWS\SYSTEM32\_003788_.tmp.dll and C:\WINDOWS\SYSTEM32\_004055_.tmp.dll. They came up clean.
About the 2 errors I get when installing SP2, I do not know what software the devices are related to.
Here is a fresh HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 3:57:59 AM, on 1/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\hjt\hijackthis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\system32\msdxm.ocx
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136010394515
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
-
I found some more info on your problem
Can you follow the instructions posted by Microsoft
It should be of some help
http://support.microsoft.com/default.aspx?scid=kb;en-us;873148&Product=windowsxpsp2
-
I installed SP2 with the help from your link. There are a few problems with it though. First, when I restart the computer I get a message stating "error loading AUNPS2.DLL The specific module could not be found." Then I also get "error loading c:\programfiles\wildtangent\apps\CDA\CDAengine0400.dll. The specific module could not be found." I just press OK at the prompts.
Also, when I go to the Windows Firewall in the Control Panel it states "Due to an unidentified problem, Windows cannot display firewall settings."
-
Can I see a new hijackthis log please
I want to get caught back up on this thread
Also,
Can you go to START>>Run>>Type in
services.msc
Look for this service name
Windows Firewall/Internet Connection Sharing (ICS)
Double click on it and start the service
In the drop-down menu, set it to Automatic
-
Went to services.msc and Windows Firewall/Internet Connection Sharing (ICS) was not on the list.
Here is a fresh HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 2:43:47 AM, on 1/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\hijackthis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [sysqk32.exe] C:\WINDOWS\sysqk32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [Rcv6UMxQ] C:\documents and settings\owner\local settings\temp\Rcv6UMxQ.exe
O4 - HKLM\..\Run: [b78b327add10] C:\WINDOWS\System32\catsrvut.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\WhoUP8s0.exe
O4 - HKLM\..\Run: [TizzleTalk] C:\Program Files\TizzleTalk\TizzleTalk.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [66og7v3s] C:\Program Files\66og7v3s\66og7v3s.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rvkkln.exe
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [zbkyybvo] c:\windows\system32\zbkyybvo.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Hrgfjg.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Wwutsu.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteovy32.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136010394515
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
-
This looks like a completely different log
What happened?
Some more cleaning, but we're just about there
Don't worry about the errors on startup right now, we'll fix that in a bit
Good thing is I don't see anything bad in the running processes
EDIT>>I need you to do this also, if you haven't started already
From the bottom of this reply box, download>>Save share.zip and then UNZIP it to the desktop,
so you now have share.reg extracted to the desktop.
We'll need this in a bit
Can you make sure you do updates with Ad-Aware
Run a full scan and fix all Criticals as instructed before
==Double click on share.reg and allow to add/merge to the registry
Restart the computer afterwards
Back in Windows
Check to see if the firewall is running and enabled
Go to services.msc>>Ensure it's set to Auto and started
Access the windows Control panel and double click to open Windows Firewall
Ensure it's ON
Check for updates with Spybot 1.4
Fix everything in RED
Reboot the computer if anything in Red was fixed
Check for updates with Ewido and do a complete system scan
Save a report to the desktop when done
Back in Windows
Do another scan with Hijackthis and put a check next to these entries:
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [WildTangent CDA] RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [sysqk32.exe] C:\WINDOWS\sysqk32.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [tibs3] C:\WINDOWS\System32\tibs3.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [SAHAgent] C:\WINDOWS\System32\SahAgent.exe
O4 - HKLM\..\Run: [Rcv6UMxQ] C:\documents and settings\owner\local settings\temp\Rcv6UMxQ.exe
O4 - HKLM\..\Run: [b78b327add10] C:\WINDOWS\System32\catsrvut.exe
O4 - HKLM\..\Run: [2P6WFAX43ZHE7C] C:\WINDOWS\System32\WhoUP8s0.exe
O4 - HKLM\..\Run: [TizzleTalk] C:\Program Files\TizzleTalk\TizzleTalk.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [SurfSideKick 2] C:\Program Files\SurfSideKick 2\Ssk.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [66og7v3s] C:\Program Files\66og7v3s\66og7v3s.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\rvkkln.exe
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [zbkyybvo] c:\windows\system32\zbkyybvo.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Hrgfjg.exe
O4 - HKLM\..\Run: [secure] C:\WINDOWS\System32\Wwutsu.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteovy32.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow up to "Standard CleanUp!"
Click OK
Press the CleanUp! button to start the program.
Reboot the computer when it's done
Come back here and post a fresh hijackthis log and the new report from Ewido
Also, do the following again
open Hijackthis>>Open Misc tools section>>Open uninstaller manager
Click the SAVE LIST button>>Save the list to desktop and then copy and paste the info back here
I edited some of my above instructions right after I posted; if you started before I edited, please take another look and do what you missed.
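The helper's routine above is: fix a list of O4 entries in HijackThis, reboot, then post a fresh log so the helper can confirm they are gone. The script below is an added example for this thread, not HijackThis code and not something the helper posted: it parses logs in the v1.99.1 format shown above, diffs the O4 (registry Run) entries between two scans, reports which of the requested fixes survived, and flags any autorun that launches from a temp directory (the pattern behind entries such as Rcv6UMxQ.exe and salm.exe in the log). The two sample logs and the REQUESTED_FIXES list are constructed, trimmed-down stand-ins for the 1/20 and 1/21 logs in this thread; the line format is assumed from those logs.

```python
"""Check HijackThis O4 autorun entries across two logs (added example, not HijackThis code)."""
import re

# Constructed sample "before" log, shaped like the 1/20/2006 log in the thread.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 2:43:47 AM, on 1/20/2006
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [sysqk32.exe] C:\WINDOWS\sysqk32.exe
O4 - HKLM\..\Run: [Rcv6UMxQ] C:\documents and settings\owner\local settings\temp\Rcv6UMxQ.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

# Constructed sample "after" log: two flagged entries are gone, one survived the fix.
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 1:22:15 AM, on 1/21/2006
Running processes:
C:\WINDOWS\System32\smss.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [salm] c:\temp\salm.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

# Constructed: the full lines a helper pasted as "put a check next to these entries".
REQUESTED_FIXES = [
    r"O4 - HKLM\..\Run: [sysqk32.exe] C:\WINDOWS\sysqk32.exe",
    r"O4 - HKLM\..\Run: [salm] c:\temp\salm.exe",
]

# Every HijackThis finding starts with a section code (R0, R1, O2, O4, O16, O23, ...).
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.*)$")
# O4 registry Run entries: hive, value name in brackets, then the command line.
O4_RUN_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Directories from which no legitimate autorun in these logs launches (compared lower-cased).
TEMP_DIR_MARKERS = ("\\local settings\\temp\\", "c:\\temp\\", "\\windows\\temp\\")


def parse_log(text):
    """Group a log's findings by section code, keeping the order in which they appear."""
    entries = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.setdefault(m["code"], []).append(m["body"])
    return entries


def parse_o4(body):
    """Split an O4 Run entry into hive, value name and command; None for other O4 lines."""
    m = O4_RUN_RE.match(body)
    return m.groupdict() if m else None


def flag_temp_autoruns(text):
    """Value names of O4 Run entries whose program lives in a temporary directory."""
    flagged = []
    for body in parse_log(text).get("O4", []):
        parsed = parse_o4(body)
        if parsed and any(mark in parsed["cmd"].lower() for mark in TEMP_DIR_MARKERS):
            flagged.append(parsed["name"])
    return flagged


def removed_entries(before_text, after_text, code="O4"):
    """Entries of one section present in the earlier log but absent from the later one."""
    after = set(parse_log(after_text).get(code, []))
    return [body for body in parse_log(before_text).get(code, []) if body not in after]


def still_present(after_text, requested):
    """Which of the full O4 lines a helper asked to fix survive in the follow-up log."""
    current = {"O4 - " + body for body in parse_log(after_text).get("O4", [])}
    return [line for line in requested if line.strip() in current]


if __name__ == "__main__":
    print("autoruns from temp dirs (before):", flag_temp_autoruns(BEFORE_LOG))
    print("O4 entries removed between scans:", removed_entries(BEFORE_LOG, AFTER_LOG))
    print("requested fixes still present:", still_present(AFTER_LOG, REQUESTED_FIXES))
```

Run against real logs, `still_present` is the check the helper performs by eye: an empty list means every requested O4 entry was fixed, and anything left (here `[salm]`) is a candidate for a program that re-creates its Run value at boot, which is exactly what the thread's repeated cleaning rounds are chasing.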
-
Ran share.reg, also Spybot, CleanUp and Ewido. Here's the HJT log and uninstall list along with the Ewido report. Also the firewall is up and running.
Logfile of HijackThis v1.99.1
Scan saved at 1:22:15 AM, on 1/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\hijackthis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136010394515
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 1:09:35 AM, 1/21/2006
+ Report-Checksum: FA770021
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{2C4E6D22-B71F-491F-AAD3-B6972A650D50} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{310CC549-4541-46A9-940F-52B342A6E682} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{BBF122A7-8A4D-45B5-9E00-0F68BC87C904} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{CAE0999F-78C5-49DC-9F30-13142AAAABA4} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{365B9A54-E613-46E5-9DB1-4F91A9DE80BD} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{618BE527-B7F5-417C-BC51-98FDC2D6DE61} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{66C22569-F05C-4A70-A142-763B337E1002} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{7B8BD940-B1EF-460C-85A2-9ACAAF7F9303} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{99AA88D1-D9D3-410A-BE9E-044F94C183DA} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{C380566D-F343-42AB-987B-6B38A1A35747} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{D1951679-1D52-43FC-9585-0737143585F5} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{F273D4EA-2025-4410-8408-251A0CD46BE7} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginConfig -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginDown -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginDownAdd -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginEvents -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginInst -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginServer -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.ToolbarScript -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TypeLib\{B23B3ADD-84B1-414A-92B9-0CABE5A781F4} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Toolbar -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Files -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Install -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\PlugIns -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Server -> Spyware.WebSearch : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\TBPSSvc -> Spyware.WebSearch : Error during cleaning
C:\Documents and Settings\kerry and colleen\Cookies\kerry and [email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
::Report End
Ad-Aware SE Personal
Adobe Reader 6.0.1
Agere Systems PCI Soft Modem
avast! Antivirus
CleanUp!
Compaq Connections
EPSON Printer Software
ewido anti-malware
Google Toolbar for Internet Explorer
HijackThis 1.99.1
HP Memories Disc
HP Photo and Imaging 2.0 - Photosmart Cameras
I.E. Host
iPod for Windows 2005-09-06
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
Lavasoft VX2 Cleaner
Microsoft .NET Framework 1.1
Microsoft Office Standard Edition 2003
Microsoft Word Viewer 97
Microsoft Works 7.0
Napster
Napster Burn Engine
QuickTime
RecordNow!
S3 S3Display
S3 S3Gamma2
S3 S3Info2
S3 S3Overlay
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB912919)
Sonic Update Manager
Spy Sweeper
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Tweakui Powertoy for Windows XP
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
USB Storage Driver
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
-
Access your Add/Remove Programs via the Control Panel
Remove I.E. Host
You can also remove
Java 2 Runtime Environment, SE v1.4.2_03
as you have the latest version installed
Reboot the computer
Can you do the following again, I want to see if this will add to the registry now
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box to notepad, not including the word "code"
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg
Save this file on the desktop
Be sure to include everything from REGEDIT4 down in the code box
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\AVAST4\\ashDisp.exe"
Double click on fix.reg and allow to add to the registry
Not sure why Ewido keeps pegging spyware IBIS and Websearch
The tool from Symantec should have cleaned out most/all of it
Can you run FxWebsch.exe from Symantec's and see if it finds anything please
Additionally, I see you have Spysweeper installed
Is it still capable of updating?
Or did you try uninstalling it?
Can you do the following please only if Spysweeper is still installed
In SpySweeper
Click on Options > Sweep Options and check Sweep all Folders on Selected drives
Ensure Local Disk C is checked
Under What to Sweep, check every box.
Click on Sweep and allow it to fully scan your system.
When the sweep has finished, click Remove. Click Select All and then Next
From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.
When prompted, allow Spy Sweeper to restart your computer
or restart the computer anyway
Back in Windows
I need to see these 2 logs
Copy and paste the SpySweeper log together with a fresh hijackthis log into this thread.
-
I removed I.E. Host along with Java 2. I also merged fix.reg into the registry. FxWebsearch found nothing. I ran SpySweeper; it was unable to update though. Here are the logs that you requested.
05:11 PM: |··· Start of Session, Sunday, 22 January 2006 ···|
05:11 PM: Spy Sweeper 3.0.0 (Build 129) started
05:22 PM: Sweep initiated using definitions version 507
05:22 PM: Sweeping memory for active spyware.
05:22 PM: Memory sweep has completed. Elapsed time 00:00:05
05:22 PM: Registry sweep initiated.
05:22 PM: Found: 18 Agent.ay Downloader registry traces.
05:22 PM: Found: 6 CWS_Hotoffers_DesktopHijacker registry traces.
05:22 PM: Found: 36 IEPlugin registry traces.
05:22 PM: Found: 28 Trojan-Downloader-BQAdSearch registry traces.
05:22 PM: Found: 6 Trojan-Downloader-WinShow registry traces.
05:22 PM: Found: 12 Trojan_Downloader_Tibser registry traces.
05:22 PM: Found: 1 CWS_youriskalka.com Hijack registry traces.
05:22 PM: Found: 18 TvMedia registry traces.
05:22 PM: Found: 1 www.oneclicksearches.com Hijack registry traces.
05:22 PM: Found: 27 WebSearch Toolbar registry traces.
05:22 PM: Found: 20 CWS_NS3 registry traces.
05:22 PM: Found: 6 CWS_TINY0 registry traces.
05:22 PM: Registry sweep completed. Elapsed time 00:00:11
05:22 PM: Full sweep on all local drives initiated.
05:22 PM: Now sweeping drive C:
05:23 PM: Found Cookie: DomainSponsor Cookie, version 1, c:\documents and settings\kerry and colleen\cookies\kerry and [email protected][1].txt
05:25 PM: Found Adware: Security iGuard, version 1, c:\windows\help\chmhelp.chm
05:29 PM: Found: 2 file traces.
05:29 PM: Full Sweep has completed. Elapsed time 00:07:29
38,549 files swept
181 spyware traces located
05:30 PM: Removal process initiated
05:30 PM: Quarantining: Agent.ay Downloader
05:33 PM: Registry: HKEY_CLASSES_ROOT\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}
05:33 PM: Registry: HKEY_LOCAL_MACHINE\software\classes\clsid\{9ce68f0e-3b07-594f-b8a7-c0c9044ed9d4}\data
14 items (179 traces) quarantined.
Logfile of HijackThis v1.99.1
Scan saved at 5:39:01 PM, on 1/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\AVAST4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\hijackthis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\AVAST4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136010394515
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
-
It seems we're having better luck cleaning the registry now
I would do the following; SpySweeper appears to have cleaned out some reg. entries
But it is terribly out of date
I suggest that you access your add/remove programs and remove it
Reboot later
This may be the reason for our interference
We have updated tools on your computer,
Can you post a fresh hijackthis log after you uninstall it please
Let me know how things are running
Just some minor cleanup to do
-
SpySweeper will not uninstall. When I go to Add/Remove Programs it says that the uninstaller does not exist. So I went to the SpySweeper program in the Webroot folder to try and use the uninstaller icon, but it still will not work. The icon is there, but it says that it does not exist. Here is a fresh HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 3:42:09 AM, on 1/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\AVAST4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\hijackthis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\AVAST4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136010394515
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
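Comparing the 1/22 and 1/23 logs above by eye is how a helper spots what came and went between posts (here, the QuickTime Task autorun). As an added example, not HijackThis code and not posted by anyone in this thread, the script below parses HijackThis v1.99.1 logs, diffs two of them, and flags the entries a helper looks at first; LOG_0122 and LOG_0123 are constructed, trimmed excerpts of the two logs posted above.

```python
"""Parse and diff HijackThis v1.99.1 logs.

Added example for this thread, not HijackThis code and not posted by anyone here.
LOG_0122 / LOG_0123 are constructed, trimmed excerpts of the 1/22 and 1/23 logs.
"""
import re
from dataclasses import dataclass, field

# An entry line is "<code> - <body>", e.g. "O4 - HKLM\..\Run: [avast!] C:\...".
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.*)$")

LOG_0122 = r"""Logfile of HijackThis v1.99.1
Scan saved at 5:39:01 PM, on 1/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\hjt\hijackthis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\AVAST4\ashDisp.exe
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

LOG_0123 = r"""Logfile of HijackThis v1.99.1
Scan saved at 3:42:09 AM, on 1/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\hjt\hijackthis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\AVAST4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /0
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""


@dataclass
class HjtLog:
    platform: str = ""
    processes: set = field(default_factory=set)   # lower-cased image paths
    entries: set = field(default_factory=set)     # full "O4 - ..." lines
    flagged: list = field(default_factory=list)   # lines a helper reads first


def flag_entry(log, code, body):
    """Heuristics a helper applies by eye: a service whose binary is gone,
    and an IE page value left blank (either reset by a fix or cleared)."""
    if "(file missing)" in body:
        log.flagged.append(f"{code}: binary missing -> {body}")
    if code == "R0" and body.rstrip().endswith("="):
        log.flagged.append(f"{code}: blank IE page value -> {body}")


def parse_hjt(text):
    """Split a HijackThis log into running processes and configuration entries."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Platform:"):
            log.platform = line.split(":", 1)[1].strip()
        elif line == "Running processes:":
            in_processes = True
        elif in_processes and not ENTRY_RE.match(line):
            log.processes.add(line.lower())   # NTFS paths are case-insensitive
        else:
            in_processes = False              # first R/F/N/O line ends the list
            m = ENTRY_RE.match(line)
            if m:
                log.entries.add(line)
                flag_entry(log, m.group(1), m.group(2))
    return log


def diff_logs(old, new):
    """Return what appeared and what disappeared between two parsed logs."""
    return {
        "processes_added": sorted(new.processes - old.processes),
        "processes_removed": sorted(old.processes - new.processes),
        "entries_added": sorted(new.entries - old.entries),
        "entries_removed": sorted(old.entries - new.entries),
    }


if __name__ == "__main__":
    old, new = parse_hjt(LOG_0122), parse_hjt(LOG_0123)
    for key, items in diff_logs(old, new).items():
        for item in items:
            print(f"{key}: {item}")
    for item in new.flagged:
        print("flagged:", item)
```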
-
Very sorry for the delay
I don't even think you can download that version of SpySweeper to replace the uninstaller
Can you try the following
Download and UNZIP this free registry cleaner
RegSeeker 1.45
http://www.hoverdesk.net/freeware.htm
Open SpySweeper
Open it, click >Options over to the left, then >Program Options, >Uncheck "load at windows startup".
Over to the left click "shields" and uncheck all there.
Uncheck "home page shield".
Uncheck "automatically restore default without notification".
Open your taskmanager and end the process on
SpySweeper.exe
Open the RegSeeker Folder and double click on RegSeeker.exe
Click on "Install Applications" in the left menu
Highlight SpySweeper and choose Delete
See if it will uninstall
If not, we could try to manually uninstall SpySweeper, but this may leave lots behind
We could try installing the newer trial version over top of your old version and then try uninstalling it
But if we go this route, we won't uninstall it yet, may as well use it first
-
Tried using RegSeeker to uninstall SpySweeper. Would not work. I ran HouseCall earlier today and it found a few more viruses. I still have my old Defender Pro antivirus CD. I don't use it b/c a friend of mine says it takes up too much space on a computer. Should I install it if I can?
-
Not sure if this is related to what we are trying to do here, but I hope it is. I ran Ad-Aware a little while ago to see what it would find, and an avast screen pops up saying that a virus was found. So I delete the file and I restart the computer. I run Ad-Aware again and up pops the same avast screen with another virus in the same location deep within my C drive. It is in a file called AAWTMP. I select delete again and restart my computer. I go to My Computer to where this file is supposedly located and find nothing. So I run Ad-Aware again and I get a virus in the same location again. I don't do anything, but I go back to My Computer to look for the file again and there it is, where I just looked! I scan the AAWTMP folder with avast and a virus is found. I press delete and a screen pops up saying virus cannot be found. So I start Killbox and select the AAWTMP file to be deleted. It deletes the file and I restart. But the virus is still present. It changes to a different name every time and is hidden until found by avast. What can I do about this? I hate computers.
Here is a fresh HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 6:15:38 AM, on 1/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\AVAST4\ashDisp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\hijackthis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\AVAST4\ashDisp.exe
O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136010394515
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
-
It sounds like something is residing in the temp folders
Can you give me the location please?
Before you do, please do the following
RESTART your Computer into SAFE MODE
You can do this by tapping the F8 key as the system is restarting, just before Windows loads
Choose Safe mode from the startup menu and hit Enter
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Standard CleanUp!"
Click OK
Press the CleanUp! button to start the program.
When it's done reboot back to Normal mode
Download and install Spy Sweeper 4.5 (http://www.download.com/Webroot-Spy-Sweeper/3000-8022_4-10405877.html)
Ensure to install to the old directory of
C:\Program Files\Webroot
Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper)
You will be prompted to check for updated definitions, please do so.
(This may take several minutes)
In SpySweeper
Click on Options > Sweep Options and check Sweep all Folders on Selected drives
Ensure Local Disk C is checked
Under What to Sweep, check every box.
Click on Sweep and allow it to fully scan your system.
When the sweep has finished, click Remove. Click Select All and then Next
From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.
When prompted, allow Spy Sweeper to restart your computer
or restart the computer anyway
Back in Windows
Please post the new SpySweeper log
-
The location of the file is c:\documentsandsettings\kerryandcolleen\localsettings\temp\AAWTMP
Here is the SpySweeper log.
********
12:04 AM: | Start of Session, Thursday, January 26, 2006 |
12:04 AM: Spy Sweeper started
12:04 AM: Sweep initiated using definitions version 605
12:04 AM: Starting Memory Sweep
12:06 AM: Memory Sweep Complete, Elapsed Time: 00:02:10
12:06 AM: Starting Registry Sweep
12:06 AM: Found Adware: websearch toolbar
12:06 AM: HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\ (7 subtraces) (ID = 146518)
12:06 AM: HKLM\software\toolbar\ (4 subtraces) (ID = 646240)
12:06 AM: Found Adware: cws_ns3
12:06 AM: HKCR\clsid\{ee60feae-009f-5e4a-fb06-eb54ef18c29e}\ (2 subtraces) (ID = 888308)
12:06 AM: Found Adware: cws_tiny0
12:06 AM: HKCR\clsid\{9adc5b7c-f0fa-a733-e146-85ce8933dc68}\ (2 subtraces) (ID = 980881)
12:06 AM: HKLM\software\classes\clsid\{9adc5b7c-f0fa-a733-e146-85ce8933dc68}\ (2 subtraces) (ID = 980889)
12:06 AM: HKCR\clsid\{60fc6862-9261-c47d-0f11-1c5e5c1b1dd6}\ (2 subtraces) (ID = 1107842)
12:06 AM: HKLM\software\classes\clsid\{60fc6862-9261-c47d-0f11-1c5e5c1b1dd6}\ (2 subtraces) (ID = 1107846)
12:06 AM: Registry Sweep Complete, Elapsed Time:00:00:07
12:06 AM: Starting Cookie Sweep
12:06 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
12:06 AM: Starting File Sweep
12:06 AM: alcxmntr.exe:qebzeu (ID = 56287)
12:07 AM: Warning: Failed to open file "c:\windows\". The system cannot find the path specified
12:07 AM: agrsmdel.exe:yejtkj (ID = 56601)
12:12 AM: Warning: Failed to open file "c:\windows\". The system cannot find the path specified
12:19 AM: Found Adware: webhancer
12:19 AM: ntsautodial.ini (ID = 188794)
12:19 AM: Warning: Unhandled Archive Type
12:23 AM: Warning: Invalid Stream
12:23 AM: Warning: Invalid Stream
12:23 AM: Warning: Invalid Stream
12:23 AM: Warning: Invalid Stream
12:23 AM: Warning: Invalid Stream
12:23 AM: Warning: Invalid Stream
12:23 AM: Warning: Invalid Stream
12:23 AM: Warning: Invalid Stream
12:23 AM: Warning: Invalid Stream
12:23 AM: Warning: Invalid Stream
12:24 AM: Warning: Invalid Stream
12:24 AM: File Sweep Complete, Elapsed Time: 00:17:44
12:24 AM: Full Sweep has completed. Elapsed time 00:20:04
12:24 AM: Traces Found: 31
12:25 AM: Removal process initiated
12:25 AM: Quarantining All Traces: cws_ns3
12:25 AM: Quarantining All Traces: websearch toolbar
12:25 AM: websearch toolbar is in use. It will be removed on reboot.
12:25 AM: HKLM: software\toolbar\ is in use. It will be removed on reboot.
12:25 AM: Quarantining All Traces: cws_tiny0
12:25 AM: Quarantining All Traces: webhancer
12:25 AM: Removal process completed. Elapsed time 00:00:33
********
12:02 AM: | Start of Session, Thursday, January 26, 2006 |
12:02 AM: Spy Sweeper started
12:03 AM: Your spyware definitions have been updated.
12:04 AM: | End of Session, Thursday, January 26, 2006 |
-
the location of the file is c:\documentsandsettings\kerryandcolleen\localsettings\temp\AAWTMP
If you ran CleanUp! with the instructions I supplied earlier, the file should be gone now
I'm just on my way to bed
Can you do the additional please
Delete About:Buster and its folder
Re-Download About:Buster.zip (http://www.malwarebytes.org/ccount/click.php?id=1)
and UNZIP the contents to desktop
Again, I would check for updates with both Ewido and Ad-Aware
Reboot to safe mode
Try running About:Buster.exe again
Also run the updated scans with Ewido and Ad-Aware
Reboot back to Normal mode
Post back a fresh hijackthis log
Let me know how things are running
-
LOG REMOVED
Please start your own post
-
I ran CleanUp! twice with your instructions, but the virus is still present in that same folder. I also deleted my About:Buster and redownloaded it. I ran it in safe mode and got the same "overflow" error. I also ran Ewido and Ad-Aware in safe mode. Ewido came up with the same 29 files it always finds. Ad-Aware came up with nothing. It's only when I'm in normal mode that the avast virus found screen comes up when running Ad-Aware. Here is a fresh HJT log.
Logfile of HijackThis v1.99.1
Scan saved at 5:04:24 AM, on 1/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\ALWILS~1\AVAST4\ashDisp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hjt\hijackthis.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [UpdateManager] "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [EPSON Stylus CX5200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\AVAST4\ashDisp.exe
O4 - HKLM\..\Run: [CMPDPSRV] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Compaq Connections.lnk = C:\Program Files\Compaq Connections\1940576\Program\BackWeb-1940576.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136010394515
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
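As an added example (not code from this thread, from HijackThis or from any of the tools mentioned in it), here is a small Python triage of the O4, O16 and O23 line formats seen in the log above. The sample lines are constructed from entries of the same shape as those in the log; the check names (o4_bare_name, o23_unknown_owner, o23_file_missing, o16_hosts) are my own. It flags Run entries that give only a bare program name, services with no publisher, services HijackThis reports as "(file missing)", and the hosts ActiveX controls were fetched from. Note that the running-processes list above shows both avast! scanners alive while O23 reports their files missing: the stray quote in those two command lines trips the log's parser, so the flag is a prompt to verify on disk, not proof of a missing binary.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample in HijackThis v1.99 log format. The entries mirror the
# kind of O4, O16 and O23 lines in the log posted above and are embedded
# here so the script runs offline.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\AVAST4\ashDisp.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136010394515
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
"""

# O4 registry Run entries: "O4 - HKLM\..\Run: [name] command"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O16 downloaded ActiveX controls: "O16 - DPF: {CLSID} (optional name) - URL"
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)")
# O23 services: "O23 - Service: name - owner - path [ (file missing)]"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")


def executable_from(command: str) -> str:
    """Strip quotes and arguments from a Run/Service command line, leaving the program path."""
    m = re.match(r'^"?(?P<exe>.*?\.(?:exe|dll|sys|com|bat))\b', command.strip(), re.IGNORECASE)
    return m.group("exe") if m else command.strip().strip('"')


def triage(log: str) -> Dict[str, List[str]]:
    """Pull out the entries a reviewer checks first in a HijackThis log.

    o4_bare_name:      Run entries that name a program without a directory, so
                       which file actually starts depends on the PATH search and
                       cannot be verified from the log alone.
    o23_unknown_owner: services whose binary carries no publisher information.
    o23_file_missing:  services whose binary HijackThis could not locate; check
                       on disk, since a quoted command line with arguments (as
                       in the avast! entries above) produces this flag too.
    o16_hosts:         sites from which ActiveX controls were downloaded.
    """
    findings: Dict[str, List[str]] = {
        "o4_bare_name": [], "o23_unknown_owner": [], "o23_file_missing": [], "o16_hosts": []
    }
    for raw in log.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            if "\\" not in executable_from(m.group("cmd")):
                findings["o4_bare_name"].append(m.group("name"))
        elif m := O23_RE.match(line):
            if m.group("owner") == "Unknown owner":
                findings["o23_unknown_owner"].append(m.group("name"))
            if m.group("missing"):
                findings["o23_file_missing"].append(m.group("name"))
        elif m := O16_RE.match(line):
            host = urlsplit(m.group("url")).hostname
            if host and host not in findings["o16_hosts"]:
                findings["o16_hosts"].append(host)
    return findings


if __name__ == "__main__":
    for check, items in triage(SAMPLE_LOG).items():
        print(f"{check}: {items}")
```

Feed it a whole saved log instead of SAMPLE_LOG and the lists become the first things to confirm by hand: locate each bare-named program, look up the publisher of each unknown-owner service, and check that each "file missing" path really is absent.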
-
Please make sure the realtime protections of SpySweeper are disabled
That file is in your temp folder
That error you're getting with About:Buster is being looked into by the developer of the fix
No solution yet I don't believe
Can you do the following please
Download and UNZIP to your desktop from the bottom of this reply box
CWSserviceremove.zip, so you now have cwsserviceremove.reg extracted
Set Windows To Show Hidden Files and Folders
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Uncheck the Hide Extensions for known file types
* Click Yes to confirm.
* Click OK.
Reboot back to safe mode
Manually navigate to, and delete, the WHOLE contents of the temp folders (including sub-folders)
Do not delete the temp directories themselves
# C:\Windows\Temp\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
# C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
Run CleanUp! again in safe mode
Double click on cwsserviceremove.reg and allow to add/merge to the registry
Open RegSeeker.exe
Click on "Clean the registry" in the left menu
Hit OK
Let it finish scanning and then ensure Backup before deletion is checked
Choose "Select all"
Right click and Delete all selected
Open Hijackthis>>Open Misc tools>>Open ADS Spy...
Click on SCAN, when it's done save the log to your desktop
Reboot back to Normal mode
Post the log from ADS Spy please
-
Deleted all files in temp and temporary internet folders, although 2 would not delete b/c the files were in use. Ran CleanUp and merged cwsserviceremove.reg. Also ran RegSeeker. Here is the ADS Spy log. Just ran Ad-Aware again and the virus is still there.
C:\WINDOWS\_detmp.2 : aagjuq (11736 bytes)
C:\WINDOWS\_detmp.2 : aaqmhk (0 bytes)
C:\WINDOWS\_detmp.2 : abclxy (0 bytes)
C:\WINDOWS\_detmp.2 : abfcuh (0 bytes)
C:\WINDOWS\_detmp.2 : accrny (0 bytes)
C:\WINDOWS\_detmp.2 : acrarp (0 bytes)
C:\WINDOWS\_detmp.2 : aeayez (11736 bytes)
C:\WINDOWS\_detmp.2 : aefkgw (0 bytes)
C:\WINDOWS\_detmp.2 : aeinmg (0 bytes)
C:\WINDOWS\_detmp.2 : aeutkn (0 bytes)
C:\WINDOWS\_detmp.2 : afczin (0 bytes)
C:\WINDOWS\_detmp.2 : afrime (0 bytes)
C:\WINDOWS\_detmp.2 : agaube (0 bytes)
C:\WINDOWS\_detmp.2 : agauzv (0 bytes)
C:\WINDOWS\_detmp.2 : ahjsin (0 bytes)
C:\WINDOWS\_detmp.2 : ahuhuc (0 bytes)
C:\WINDOWS\_detmp.2 : ahvjfw (0 bytes)
C:\WINDOWS\_detmp.2 : ahxkbl (0 bytes)
C:\WINDOWS\_detmp.2 : aizolz (11152 bytes)
C:\WINDOWS\_detmp.2 : ajckmh (0 bytes)
C:\WINDOWS\_detmp.2 : ajfvsr (0 bytes)
C:\WINDOWS\_detmp.2 : ajqtqy (0 bytes)
C:\WINDOWS\_detmp.2 : ajtwwi (0 bytes)
C:\WINDOWS\_detmp.2 : akejwf (0 bytes)
C:\WINDOWS\_detmp.2 : akpatw (0 bytes)
C:\WINDOWS\_detmp.2 : amcszw (0 bytes)
C:\WINDOWS\_detmp.2 : amfvfg (0 bytes)
C:\WINDOWS\_detmp.2 : amrbcn (0 bytes)
C:\WINDOWS\_detmp.2 : amuejx (0 bytes)
C:\WINDOWS\_detmp.2 : anoqee (0 bytes)
C:\WINDOWS\_detmp.2 : anouyu (11152 bytes)
C:\WINDOWS\_detmp.2 : aokbck (4870 bytes)
C:\WINDOWS\_detmp.2 : aomlvm (0 bytes)
C:\WINDOWS\_detmp.2 : aoxcrv (0 bytes)
C:\WINDOWS\_detmp.2 : apbnme (0 bytes)
C:\WINDOWS\_detmp.2 : apgyrt (0 bytes)
C:\WINDOWS\_detmp.2 : apjjxd (0 bytes)
C:\WINDOWS\_detmp.2 : apuatm (0 bytes)
C:\WINDOWS\_detmp.2 : apuszm (0 bytes)
C:\WINDOWS\_detmp.2 : apzbct (0 bytes)
C:\WINDOWS\_detmp.2 : arjrna (9237 bytes)
C:\WINDOWS\_detmp.2 : arncqn (0 bytes)
C:\WINDOWS\_detmp.2 : asrmdh (0 bytes)
C:\WINDOWS\_detmp.2 : atehuh (11736 bytes)
C:\WINDOWS\_detmp.2 : atqubp (0 bytes)
C:\WINDOWS\_detmp.2 : aulnfd (11736 bytes)
C:\WINDOWS\_detmp.2 : aunjvf (0 bytes)
C:\WINDOWS\_detmp.2 : aurjcz (0 bytes)
C:\WINDOWS\_detmp.2 : auxoly (9237 bytes)
C:\WINDOWS\_detmp.2 : auzpan (0 bytes)
C:\WINDOWS\_detmp.2 : avqlmc (11152 bytes)
C:\WINDOWS\_detmp.2 : awiuoe (0 bytes)
C:\WINDOWS\_detmp.2 : awxvqx (0 bytes)
C:\WINDOWS\_detmp.2 : axcojl (0 bytes)
C:\WINDOWS\_detmp.2 : axneiv (0 bytes)
C:\WINDOWS\_detmp.2 : axrhzm (0 bytes)
C:\WINDOWS\_detmp.2 : axrpnc (0 bytes)
C:\WINDOWS\_detmp.2 : ayoric (11736 bytes)
C:\WINDOWS\_detmp.2 : azqhoj (4870 bytes)
C:\WINDOWS\_detmp.2 : azybmw (0 bytes)
C:\WINDOWS\_detmp.2 : babdet (0 bytes)
C:\WINDOWS\_detmp.2 : baovaa (0 bytes)
C:\WINDOWS\_detmp.2 : bavxst (11736 bytes)
C:\WINDOWS\_detmp.2 : bazmxj (0 bytes)
C:\WINDOWS\_detmp.2 : bblsur (0 bytes)
C:\WINDOWS\_detmp.2 : bbvxvz (11152 bytes)
C:\WINDOWS\_detmp.2 : bcozvz (0 bytes)
C:\WINDOWS\_detmp.2 : bczrri (0 bytes)
C:\WINDOWS\_detmp.2 : bdgdnp (0 bytes)
C:\WINDOWS\_detmp.2 : bdsujy (0 bytes)
C:\WINDOWS\_detmp.2 : bdytsd (11152 bytes)
C:\WINDOWS\_detmp.2 : begeru (0 bytes)
C:\WINDOWS\_detmp.4 : aoauxa (0 bytes)
C:\WINDOWS\_detmp.4 : bfmtqz (0 bytes)
C:\WINDOWS\_detmp.4 : bznuba (0 bytes)
C:\WINDOWS\_detmp.4 : dsdffe (0 bytes)
C:\WINDOWS\_detmp.4 : dvwnrt (0 bytes)
C:\WINDOWS\_detmp.4 : dwfinc (0 bytes)
C:\WINDOWS\_detmp.4 : egpigq (0 bytes)
C:\WINDOWS\_detmp.4 : erhjsg (0 bytes)
C:\WINDOWS\_detmp.4 : ewmjqj (0 bytes)
C:\WINDOWS\_detmp.4 : faluce (0 bytes)
C:\WINDOWS\_detmp.4 : frrrkv (0 bytes)
C:\WINDOWS\_detmp.4 : ftrzxl (0 bytes)
C:\WINDOWS\_detmp.4 : gpomuh (0 bytes)
C:\WINDOWS\_detmp.4 : hblgxn (0 bytes)
C:\WINDOWS\_detmp.4 : igephh (0 bytes)
C:\WINDOWS\_detmp.4 : ilnwkr (0 bytes)
C:\WINDOWS\_detmp.4 : iyihoh (0 bytes)
C:\WINDOWS\_detmp.4 : jgvphx (0 bytes)
C:\WINDOWS\_detmp.4 : jhphtu (0 bytes)
C:\WINDOWS\_detmp.4 : jjuwxc (0 bytes)
C:\WINDOWS\_detmp.4 : jpvivx (0 bytes)
C:\WINDOWS\_detmp.4 : kclzxr (0 bytes)
C:\WINDOWS\_detmp.4 : kkiqqj (0 bytes)
C:\WINDOWS\_detmp.4 : kmorfq (0 bytes)
C:\WINDOWS\_detmp.4 : kwgsqp (0 bytes)
C:\WINDOWS\_detmp.4 : kwudlr (0 bytes)
C:\WINDOWS\_detmp.4 : kwvtuy (0 bytes)
C:\WINDOWS\_detmp.4 : kzlakb (0 bytes)
C:\WINDOWS\_detmp.4 : lpreb (0 bytes)
C:\WINDOWS\_detmp.4 : lqxdqw (0 bytes)
C:\WINDOWS\_detmp.4 : lyiumf (0 bytes)
C:\WINDOWS\_detmp.4 : mhxemm (0 bytes)
C:\WINDOWS\_detmp.4 : moiuao (0 bytes)
C:\WINDOWS\_detmp.4 : mtytdi (0 bytes)
C:\WINDOWS\_detmp.4 : naujlu (197761 bytes)
C:\WINDOWS\_detmp.4 : npintp (0 bytes)
C:\WINDOWS\_detmp.4 : obdgtr (0 bytes)
C:\WINDOWS\_detmp.4 : oespkx (0 bytes)
C:\WINDOWS\_detmp.4 : ogfjco (0 bytes)
C:\WINDOWS\_detmp.4 : pibbdc (0 bytes)
C:\WINDOWS\_detmp.4 : ppelqn (0 bytes)
C:\WINDOWS\_detmp.4 : ptrfuu (0 bytes)
C:\WINDOWS\_detmp.4 : qanbdz (0 bytes)
C:\WINDOWS\_detmp.4 : qcxnyr (0 bytes)
C:\WINDOWS\_detmp.4 : qdfipp (0 bytes)
C:\WINDOWS\_detmp.4 : qmsogi (0 bytes)
C:\WINDOWS\_detmp.4 : qscjhq (0 bytes)
C:\WINDOWS\_detmp.4 : rolvbm (0 bytes)
C:\WINDOWS\_detmp.4 : rqrequ (0 bytes)
C:\WINDOWS\_detmp.4 : rxxajf (0 bytes)
C:\WINDOWS\_detmp.4 : sbelrp (0 bytes)
C:\WINDOWS\_detmp.4 : sufbxq (0 bytes)
C:\WINDOWS\_detmp.4 : svcqrh (0 bytes)
C:\WINDOWS\_detmp.4 : tfmxkv (0 bytes)
C:\WINDOWS\_detmp.4 : tgfykc (0 bytes)
C:\WINDOWS\_detmp.4 : thiidu (0 bytes)
C:\WINDOWS\_detmp.4 : ttlogh (197761 bytes)
C:\WINDOWS\_detmp.4 : uagzek (0 bytes)
C:\WINDOWS\_detmp.4 : ukjyqg (0 bytes)
C:\WINDOWS\_detmp.4 : usupmp (0 bytes)
C:\WINDOWS\_detmp.4 : vgvuil (0 bytes)
C:\WINDOWS\_detmp.4 : vllamw (0 bytes)
C:\WINDOWS\_detmp.4 : vorkbl (0 bytes)
C:\WINDOWS\_detmp.4 : vtwkho (0 bytes)
C:\WINDOWS\_detmp.4 : vvostd (0 bytes)
C:\WINDOWS\_detmp.4 : vxxohe (0 bytes)
C:\WINDOWS\_detmp.4 : whtmxb (0 bytes)
C:\WINDOWS\_detmp.4 : wzowmt (197761 bytes)
C:\WINDOWS\_detmp.4 : xbeieg (0 bytes)
C:\WINDOWS\_detmp.4 : xcyurv (0 bytes)
C:\WINDOWS\_detmp.4 : xkjloe (0 bytes)
C:\WINDOWS\_detmp.4 : xrjemg (0 bytes)
-
Can you run Killbox.exe
Click on Tools>>>Delete Temp files
Main screen of Killbox
In the full path of file to delete, copy and paste the whole line below in bold
C:\WINDOWS\_detmp.2
Select the options to "Delete File on Reboot" and "End Explorer Shell While Killing File"
Click the Red Circle with the White X
Confirm to Delete but don't reboot yet
Instead, do the same for this one
C:\WINDOWS\_detmp.4
This time allow to reboot the computer
If you get a Pending operations message
Close it and Restart the computer manually
Back in Windows
Run Hijackthis' ADS Spy again
This time, before running the scan with ads spy
Can you remove the check from "Quick Scan" please
Post the new log
-
Ran Killbox and deleted the 2 files and temp files. Here is the ADS log. Ran Ad-Aware again. Virus still present.
C:\!KillBox\_detmp.2 : aagjuq (11736 bytes)
C:\!KillBox\_detmp.2 : aaqmhk (0 bytes)
C:\!KillBox\_detmp.2 : abclxy (0 bytes)
C:\!KillBox\_detmp.2 : abfcuh (0 bytes)
C:\!KillBox\_detmp.2 : accrny (0 bytes)
C:\!KillBox\_detmp.2 : acrarp (0 bytes)
C:\!KillBox\_detmp.2 : aeayez (11736 bytes)
C:\!KillBox\_detmp.2 : aefkgw (0 bytes)
C:\!KillBox\_detmp.2 : aeinmg (0 bytes)
C:\!KillBox\_detmp.2 : aeutkn (0 bytes)
C:\!KillBox\_detmp.2 : afczin (0 bytes)
C:\!KillBox\_detmp.2 : afrime (0 bytes)
C:\!KillBox\_detmp.2 : agaube (0 bytes)
C:\!KillBox\_detmp.2 : agauzv (0 bytes)
C:\!KillBox\_detmp.2 : ahjsin (0 bytes)
C:\!KillBox\_detmp.2 : ahuhuc (0 bytes)
C:\!KillBox\_detmp.2 : ahvjfw (0 bytes)
C:\!KillBox\_detmp.2 : ahxkbl (0 bytes)
C:\!KillBox\_detmp.2 : aizolz (11152 bytes)
C:\!KillBox\_detmp.2 : ajckmh (0 bytes)
C:\!KillBox\_detmp.2 : ajfvsr (0 bytes)
C:\!KillBox\_detmp.2 : ajqtqy (0 bytes)
C:\!KillBox\_detmp.2 : ajtwwi (0 bytes)
C:\!KillBox\_detmp.2 : akejwf (0 bytes)
C:\!KillBox\_detmp.2 : akpatw (0 bytes)
C:\!KillBox\_detmp.2 : amcszw (0 bytes)
C:\!KillBox\_detmp.2 : amfvfg (0 bytes)
C:\!KillBox\_detmp.2 : amrbcn (0 bytes)
C:\!KillBox\_detmp.2 : amuejx (0 bytes)
C:\!KillBox\_detmp.2 : anoqee (0 bytes)
C:\!KillBox\_detmp.2 : anouyu (11152 bytes)
C:\!KillBox\_detmp.2 : aokbck (4870 bytes)
C:\!KillBox\_detmp.2 : aomlvm (0 bytes)
C:\!KillBox\_detmp.2 : aoxcrv (0 bytes)
C:\!KillBox\_detmp.2 : apbnme (0 bytes)
C:\!KillBox\_detmp.2 : apgyrt (0 bytes)
C:\!KillBox\_detmp.2 : apjjxd (0 bytes)
C:\!KillBox\_detmp.2 : apuatm (0 bytes)
C:\!KillBox\_detmp.2 : apuszm (0 bytes)
C:\!KillBox\_detmp.2 : apzbct (0 bytes)
C:\!KillBox\_detmp.2 : arjrna (9237 bytes)
C:\!KillBox\_detmp.2 : arncqn (0 bytes)
C:\!KillBox\_detmp.2 : asrmdh (0 bytes)
C:\!KillBox\_detmp.2 : atehuh (11736 bytes)
C:\!KillBox\_detmp.2 : atqubp (0 bytes)
C:\!KillBox\_detmp.2 : aulnfd (11736 bytes)
C:\!KillBox\_detmp.2 : aunjvf (0 bytes)
C:\!KillBox\_detmp.2 : aurjcz (0 bytes)
C:\!KillBox\_detmp.2 : auxoly (9237 bytes)
C:\!KillBox\_detmp.2 : auzpan (0 bytes)
C:\!KillBox\_detmp.2 : avqlmc (11152 bytes)
C:\!KillBox\_detmp.2 : awiuoe (0 bytes)
C:\!KillBox\_detmp.2 : awxvqx (0 bytes)
C:\!KillBox\_detmp.2 : axcojl (0 bytes)
C:\!KillBox\_detmp.2 : axneiv (0 bytes)
C:\!KillBox\_detmp.2 : axrhzm (0 bytes)
C:\!KillBox\_detmp.2 : axrpnc (0 bytes)
C:\!KillBox\_detmp.2 : ayoric (11736 bytes)
C:\!KillBox\_detmp.2 : azqhoj (4870 bytes)
C:\!KillBox\_detmp.2 : azybmw (0 bytes)
C:\!KillBox\_detmp.2 : babdet (0 bytes)
C:\!KillBox\_detmp.2 : baovaa (0 bytes)
C:\!KillBox\_detmp.2 : bavxst (11736 bytes)
C:\!KillBox\_detmp.2 : bazmxj (0 bytes)
C:\!KillBox\_detmp.2 : bblsur (0 bytes)
C:\!KillBox\_detmp.2 : bbvxvz (11152 bytes)
C:\!KillBox\_detmp.2 : bcozvz (0 bytes)
C:\!KillBox\_detmp.2 : bczrri (0 bytes)
C:\!KillBox\_detmp.2 : bdgdnp (0 bytes)
C:\!KillBox\_detmp.2 : bdsujy (0 bytes)
C:\!KillBox\_detmp.2 : bdytsd (11152 bytes)
C:\!KillBox\_detmp.2 : begeru (0 bytes)
C:\!KillBox\_detmp.4 : aoauxa (0 bytes)
C:\!KillBox\_detmp.4 : bfmtqz (0 bytes)
C:\!KillBox\_detmp.4 : bznuba (0 bytes)
C:\!KillBox\_detmp.4 : dsdffe (0 bytes)
C:\!KillBox\_detmp.4 : dvwnrt (0 bytes)
C:\!KillBox\_detmp.4 : dwfinc (0 bytes)
C:\!KillBox\_detmp.4 : egpigq (0 bytes)
C:\!KillBox\_detmp.4 : erhjsg (0 bytes)
C:\!KillBox\_detmp.4 : ewmjqj (0 bytes)
C:\!KillBox\_detmp.4 : faluce (0 bytes)
C:\!KillBox\_detmp.4 : frrrkv (0 bytes)
C:\!KillBox\_detmp.4 : ftrzxl (0 bytes)
C:\!KillBox\_detmp.4 : gpomuh (0 bytes)
C:\!KillBox\_detmp.4 : hblgxn (0 bytes)
C:\!KillBox\_detmp.4 : igephh (0 bytes)
C:\!KillBox\_detmp.4 : ilnwkr (0 bytes)
C:\!KillBox\_detmp.4 : iyihoh (0 bytes)
C:\!KillBox\_detmp.4 : jgvphx (0 bytes)
C:\!KillBox\_detmp.4 : jhphtu (0 bytes)
C:\!KillBox\_detmp.4 : jjuwxc (0 bytes)
C:\!KillBox\_detmp.4 : jpvivx (0 bytes)
C:\!KillBox\_detmp.4 : kclzxr (0 bytes)
C:\!KillBox\_detmp.4 : kkiqqj (0 bytes)
C:\!KillBox\_detmp.4 : kmorfq (0 bytes)
C:\!KillBox\_detmp.4 : kwgsqp (0 bytes)
C:\!KillBox\_detmp.4 : kwudlr (0 bytes)
C:\!KillBox\_detmp.4 : kwvtuy (0 bytes)
C:\!KillBox\_detmp.4 : kzlakb (0 bytes)
C:\!KillBox\_detmp.4 : lpreb (0 bytes)
C:\!KillBox\_detmp.4 : lqxdqw (0 bytes)
C:\!KillBox\_detmp.4 : lyiumf (0 bytes)
C:\!KillBox\_detmp.4 : mhxemm (0 bytes)
C:\!KillBox\_detmp.4 : moiuao (0 bytes)
C:\!KillBox\_detmp.4 : mtytdi (0 bytes)
C:\!KillBox\_detmp.4 : naujlu (197761 bytes)
C:\!KillBox\_detmp.4 : npintp (0 bytes)
C:\!KillBox\_detmp.4 : obdgtr (0 bytes)
C:\!KillBox\_detmp.4 : oespkx (0 bytes)
C:\!KillBox\_detmp.4 : ogfjco (0 bytes)
C:\!KillBox\_detmp.4 : pibbdc (0 bytes)
C:\!KillBox\_detmp.4 : ppelqn (0 bytes)
C:\!KillBox\_detmp.4 : ptrfuu (0 bytes)
C:\!KillBox\_detmp.4 : qanbdz (0 bytes)
C:\!KillBox\_detmp.4 : qcxnyr (0 bytes)
C:\!KillBox\_detmp.4 : qdfipp (0 bytes)
C:\!KillBox\_detmp.4 : qmsogi (0 bytes)
C:\!KillBox\_detmp.4 : qscjhq (0 bytes)
C:\!KillBox\_detmp.4 : rolvbm (0 bytes)
C:\!KillBox\_detmp.4 : rqrequ (0 bytes)
C:\!KillBox\_detmp.4 : rxxajf (0 bytes)
C:\!KillBox\_detmp.4 : sbelrp (0 bytes)
C:\!KillBox\_detmp.4 : sufbxq (0 bytes)
C:\!KillBox\_detmp.4 : svcqrh (0 bytes)
C:\!KillBox\_detmp.4 : tfmxkv (0 bytes)
C:\!KillBox\_detmp.4 : tgfykc (0 bytes)
C:\!KillBox\_detmp.4 : thiidu (0 bytes)
C:\!KillBox\_detmp.4 : ttlogh (197761 bytes)
C:\!KillBox\_detmp.4 : uagzek (0 bytes)
C:\!KillBox\_detmp.4 : ukjyqg (0 bytes)
C:\!KillBox\_detmp.4 : usupmp (0 bytes)
C:\!KillBox\_detmp.4 : vgvuil (0 bytes)
C:\!KillBox\_detmp.4 : vllamw (0 bytes)
C:\!KillBox\_detmp.4 : vorkbl (0 bytes)
C:\!KillBox\_detmp.4 : vtwkho (0 bytes)
C:\!KillBox\_detmp.4 : vvostd (0 bytes)
C:\!KillBox\_detmp.4 : vxxohe (0 bytes)
C:\!KillBox\_detmp.4 : whtmxb (0 bytes)
C:\!KillBox\_detmp.4 : wzowmt (197761 bytes)
C:\!KillBox\_detmp.4 : xbeieg (0 bytes)
C:\!KillBox\_detmp.4 : xcyurv (0 bytes)
C:\!KillBox\_detmp.4 : xkjloe (0 bytes)
C:\!KillBox\_detmp.4 : xrjemg (0 bytes)
C:\WINDOWS\system32 : pbaa.dll (3584 bytes)
C:\WINDOWS\system32 : pbaa.dll (3584 bytes)
C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\AGRSMMSG.exe : cgwbwj (3567 bytes)
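The two ADS Spy logs posted above (before and after the Killbox run) show the same alternate data streams first under C:\WINDOWS and then under C:\!KillBox, plus two hosts that appeared only in the second scan. As an added example (not code from this thread or from ADS Spy), here is a Python parser for the "host : stream (N bytes)" format that summarises streams per host, pairs hosts that reappeared under a new path with an identical stream set, and lists hosts not seen in the earlier scan. The BEFORE and AFTER samples are constructed excerpts modelled on the two logs, and the function names are my own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample input: excerpts in ADS Spy's "host : stream (N bytes)"
# format, modelled on the two logs posted above. BEFORE is the scan taken
# while the folders still lived under C:\WINDOWS, AFTER the scan taken once
# Killbox had moved them into its own C:\!KillBox folder.
BEFORE = r"""
C:\WINDOWS\_detmp.2 : aagjuq (11736 bytes)
C:\WINDOWS\_detmp.2 : aaqmhk (0 bytes)
C:\WINDOWS\_detmp.2 : aokbck (4870 bytes)
C:\WINDOWS\_detmp.4 : aoauxa (0 bytes)
C:\WINDOWS\_detmp.4 : naujlu (197761 bytes)
"""

AFTER = r"""
C:\!KillBox\_detmp.2 : aagjuq (11736 bytes)
C:\!KillBox\_detmp.2 : aaqmhk (0 bytes)
C:\!KillBox\_detmp.2 : aokbck (4870 bytes)
C:\!KillBox\_detmp.4 : aoauxa (0 bytes)
C:\!KillBox\_detmp.4 : naujlu (197761 bytes)
C:\WINDOWS\system32 : pbaa.dll (3584 bytes)
C:\WINDOWS\system32 : pbaa.dll (3584 bytes)
C:\WINDOWS\system32\ReinstallBackups\0015\DriverFiles\AGRSMMSG.exe : cgwbwj (3567 bytes)
"""

LINE_RE = re.compile(r"^(?P<host>.+?) : (?P<stream>\S+) \((?P<size>\d+) bytes\)$")

Streams = Dict[str, Dict[str, int]]  # host path -> {stream name: size in bytes}


def parse_ads_log(text: str) -> Streams:
    """Parse ADS Spy output into a per-host map of stream name -> size.

    Lines that do not match the format are ignored, and a stream listed
    twice for the same host (as pbaa.dll is above) is counted once.
    """
    hosts: Streams = defaultdict(dict)
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            hosts[m.group("host")][m.group("stream")] = int(m.group("size"))
    return dict(hosts)


def summarize(hosts: Streams) -> Dict[str, Tuple[int, int, int]]:
    """Per host: (total streams, streams with content, total bytes hidden)."""
    return {
        host: (len(s), sum(1 for n in s.values() if n > 0), sum(s.values()))
        for host, s in hosts.items()
    }


def _basename(path: str) -> str:
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def moved_hosts(before: Streams, after: Streams) -> List[Tuple[str, str]]:
    """Hosts that reappear under a new path with exactly the same streams.

    NTFS keeps alternate data streams attached to their host when the host
    is moved within a volume, so a folder that was moved rather than
    destroyed shows up again here with its streams intact.
    """
    pairs = []
    for old, old_streams in before.items():
        for new, new_streams in after.items():
            if new != old and _basename(new) == _basename(old) and new_streams == old_streams:
                pairs.append((old, new))
    return sorted(pairs)


def new_hosts(before: Streams, after: Streams) -> List[str]:
    """Hosts in the second scan whose name did not occur in the first."""
    seen = {_basename(h) for h in before}
    return sorted(h for h in after if _basename(h) not in seen)


if __name__ == "__main__":
    b, a = parse_ads_log(BEFORE), parse_ads_log(AFTER)
    for host, (total, nonempty, nbytes) in summarize(a).items():
        print(f"{host}: {total} streams, {nonempty} with content, {nbytes} bytes")
    for old, new in moved_hosts(b, a):
        print(f"moved with streams intact: {old} -> {new}")
    for host in new_hosts(b, a):
        print(f"newly seen host: {host}")
```

The summary separates the many zero-length stream names from the few that carry data, which is what a reviewer actually needs to look at; the before/after comparison makes the point of the second log explicit, namely that moving the folders left every stream in place.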
-
Sorry for the delay
Can you try the following please
From below, download and unzip to the desktop fix3.zip so you now have fix3.reg extracted
Check for updates with Ewido, don't run a scan yet
Check for updates with Ad-Aware, don't run a scan yet
Can you run Killbox.exe
Main screen of Killbox
In the full path of file to delete, copy and paste the whole line below in bold
C:\WINDOWS\system32\pbaa.dll
Select the options to "Delete File on Reboot"
"End Explorer Shell While Killing File"
"Unregister .dll before deleting"
Click the red circle white x button
Allow to delete on reboot
and then reboot now
Please boot into safe mode
In safe mode
Can you double click on fix.reg and allow to add/merge to the registry
Can you delete the folder created by Killbox
C:\!KillBox <-this folder
Run a complete scan with Ewido afterwards
Save the log when it's done
Can you open the WinPFind folder you extracted to the desktop earlier
Double click on WinPFind.exe
Click START SCAN
When it's done just close out
Reboot back to Normal mode
Can you run the scan with Ad-Aware again
When the scan is done Save A Report please
Come back here and post the report from ad-aware
Could you also post the report from Ewido's
Post the results of the WinPFind.txt located in the WinPFind folder
Can you also run ads-spy from hijackthis one more time and post the log
In addition: Can you run a search on this computer for
cgwbwj
Let me know if anything shows up please, if so, at what location
-
Downloaded and unzipped fix3. Ran Killbox and deleted the file. Also deleted the Killbox folder. Ran Ad-Aware and it didn't find the file this time, so we must've got it. Also, searched for cgwbwj and it wasn't found. When I ran HJT ADS the scan screen was blank and it wouldn't save a logfile, so I assume it came up with nothing.
Here are the logs you requested.
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 4:27:37 PM, 1/29/2006
+ Report-Checksum: 562370BB
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{2C4E6D22-B71F-491F-AAD3-B6972A650D50} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{310CC549-4541-46A9-940F-52B342A6E682} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{BBF122A7-8A4D-45B5-9E00-0F68BC87C904} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\CLSID\{CAE0999F-78C5-49DC-9F30-13142AAAABA4} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{365B9A54-E613-46E5-9DB1-4F91A9DE80BD} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{618BE527-B7F5-417C-BC51-98FDC2D6DE61} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{66C22569-F05C-4A70-A142-763B337E1002} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{7B8BD940-B1EF-460C-85A2-9ACAAF7F9303} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{99AA88D1-D9D3-410A-BE9E-044F94C183DA} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{C380566D-F343-42AB-987B-6B38A1A35747} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{D1951679-1D52-43FC-9585-0737143585F5} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\Interface\{F273D4EA-2025-4410-8408-251A0CD46BE7} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginConfig -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginDown -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginDownAdd -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginEvents -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginInst -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.PluginServer -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TBPS.ToolbarScript -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Classes\TypeLib\{B23B3ADD-84B1-414A-92B9-0CABE5A781F4} -> Spyware.IBIS : Error during cleaning
HKLM\SOFTWARE\Toolbar -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Files -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Install -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\PlugIns -> Spyware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Toolbar\Server -> Spyware.WebSearch : Error during cleaning
HKLM\SYSTEM\CurrentControlSet\Services\TBPSSvc -> Spyware.WebSearch : Error during cleaning
C:\counter.cab/counter.exe -> Dropper.Agent.az : Cleaned with backup
::Report End
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
UPX! 1/19/2006 12:56:46 AM 43391 C:\WINDOWS\browser.exe
UPX! 6/4/2005 11:52:48 AM 84642 C:\WINDOWS\n_ituoof.log
Checking %System% folder...
UPX! 12/20/2005 6:21:38 AM 481280 C:\WINDOWS\SYSTEM32\aswBoot.exe
PEC2 8/16/2003 1:40:04 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 11/4/2005 4:27:24 PM 534280 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 1/4/2006 7:46:40 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 1/4/2006 7:46:40 PM 2827616 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 1:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 1:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/15/2003 8:41:44 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Umonitor 8/15/2003 8:52:22 PM 631808 C:\WINDOWS\SYSTEM32\_003788_.tmp.dll
Umonitor 8/15/2003 8:52:22 PM 631808 C:\WINDOWS\SYSTEM32\_004055_.tmp.dll
Umonitor 8/15/2003 8:52:22 PM 631808 C:\WINDOWS\SYSTEM32\_004495_.tmp.dll
Checking %System%\Drivers folder and sub-folders...
PTech 8/3/2004 11:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys
Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
1/29/2006 1:21:30 PM S 2048 C:\WINDOWS\bootstat.dat
12/7/2005 10:04:38 PM HS 0 C:\WINDOWS\usuot.log
12/31/2005 12:27:02 AM H 0 C:\WINDOWS\inf\oem37.inf
1/19/2006 11:27:50 AM RHS 286777 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_7.cab
11/30/2005 10:17:10 PM S 21633 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905915.cat
12/1/2005 6:12:48 PM S 10925 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB910437.cat
1/2/2006 5:09:36 PM S 11223 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB912919.cat
1/29/2006 1:21:38 PM H 16384 C:\WINDOWS\system32\config\default.LOG
1/29/2006 1:21:40 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
1/29/2006 1:21:30 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
1/29/2006 1:41:34 PM H 81920 C:\WINDOWS\system32\config\software.LOG
1/29/2006 1:21:42 PM H 1122304 C:\WINDOWS\system32\config\system.LOG
1/19/2006 2:23:18 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
1/19/2006 11:27:50 AM S 558 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E6024EAC88E6B6165D49FE3C95ADD735
1/19/2006 11:27:50 AM S 144 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E6024EAC88E6B6165D49FE3C95ADD735
1/29/2006 1:20:34 PM H 6 C:\WINDOWS\Tasks\SA.DAT
Checking for CPL files...
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Realtek Semiconductor Corp. 9/20/2004 3:20:44 PM 16121856 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
Microsoft Corporation 8/4/2004 1:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 11/10/2005 1:03:50 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/15/2003 7:49:58 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/15/2003 7:57:52 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/15/2003 8:04:26 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 1:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/15/2003 7:49:58 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/15/2003 7:57:52 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/15/2003 8:04:26 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Intel Corporation 2/10/2004 7:53:24 PM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0001\DriverFiles\igfxcpl.cpl
Realtek Semiconductor Corp. 2/10/2004 2:19:32 AM 14224384 C:\WINDOWS\SYSTEM32\ReinstallBackups\0016\DriverFiles\ALSNDMGR.CPL
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
9/29/2004 2:27:32 PM 1903 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Compaq Connections.lnk
4/2/2004 1:55:28 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
1/24/2006 4:47:28 PM 1738 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
Checking files in %ALLUSERSPROFILE%\Application Data folder...
4/2/2004 5:46:32 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
11/8/2004 5:12:00 PM H 0 C:\Documents and Settings\All Users\Application Data\hpothb07.dat
11/8/2004 5:12:00 PM H 0 C:\Documents and Settings\All Users\Application Data\hpothb07.tif
Checking files in %USERPROFILE%\Startup folder...
4/2/2004 1:55:28 PM HS 84 C:\Documents and Settings\kerry and colleen\Start Menu\Programs\Startup\desktop.ini
Checking files in %USERPROFILE%\Application Data folder...
4/2/2004 5:46:32 AM HS 62 C:\Documents and Settings\kerry and colleen\Application Data\desktop.ini
11/8/2004 5:09:54 PM H 0 C:\Documents and Settings\kerry and colleen\Application Data\hpothb07.dat
11/8/2004 5:09:54 PM H 0 C:\Documents and Settings\kerry and colleen\Application Data\hpothb07.tif
3/13/2005 6:45:54 PM 75771 C:\Documents and Settings\kerry and colleen\Application Data\tizinf.xml
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Program Files\Alwil Software\Avast4\ashShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = C:\PROGRA~1\Webroot\SPYSWE~1\SSCtxMnu.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
SSVHelper Class = C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar2.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3369AF0D-62E9-4bda-8103-B4C75499B578}
ButtonText = AOL Toolbar :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
hpsysdrv c:\windows\system\hpsysdrv.exe
Recguard C:\WINDOWS\SMINST\RECGUARD.EXE
VTTimer VTTimer.exe
AGRSMMSG AGRSMMSG.exe
UpdateManager "c:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
EPSON Stylus CX5200 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P19 "EPSON Stylus CX5200" /O6 "USB001" /M "Stylus CX5200"
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
avast! C:\PROGRA~1\ALWILS~1\AVAST4\ashDisp.exe
CMPDPSRV C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\CMPDPSRV.EXE
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 1/29/2006 4:34:11 PM
Ad-Aware SE Build 1.06r1
Logfile Created on:Sunday, January 29, 2006 4:46:19 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R89 24.01.2006
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
MRU List(TAC index:0):15 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan my Hosts file
Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects
1-29-2006 4:46:19 PM - Scan started. (Full System Scan)
MRU List Object Recognized!
Location: : C:\Documents and Settings\kerry and colleen\Application Data\microsoft\office\recent
Description : list of recently opened documents using microsoft office
MRU List Object Recognized!
Location: : C:\Documents and Settings\kerry and colleen\recent
Description : list of recently opened documents
MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d
MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X
MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw
MRU List Object Recognized!
Location: : S-1-5-21-833561583-498507320-2471684171-1008\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer
MRU List Object Recognized!
Location: : S-1-5-21-833561583-498507320-2471684171-1008\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer
MRU List Object Recognized!
Location: : S-1-5-21-833561583-498507320-2471684171-1008\software\microsoft\microsoft management console\recent file list
Description : list of recent snap-ins used in the microsoft management console
MRU List Object Recognized!
Location: : S-1-5-21-833561583-498507320-2471684171-1008\software\microsoft\office\10.0\common\open find\microsoft word\settings\open\file name mru
Description : list of recent documents opened by microsoft word
MRU List Object Recognized!
Location: : S-1-5-21-833561583-498507320-2471684171-1008\software\microsoft\office\10.0\common\open find\microsoft word\settings\save as\file name mru
Description : list of recent documents saved by microsoft word
MRU List Object Recognized!
Location: : S-1-5-21-833561583-498507320-2471684171-1008\software\microsoft\search assistant\acmru
Description : list of recent search terms used with the search assistant
MRU List Object Recognized!
Location: : S-1-5-21-833561583-498507320-2471684171-1008\software\microsoft\windows\currentversion\applets\wordpad\recent file list
Description : list of recent files opened using wordpad
MRU List Object Recognized!
Location: : S-1-5-21-833561583-498507320-2471684171-1008\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened
MRU List Object Recognized!
Location: : S-1-5-21-833561583-498507320-2471684171-1008\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension
MRU List Object Recognized!
Location: : S-1-5-21-833561583-498507320-2471684171-1008\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened
Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 560
ThreadCreationTime : 1-29-2006 10:44:29 PM
BasePriority : Normal
#:2 [csrss.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 616
ThreadCreationTime : 1-29-2006 10:44:31 PM
BasePriority : Normal
#:3 [winlogon.exe]
FilePath : \??\C:\WINDOWS\system32\
ProcessID : 640
ThreadCreationTime : 1-29-2006 10:44:31 PM
BasePriority : High
#:4 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 684
ThreadCreationTime : 1-29-2006 10:44:32 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe
#:5 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 696
ThreadCreationTime : 1-29-2006 10:44:32 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
#:6 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 852
ThreadCreationTime : 1-29-2006 10:44:32 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:7 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 928
ThreadCreationTime : 1-29-2006 10:44:32 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:8 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1020
ThreadCreationTime : 1-29-2006 10:44:32 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:9 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1080
ThreadCreationTime : 1-29-2006 10:44:33 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:10 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1172
ThreadCreationTime : 1-29-2006 10:44:33 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:11 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 1428
ThreadCreationTime : 1-29-2006 10:44:34 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE
#:12 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1528
ThreadCreationTime : 1-29-2006 10:44:34 PM
BasePriority : Normal
FileVersion : 5.1.2600.2696 (xpsp_sp2_gdr.050610-1519)
ProductVersion : 5.1.2600.2696
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe
#:13 [hpsysdrv.exe]
FilePath : C:\windows\system\
ProcessID : 1660
ThreadCreationTime : 1-29-2006 10:44:35 PM
BasePriority : Normal
FileVersion : 1, 7, 0, 0
ProductVersion : 1, 7, 0, 0
ProductName : hpsysdrv
CompanyName : Hewlett-Packard Company
FileDescription : hpsysdrv
InternalName : hpsysdrv
LegalCopyright : Copyright © 1998
OriginalFilename : hpsysdrv.exe
#:14 [vttimer.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1676
ThreadCreationTime : 1-29-2006 10:44:35 PM
BasePriority : Normal
FileVersion : 1.04.06-1020
ProductVersion : 1.04.06-1020
ProductName : S3 Graphics, Inc. Utilities
CompanyName : S3 Graphics, Inc.
InternalName : S3Timer
LegalCopyright : Copyright © 2001-2004 S3 Graphics, Inc.
LegalTrademarks : S3 is a registered trademark of S3 Incorporated
#:15 [agrsmmsg.exe]
FilePath : C:\WINDOWS\
ProcessID : 1684
ThreadCreationTime : 1-29-2006 10:44:35 PM
BasePriority : Normal
FileVersion : 2.1.41.10 2.1.41.10 06/29/2004 09:06:35
ProductVersion : 2.1.41.10 2.1.41.10 06/29/2004 09:06:35
ProductName : Agere SoftModem Messaging Applet
CompanyName : Agere Systems
FileDescription : SoftModem Messaging Applet
InternalName : smdmstat.exe
LegalCopyright : Copyright © Agere Systems 1998-2000
OriginalFilename : smdmstat.exe
#:16 [sgtray.exe]
FilePath : C:\Program Files\Common Files\Sonic\Update Manager\
ProcessID : 1692
ThreadCreationTime : 1-29-2006 10:44:35 PM
BasePriority : Normal
FileVersion : 1.01.32a
CompanyName : Sonic Solutions
FileDescription : Sonic Update Manager
LegalCopyright : Copyright © 2002 Sonic Solutions
#:17 [e_s10ic2.exe]
FilePath : C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\
ProcessID : 1700
ThreadCreationTime : 1-29-2006 10:44:35 PM
BasePriority : Normal
FileVersion : 3.05
ProductVersion : 3.05
ProductName : EPSON Status Monitor 3
CompanyName : SEIKO EPSON CORPORATION
FileDescription : EPSON Status Monitor 3
InternalName : E_S10IC2
LegalCopyright : Copyright © SEIKO EPSON CORP. 2002
OriginalFilename : E_S10IC2.EXE
#:18 [jusched.exe]
FilePath : C:\Program Files\Java\jre1.5.0_06\bin\
ProcessID : 1708
ThreadCreationTime : 1-29-2006 10:44:35 PM
BasePriority : Normal
#:19 [ashdisp.exe]
FilePath : C:\PROGRA~1\ALWILS~1\AVAST4\
ProcessID : 1720
ThreadCreationTime : 1-29-2006 10:44:35 PM
BasePriority : Normal
FileVersion : 4, 6, 739, 0
ProductVersion : 4, 6, 0, 0
ProductName : avast! Antivirus
FileDescription : avast! service GUI component
InternalName : aswDisp
LegalCopyright : Copyright © 2005 ALWIL Software
OriginalFilename : aswDisp.exe
#:20 [cmpdpsrv.exe]
FilePath : C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\
ProcessID : 1732
ThreadCreationTime : 1-29-2006 10:44:35 PM
BasePriority : Normal
FileVersion : 1.0.0.137
ProductVersion : 1.0.0.137
ProductName : Printer Driver Plus
CompanyName : Conexant Systems, Inc.
FileDescription : PDP RPC Server
InternalName : PDPserver
LegalCopyright : Copyright© Conexant Systems, Inc. 1996-2001
OriginalFilename : PDPserve.dll
#:21 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ProcessID : 1756
ThreadCreationTime : 1-29-2006 10:44:35 PM
BasePriority : Normal
FileVersion : 4.7.3001
ProductVersion : Version 4.7.3001
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Windows Messenger
InternalName : msmsgs
LegalCopyright : Copyright © Microsoft Corporation 2004
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe
#:22 [backweb-1940576.exe]
FilePath : C:\Program Files\Compaq Connections\1940576\Program\
ProcessID : 1808
ThreadCreationTime : 1-29-2006 10:44:35 PM
BasePriority : Normal
#:23 [aswupdsv.exe]
FilePath : C:\Program Files\Alwil Software\Avast4\
ProcessID : 424
ThreadCreationTime : 1-29-2006 10:44:42 PM
BasePriority : Normal
#:24 [ashserv.exe]
FilePath : C:\Program Files\Alwil Software\Avast4\
ProcessID : 436
ThreadCreationTime : 1-29-2006 10:44:42 PM
BasePriority : High
FileVersion : 4, 6, 739, 0
ProductVersion : 4, 6, 0, 0
ProductName : avast! Antivirus
FileDescription : avast! antivirus service
InternalName : aswServ
LegalCopyright : Copyright © 2005 ALWIL Software
OriginalFilename : aswServ.exe
#:25 [eebsvc.exe]
FilePath : C:\Program Files\Common Files\EPSON\EBAPI\
ProcessID : 468
ThreadCreationTime : 1-29-2006 10:44:42 PM
BasePriority : Normal
#:26 [sagent2.exe]
FilePath : C:\Program Files\Common Files\EPSON\EBAPI\
ProcessID : 484
ThreadCreationTime : 1-29-2006 10:44:42 PM
BasePriority : Normal
FileVersion : 2, 3, 0, 0
ProductVersion : 1, 0, 0, 0
ProductName : EPSON Bidirectional Printer
CompanyName : SEIKO EPSON CORPORATION
FileDescription : EPSON Printer Status Agent
InternalName : SAgent2
LegalCopyright : Copyright © SEIKO EPSON CORP. 2000-2001
OriginalFilename : SAgent2.exe
#:27 [ewidoctrl.exe]
FilePath : C:\Program Files\ewido anti-malware\
ProcessID : 516
ThreadCreationTime : 1-29-2006 10:44:43 PM
BasePriority : Normal
FileVersion : 3, 0, 0, 1
ProductVersion : 3, 0, 0, 1
ProductName : ewido control
CompanyName : ewido networks
FileDescription : ewido control
InternalName : ewido control
LegalCopyright : Copyright © 2004
OriginalFilename : ewidoctrl.exe
#:28 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1148
ThreadCreationTime : 1-29-2006 10:44:46 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe
#:29 [wrsssdk.exe]
FilePath : C:\Program Files\Webroot\Spy Sweeper\
ProcessID : 1668
ThreadCreationTime : 1-29-2006 10:44:47 PM
BasePriority : Normal
FileVersion : 2,0,9,509
ProductVersion : 2, 0
ProductName : Spy Sweeper SDK
CompanyName : Webroot Software, Inc.
FileDescription : Spy Sweeper SDK
LegalCopyright : Copyright © 2002 - 2005, All Rights Reserved.
LegalTrademarks : Spy Sweeper is a trademark of Webroot Software, Inc.
OriginalFilename : SpySweeper.exe
#:30 [wdfmgr.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2056
ThreadCreationTime : 1-29-2006 10:44:53 PM
BasePriority : Normal
FileVersion : 5.2.3790.1230 built by: DNSRV(bld4act)
ProductVersion : 5.2.3790.1230
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows User Mode Driver Manager
InternalName : WdfMgr
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : WdfMgr.exe
#:31 [ashmaisv.exe]
FilePath : C:\Program Files\Alwil Software\Avast4\
ProcessID : 2332
ThreadCreationTime : 1-29-2006 10:44:54 PM
BasePriority : Normal
#:32 [ashwebsv.exe]
FilePath : C:\Program Files\Alwil Software\Avast4\
ProcessID : 2380
ThreadCreationTime : 1-29-2006 10:44:55 PM
BasePriority : Normal
#:33 [alg.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2676
ThreadCreationTime : 1-29-2006 10:44:55 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Application Layer Gateway Service
InternalName : ALG.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : ALG.exe
#:34 [notepad.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3160
ThreadCreationTime : 1-29-2006 10:45:05 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Notepad
InternalName : Notepad
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : NOTEPAD.EXE
#:35 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 3196
ThreadCreationTime : 1-29-2006 10:45:17 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE
#:36 [wuauclt.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 3416
ThreadCreationTime : 1-29-2006 10:45:39 PM
BasePriority : Normal
FileVersion : 5.8.0.2469 built by: lab01_n(wmbla)
ProductVersion : 5.8.0.2469
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Automatic Updates
InternalName : wuauclt.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : wuauclt.exe
#:37 [wmiprvse.exe]
FilePath : C:\WINDOWS\System32\wbem\
ProcessID : 3520
ThreadCreationTime : 1-29-2006 10:46:01 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : WMI
InternalName : Wmiprvse.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : Wmiprvse.exe
#:38 [ad-aware.exe]
FilePath : C:\Program Files\Lavasoft\Ad-Aware SE Personal\
ProcessID : 3588
ThreadCreationTime : 1-29-2006 10:46:12 PM
BasePriority : Normal
FileVersion : 6.2.0.236
ProductVersion : SE 106
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft AB Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved
Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15
Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15
Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15
Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15
Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15
Deep scanning and examining files (D:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Disk Scan Result for D:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15
Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 15
Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 15
5:04:25 PM Scan Complete
Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:18:05.281
Objects scanned:168188
Objects identified:0
Objects ignored:0
New critical objects:0
-
Can you move this file to that backup folder you made a while ago
C:\WINDOWS\n_ituoof.log <-this file
I also don't know what this one is related to
Can you right click on it and left click properties
Do you know what it's related to?
C:\WINDOWS\usuot.log
If not, move it to the Backup folder
Create a new system restore point so we have something to fall back on if something goes wrong
I'm curious if those registry entries found by Ewido's actually exist
Can you do the following please, one last download
Download and install Registrar Lite
http://www.resplendence.com/reglite (http://www.majorgeeks.com/downloadget.php?id=469&file=10&evp=99920ce30ba0a7f4dddc1c3d163fe982)
Save the rest of these instructions please
Reboot into safe mode
In safe mode, go to START>>RUN>>Type in the following
sc stop TBPSSvc
Open Registrar Lite shortcut
Copy and paste the following line in bold into the top address bar of Registrar Lite and then hit GO
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TBPSSvc
Reglite should now have highlighted the key and it should be purple in color
right click on TBPSSvc and select 'Delete'.
If you can't delete it, select 'Security' >> 'Edit Permissions' from the pull down menu at the top (with the key still highlighted). Make sure 'Read' and 'Full Control' are selected for your account(in the top pane), click 'Ok' and try to delete it again.
If they are selected and it won't delete
Again in Edit Permissions>>Click the Advanced button
Check the following if unchecked
"Inherit from parent the permission entries that apply to child objects."
OK it and OK again
Then try and delete the key
Do the same for these ones, some may be expanded entries of another key
But I'll include everything as it's easier that way
If you're unsure about an entry don't remove it
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2C4E6D22-B71F-491F-AAD3-B6972A650D50}
Take note: When you enter that entry:
If the CLSID >>>>{2C4E6D22-B71F-491F-AAD3-B6972A650D50} is not found
RegLite will probably highlight HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID <-this entry
DO NOT try and delete that entry, you're after {2C4E6D22-B71F-491F-AAD3-B6972A650D50}
Carry on with these ones
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{310CC549-4541-46A9-940F-52B342A6E682}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{BBF122A7-8A4D-45B5-9E00-0F68BC87C904}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CAE0999F-78C5-49DC-9F30-13142AAAABA4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{365B9A54-E613-46E5-9DB1-4F91A9DE80BD}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{618BE527-B7F5-417C-BC51-98FDC2D6DE61}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{66C22569-F05C-4A70-A142-763B337E1002}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{7B8BD940-B1EF-460C-85A2-9ACAAF7F9303}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{99AA88D1-D9D3-410A-BE9E-044F94C183DA}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{C380566D-F343-42AB-987B-6B38A1A35747}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{D1951679-1D52-43FC-9585-0737143585F5}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{F273D4EA-2025-4410-8408-251A0CD46BE7}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{B23B3ADD-84B1-414A-92B9-0CABE5A781F4}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBPS.PluginConfig
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBPS.PluginDow
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBPS.PluginDownAdd
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBPS.PluginEvents
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBPS.PluginInst
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBPS.PluginServer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TBPS.ToolbarScript
HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar\Files
HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar\Install
HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar\PlugIns
HKEY_LOCAL_MACHINE\SOFTWARE\Toolbar
That should do it. Let me know how everything's running after that.
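The same cleanup as a script, added here as an example and not part of the original post. It assumes an elevated PowerShell (5.1 or later) session on a modern Windows machine (the XP SP1 box in this thread predates PowerShell), the service name and key list exactly as given in the post above, and a backup folder on the Desktop that is an arbitrary choice. Each key is exported with reg.exe before it is deleted, so a wrong deletion can be undone with `reg import` instead of a System Restore rollback.

```powershell
# Added example, not from the original post: scripted version of the manual
# Registrar Lite steps. Run from an elevated PowerShell prompt.
# Assumptions: the service name and key list are the ones in the post above;
# the backup folder location is arbitrary.

$ServiceName = 'TBPSSvc'
$BackupDir   = Join-Path $env:USERPROFILE 'Desktop\regbackup'   # assumed location

# Same order as the post: children first, HKLM\SOFTWARE\Toolbar last.
$Keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\TBPSSvc'
    'HKLM:\SOFTWARE\Classes\CLSID\{2C4E6D22-B71F-491F-AAD3-B6972A650D50}'
    'HKLM:\SOFTWARE\Classes\CLSID\{310CC549-4541-46A9-940F-52B342A6E682}'
    'HKLM:\SOFTWARE\Classes\CLSID\{6E21F428-5617-47F7-AED8-B2E1D8FBA711}'
    'HKLM:\SOFTWARE\Classes\CLSID\{708BE496-E202-497B-BC31-9CF47E3BF8D6}'
    'HKLM:\SOFTWARE\Classes\CLSID\{8B0FA130-0C3D-4CB1-AEB7-2C29DA5509A3}'
    'HKLM:\SOFTWARE\Classes\CLSID\{BBF122A7-8A4D-45B5-9E00-0F68BC87C904}'
    'HKLM:\SOFTWARE\Classes\CLSID\{CAE0999F-78C5-49DC-9F30-13142AAAABA4}'
    'HKLM:\SOFTWARE\Classes\Interface\{365B9A54-E613-46E5-9DB1-4F91A9DE80BD}'
    'HKLM:\SOFTWARE\Classes\Interface\{618BE527-B7F5-417C-BC51-98FDC2D6DE61}'
    'HKLM:\SOFTWARE\Classes\Interface\{66C22569-F05C-4A70-A142-763B337E1002}'
    'HKLM:\SOFTWARE\Classes\Interface\{7B8BD940-B1EF-460C-85A2-9ACAAF7F9303}'
    'HKLM:\SOFTWARE\Classes\Interface\{99AA88D1-D9D3-410A-BE9E-044F94C183DA}'
    'HKLM:\SOFTWARE\Classes\Interface\{C380566D-F343-42AB-987B-6B38A1A35747}'
    'HKLM:\SOFTWARE\Classes\Interface\{D1951679-1D52-43FC-9585-0737143585F5}'
    'HKLM:\SOFTWARE\Classes\Interface\{F273D4EA-2025-4410-8408-251A0CD46BE7}'
    'HKLM:\SOFTWARE\Classes\TypeLib\{B23B3ADD-84B1-414A-92B9-0CABE5A781F4}'
    'HKLM:\SOFTWARE\Classes\TBPS.PluginConfig'
    'HKLM:\SOFTWARE\Classes\TBPS.PluginDow'
    'HKLM:\SOFTWARE\Classes\TBPS.PluginDownAdd'
    'HKLM:\SOFTWARE\Classes\TBPS.PluginEvents'
    'HKLM:\SOFTWARE\Classes\TBPS.PluginInst'
    'HKLM:\SOFTWARE\Classes\TBPS.PluginServer'
    'HKLM:\SOFTWARE\Classes\TBPS.ToolbarScript'
    'HKLM:\SOFTWARE\Toolbar\Files'
    'HKLM:\SOFTWARE\Toolbar\Install'
    'HKLM:\SOFTWARE\Toolbar\PlugIns'
    'HKLM:\SOFTWARE\Toolbar'
)

function Grant-FullControl {
    # Equivalent of the post's Security >> Edit Permissions step: give the
    # current account Full Control and turn parent inheritance back on.
    param([string]$LiteralPath)
    $acl     = Get-Acl -LiteralPath $LiteralPath
    $me      = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $ruleArgs = @($me, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $rule    = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $ruleArgs
    $acl.SetAccessRule($rule)
    $acl.SetAccessRuleProtection($false, $true)   # the "Inherit from parent" checkbox
    Set-Acl -LiteralPath $LiteralPath -AclObject $acl
}

New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null

# 1. Stop the service first (the post's 'sc stop TBPSSvc' step) so nothing holds the key.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -ne 'Stopped') { Stop-Service -Name $ServiceName -Force }

# 2. Back up, then delete, only keys that actually exist.
foreach ($key in $Keys) {
    # Testing the exact key is what prevents deleting a parent such as
    # HKLM\SOFTWARE\Classes\CLSID when one CLSID is missing (the warning in the post).
    if (-not (Test-Path -LiteralPath $key)) { Write-Host "absent : $key"; continue }

    $regPath = $key -replace '^HKLM:\\', 'HKLM\'                       # reg.exe syntax
    $file    = Join-Path $BackupDir (($regPath -replace '[\\:{}]', '_') + '.reg')
    & reg.exe export $regPath $file /y | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "backup failed, skipping $key"; continue }

    try {
        Remove-Item -LiteralPath $key -Recurse -Force -ErrorAction Stop
        Write-Host "deleted: $key"
    } catch {
        # Access denied: repair the ACL as the post describes, then retry once.
        Grant-FullControl -LiteralPath $key
        Remove-Item -LiteralPath $key -Recurse -Force -ErrorAction Stop
        Write-Host "deleted (after permission fix): $key"
    }
}
```

If Set-Acl itself is refused, the key's owner is someone else and the account first needs to take ownership (the Owner tab in regedit, or SeTakeOwnershipPrivilege from an elevated shell) before the permission fix can be applied; the script deliberately does not do that silently. Any exported .reg file in the backup folder can be put back with `reg import <file>`.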
-
When I tried to move the file C:\WINDOWS\usuot.log to the backup folder there was a prompt asking if I wanted to move this Windows system file. I declined because the file sounds important (I didn't get that prompt with any other files). It's a good thing that you had me create another system restore point because I accidentally deleted a couple of registries that I shouldn't have and the computer started acting up and wouldn't run Windows Explorer. So I had to go back to that point and start over. I deleted all of the registries on the list. I ran Ad-Aware one more time and it came up with nothing. Ewido also found nothing. One thing though: when I went back to my restore point I don't remember if I redid this task: "In safe mode, go to START>>RUN>>Type in the following sc stop TBPSSvc". Should I do it again just in case?
-
"START>>RUN>>Type in the following sc stop TBPSSvc" should I do it again just in case?
No, don't worry about it.
Did you right-click on this file and left-click Properties?
Did you find what it's related to?
C:\WINDOWS\usuot.log <-file
Just to be on the safe side
Can you go to
Jotti's Online Malware scan (http://virusscan.jotti.org/)
Use the browse button and navigate to this file on your hard disk:
C:\WINDOWS\usuot.log
Right-click on the file and choose Select.
Then use the Submit button.
Let it finish scanning.
Could you post the results of the scan back here please?
I take it everything is running fine now?
-
When I submit C:\WINDOWS\usuot.log to Jotti's I get this reply on a blank white screen: "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file". I do not know what it is related to. When I go to Properties it says that it is a text document that opens with Notepad. It is 4.0 KB and was created on Dec 7, 2005. But everything seems to be running fine.
-
I'm not sure what it's related to either.
Can you leave the file where it is, right-click on it and rename it to
usuot.lo_
See if it has any effect on any programs.
-
I changed the name of the file and all other programs seem to be working fine.
-
Good work, and thanks for hanging in there.
If everything's still running well,
I would clear your system restore points again.
Remember to re-enable it after you have rebooted.
You should have SpywareBlaster 3.5.1 installed
Make sure to check for updates every couple of weeks
Same goes with Spybot 1.4
Immunize after every update
*Keep up to date on Windows updates
It's very important to keep up to date on the latest High Priority updates
Set dad to Automatic updates if he wants
*Make sure your Anti-Virus software is always kept up to date and actively running in the background
*Check for updates with your anti-spyware programs and run a scan on a regular basis
This includes Ad-aware and Spybot
You may also choose to hold onto Ewido and CleanUp!
Ewido becomes a limited version after a couple of weeks.
It's still a very good scanner to update and run once a month.
Stay safe
-
Hey, I just wanna say thanks for being patient with me through this ordeal. I learned quite a lot throughout this month-long journey. I appreciate it. You actually will be hearing from me again very soon because in trying to download a program to fix this computer I got a virus on my own computer. I posted the thread over a month ago but I will find it and reply. I've just been busy putting all of my time and effort into this computer. Trust me, my computer won't be nearly as difficult as this one was.
-
Sounds good. I'll lock this topic as it appears resolved.
If you can't find your other post, start a new one with a fresh HijackThis log.
Take care.