can someone please help me - Geeks to Go Forums


Can someone please help me? I've been waiting since the 22nd

#1 scratchy123

  • Group: Member
  • Posts: 12
  • Joined: 22-September 06

Posted 26 September 2006 - 02:02 PM

I posted my hjt log on the 22nd but still no help from anybody. Can you guys help me out this time please?

Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 10:02:09 PM, on 9/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\ISS\BlackICE\rapapp.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Documents and Settings\Anco.ANCO-DC7801B793\Desktop\New Folder (2)\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.speedandsound.co.za/forum/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [zzGBK] G:\setup.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlackICE Utility.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AF27481-7F79-476B-938A-2E6595B671F4}: NameServer = 196.44.136.162,196.44.128.146
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

#2 Octagonal

  • Group: Member
  • Posts: 2,528
  • Joined: 04-May 05

Posted 03 October 2006 - 06:35 PM

Hi scratchy123,

Welcome to Geeks to Go.

Sorry for the delay the Helpers have been quite busy.

I notice that you have LimeWire running at startup. Peer-to-peer programs are usual channels for infections. Would you kindly remove this program from your computer, or refrain from using these types of programs whilst we are cleaning your system? You can read more about this here.

If you don't remove LimeWire, then could you please disable it from running on startup.

Create an Uninstall list
  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)
  • Click Save, copy and paste the results in your next post.
Your HijackThis log is a little old; please post a fresh HijackThis log along with the Uninstall list.

Thanks.

#3 scratchy123

  • Group: Member
  • Posts: 12
  • Joined: 22-September 06

Posted 04 October 2006 - 03:05 AM

I don't mind the delay. I'm just happy to be helped.

Here is the uninstall log:

ACE Mega CoDecS Pack
Ad-Aware SE Personal
Adobe Photoshop CS
Adobe Premiere 6.0
Advanced Port Scanner v1.2
Advanced RealMedia Export Plug-in for Premiere 6.0
Ahead InCD
a-squared Anti-Malware 2.0
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Battlefield 2™
BitComet 0.56
BlackICE
BlueSoleil
Cars - Radiator Springs Adventures
CDRWIN 5
Cleaner 5 EZ
Core FTP LE 1.3c
Cross Racing Championship 2005
DAEMON Tools
DFE-520TX
DiamondCS Port Explorer v1.700 Evaluation
DivX 5.0 Bundle
D-Link PCI Fast Ethernet Adapter
Download Accelerator Plus
dvdSanta 3.43
ewido anti-spyware 4.0
Free Download Manager 2.1 - Free Downloads Center Edition
GameShadow
GameSpy Arcade
HijackThis 1.99.1
Hitman Blood Money
J2SE Runtime Environment 5.0 Update 6
Microsoft .NET Framework 2.0
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Mozilla Firefox (1.5.0.7)
MSN Messenger 7.5
Nero - Burning Rom
Nero 6 Demo
NetBus Pro
Neuro Hunter
NVIDIA Drivers
Oblivion
QuickTime
RealPlayer Plus
Realtek AC'97 Audio
RelevantKnowledge
Richard Burns Rally
Rogue Trooper
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB925486)
Shadow IM Sniffer 4.01
SketchUp 5
Sniper Elite
SoulSeek Client 156c
Spybot - Search & Destroy 1.2
The Godfather™ The Game
The Sims
The Sims 2
The Sims 2 Nightlife
Ulead DVD Workshop Trial
Ulead VideoStudio 6 Trial
Uninstall CEDP Stealer 5.0 for Messenger
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Walaber's Trampoline
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinPcap 3.1
WinRAR archiver
WinZip
World of Warcraft
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar

And the new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:05:29 AM, on 10/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ISS\BlackICE\rapapp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\ANCO~1.ANC\LOCALS~1\Temp\~e5.0001
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Anco.ANCO-DC7801B793\Desktop\New Folder (2)\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.speedandsound.co.za/forum/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [zzGBK] G:\setup.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlackICE Utility.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AF27481-7F79-476B-938A-2E6595B671F4}: NameServer = 196.44.136.162,196.44.128.146
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

P.S. I have removed LimeWire from startup as requested.

#4 Octagonal

  • Group: Member
  • Posts: 2,528
  • Joined: 04-May 05

Posted 04 October 2006 - 06:36 AM

Hi scratchy123,

I notice that you also have BitComet and SoulSeek Client installed and running. Could you please disable the startup of these programs while we are cleaning your system, as well as any other file sharing program that you may have? It would be unfortunate to have our cleaning spoilt by any unwanted downloads.

Your version of Spybot - Search & Destroy is way out of date. Uninstall the old version then please go here to download and install the latest version.

You have a suspicious file that I need you to upload and get analysed.

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
    • G:\setup.exe

  • Click on the submit button
  • Please post the results in your next reply.
Download Accelerator Plus (DAP): You are using Download Accelerator Plus (DAP). Be informed that it delivers popup/popunder ads and tracks your internet usage. I would suggest that you remove this.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm


Now close all windows other than HiJackThis (including any browser windows), then click Fix Checked.

Please go to Start then Control Panel then Add/Remove Programs and remove the following (if present):

Download Accelerator Plus
RelevantKnowledge
Shadow IM Sniffer 4.01
Uninstall CEDP Stealer 5.0 for Messenger

Please note any other programs that you don't recognize in that list in your next response.

Boot into Safe Mode: You can do this by restarting your computer and, as soon as it starts booting up again, continuously tapping F8. A menu should come up where you will be given the option to enter Safe Mode.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\PROGRAM FILES\DAP << Folder

Reboot into Normal Mode.

Download Combofix.exe and save it to your desktop.

Double click combofix.exe & follow the prompts.

When it has finished, it will produce a log. Please post that log in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Post back a fresh HijackThis log, Jotti's results and I will take another look. BTW are you in Africa by any chance?

Thanks.

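The entries the helper is reading by eye above (an orphaned O3 toolbar, an O4 autorun launched from G:, DAP context-menu items, "(file missing)" services) follow a fixed "Onn - ..." line format, so the same triage can be done mechanically. The block below is an added example written for this page; it is not part of HijackThis or of the thread. The sample lines are a constructed subset of the logs posted here, and the unwanted-program fragment list (DAP) is an assumption taken from the helper's advice in this post.

```python
"""Triage helper for HijackThis v1.99.1 log entries.

Added example for this thread; it is not part of HijackThis or of the forum
post.  It parses the "Onn - ..." entry lines and applies, mechanically, the
kind of checks the helper applied by eye: orphaned entries ("(no file)",
"(file missing)"), autorun entries launched from a drive other than the
system drive, entries belonging to a program identified as unwanted, and
explicitly configured name servers that should be confirmed as the ISP's.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# "R0 - ...", "O2 - ...", "O23 - ...": the section tag, then the entry body.
ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive-letter path ending in a common executable/script extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|cpl|htm|lnk))', re.I)

# Assumption: directory fragments of programs the helper in this thread asked
# to remove (Download Accelerator Plus).  Extend with the thread's findings.
UNWANTED_PATH_FRAGMENTS = ("\\DAP\\",)


@dataclass
class Entry:
    kind: str                      # e.g. "O4"
    body: str                      # text after "O4 - "
    clsid: Optional[str] = None
    path: Optional[str] = None
    findings: List[str] = field(default_factory=list)


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for an HJT entry line, or None for headers/process list."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    clsid = CLSID_RE.search(body)
    path = PATH_RE.search(body)
    return Entry(kind, body,
                 clsid.group(0) if clsid else None,
                 path.group(1) if path else None)


def triage(entry: Entry, system_drive: str = "C:") -> Entry:
    """Attach findings to one entry; an empty findings list means nothing noted."""
    low = entry.body.lower()
    if "(no file)" in low or "(file missing)" in low:
        entry.findings.append("orphaned: registered component is not on disk")
    if (entry.kind == "O4" and entry.path
            and not entry.path.upper().startswith(system_drive.upper())):
        entry.findings.append(
            f"autorun from non-system drive {entry.path[:2]}: submit the file for analysis")
    if entry.path and any(f.lower() in entry.path.lower() for f in UNWANTED_PATH_FRAGMENTS):
        entry.findings.append("belongs to a program identified as unwanted in this thread")
    if entry.kind == "O17" and "nameserver" in low:
        entry.findings.append("explicit DNS servers configured: confirm they are the ISP's")
    return entry


def flagged_entries(log_text: str, system_drive: str = "C:") -> List[Entry]:
    """Parse a whole log and return only the entries that received a finding."""
    out = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and triage(entry, system_drive).findings:
            out.append(entry)
    return out


# Constructed sample: a subset of the entry lines posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.speedandsound.co.za/forum/
O3 - Toolbar: (no name) - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - (no file)
O4 - HKLM\..\Run: [zzGBK] G:\setup.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AF27481-7F79-476B-938A-2E6595B671F4}: NameServer = 196.44.136.162,196.44.128.146
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
"""

if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_LOG):
        print(f"{e.kind:<4} {e.body[:60]}")
        for f in e.findings:
            print(f"      -> {f}")
```

A finding is a prompt to verify, not a verdict: the O4 entry here turned out to be a stale autorun from a disconnected virtual drive, which is exactly why the helper asks for the file to be submitted rather than deleted outright.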
#5 scratchy123

  • Group: Member
  • Posts: 12
  • Joined: 22-September 06

Posted 05 October 2006 - 02:58 AM

Yes, I am from Africa. How did you know lol

I have disabled SoulSeek and BitComet startup as requested.

I have removed DAP and all the other programs as listed.

The setup.exe file was from a virtual drive that is no longer connected, so it cannot be uploaded. I hope this isn't a problem.

I have run the new Spybot and found a couple of entries, which I have cleaned, but the problem persists.

I ran ComboFix, but it did not produce a log file, and the problem persists.

Here is the log:

"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
"a-squared"="\"C:\\Program Files\\a-squared Anti-Malware\\a2guard.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Completion time: Wed 10/04/2006 15:12:22.48
ComboFix.txt
ComboFix2.txt

And a fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:58:34 AM, on 10/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\ANCO~1.ANC\LOCALS~1\Temp\~e5.0001
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe

#6 Octagonal

  • Group: Member
  • Posts: 2,528
  • Joined: 04-May 05

Posted 05 October 2006 - 07:23 AM

Hi scratchy123,

Looks like your HijackThis log got cut off. No problems, we'll get another one shortly. :whistling:

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Let's take a look a bit deeper into your system. If I don't find anything using this scanner, I may ask for other scanners to be run to try to track down what is hiding in your system, so please be patient if I ask for other logs.

Please RIGHT-CLICK HERE and Save As (in IE it's "Save Target As", in FF it's "Save Link As") to download Silent Runners.
  • Save it to the desktop.
  • Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
  • You will receive a prompt:
      Do you want to skip supplementary searches?
      click NO

  • If you receive an error just click OK and double-click it to run it again - sometimes it won't run as it's supposed to the first time but will in subsequent runs.
  • You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
  • Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here together with a fresh HijackThis log.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Thanks.

#7 scratchy123

  • Group: Member
  • Posts: 12
  • Joined: 22-September 06

Posted 05 October 2006 - 07:38 AM

Here is the Silent Runners log:

"Silent Runners.vbs", revision 48, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]
"MsnMsgr" = ""C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background" [MS]
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Yahoo! Pager" = "C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet" ["Yahoo! Inc."]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"BluetoothAuthenticationAgent" = "rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent" [MS]
"NeroFilterCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"zzGBK" = "G:\setup.exe" [file not found]
"SunJavaUpdateSched" = "C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" ["Sun Microsystems, Inc."]
"ATICCC" = ""C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"" [null data]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"DAEMON Tools-1033" = ""C:\Program Files\D-Tools\daemon.exe" -lang 1033" ["DAEMON'S HOME"]
"RealTray" = "C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER" ["RealNetworks, Inc."]
"NeroCheck" = "C:\WINDOWS\system32\NeroCheck.exe" ["Ahead Software Gmbh"]
"InCD" = "C:\Program Files\Ahead\InCD\InCD.exe" [null data]
"a-squared" = ""C:\Program Files\a-squared Anti-Malware\a2guard.exe"" ["Emsi Software GmbH"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{02478D38-C3F9-4EFB-9B51-7695ECA05670}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! Toolbar Helper"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Yahoo! IE Services Button"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
-> {HKLM...CLSID} = "SSVHelper Class"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
{CC59E0F9-7E43-44FA-9FAA-8377850BF205}\(Default) = (no title provided)
-> {HKLM...CLSID} = "FDMIECookiesBHO Class"
\InProcServer32\(Default) = "C:\Program Files\Free Download Manager\iefdmcks.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
-> {HKLM...CLSID} = "ShellLink for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
-> {HKLM...CLSID} = "Shell Icon Handler for Application References"
\InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
"{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
-> {HKLM...CLSID} = "SimpleShlExt Class"
\InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {HKLM...CLSID} = "Shell Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}" = "Web Folders"
-> {HKLM...CLSID} = "Web Folders"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL" [file not found]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {HKLM...CLSID} = "Microsoft Office Outlook"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{AB77609F-2178-4E6F-9C4B-44AC179D937A}" = "a-squared Context Menu Shell Extension"
-> {HKLM...CLSID} = "a-squared context menu"
\InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL" ["Emsi Software GmbH"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
a2ContMenu\(Default) = "{AB77609F-2178-4E6F-9C4B-44AC179D937A}"
-> {HKLM...CLSID} = "a-squared context menu"
\InProcServer32\(Default) = "C:\PROGRA~1\A-SQUA~1\A2CONT~1.DLL" ["Emsi Software GmbH"]
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {HKLM...CLSID} = "WinRAR"
\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]


Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\web\wallpaper\Bliss.bmp"


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]


Startup items in "Anco" & "All Users" startup folders:
------------------------------------------------------

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"BlackICE Utility" -> shortcut to: "C:\Program Files\ISS\BlackICE\blackice.exe -closed" ["Internet Security Systems, Inc."]
"WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\system32\wshbth.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000004\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 04, 07 - 20
%SystemRoot%\system32\rsvpsp.dll [MS], 05 - 06


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{EF99BD32-C1FB-11D2-892F-0090271D4F88}"
-> {HKLM...CLSID} = "Yahoo! Toolbar"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll" ["Yahoo! Inc."]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{CAFEEFAC-0015-0000-0006-ABCDEFFEDCBC}"
-> {HKCU...CLSID} = "Java Plug-in"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll" ["Sun Microsystems, Inc."]
-> {HKLM...CLSID} = "Java Plug-in 1.5.0_06"
\InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll" ["Sun Microsystems, Inc."]

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
-> {HKLM...CLSID} = "Yahoo! IE Services Button"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" ["Yahoo! Inc."]

{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
BlackICE, BlackICE, ""C:\Program Files\ISS\BlackICE\blackd.exe"" ["Internet Security Systems, Inc."]
BlueSoleil Hid Service, BlueSoleil Hid Service, "C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe" [null data]
Bluetooth Support Service, BthServ, "C:\WINDOWS\system32\svchost.exe -k bthsvcs" {"C:\WINDOWS\System32\bthserv.dll" [MS]}
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]


----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 178 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 9 seconds.
---------- (total run time: 225 seconds)
And a fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:38:08 PM, on 10/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\ANCO~1.ANC\LOCALS~1\Temp\~e5.0001
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Anco.ANCO-DC7801B793\Desktop\New Folder (2)\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.speedandsound.co.za/forum/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [zzGBK] G:\setup.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlackICE Utility.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AF27481-7F79-476B-938A-2E6595B671F4}: NameServer = 196.44.136.162,196.44.128.146
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

#8 Octagonal

  • Group: Member
  • Posts: 2,528
  • Joined: 04-May 05

Posted 05 October 2006 - 08:19 AM

Hi scratchy123,

You will need to print out a copy of these instructions, or save them to NotePad and put a shortcut to the file on the desktop, so that you can refer to them while you complete this procedure.

Ewido has merged with AVG and Ewido Anti-Spyware is now known as AVG Anti-Spyware, so I will refer to it as AVG Anti-Spyware. It is still the same engine and should perform just the same but with a different name.

Be sure to update AVG Anti-Spyware to the latest definition files.
  • Open AVG Anti-Spyware
  • On top of the main screen click the Update icon.
  • Then click on Manual Update button.
The update will start and the progress bar will show the updates being installed.
(When complete, the status area at the top will display "Update successful" or "No Update Available".)

If you are having problems with the updater, you can use this link to manually update AVG Anti-Spyware.

Close AVG Anti-Spyware. We will run the scan shortly.

Once the updates are installed do the following:

Boot into Safe Mode: You can do this by restarting your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Once in Safe Mode, Open AVG Anti-Spyware.

IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process:
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.
Reboot into Normal Mode.

Please do an online scan with Kaspersky WebScanner

Please note: You must use Internet Explorer for this as it uses an ActiveX component.

This scan may take a while to complete, so please be patient and let it finish.

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT

  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer

  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:

  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Let me know how the computer is behaving (slowness, any pop-ups etc.)

Thanks.

#9 scratchy123

  • Group: Member
  • Posts: 12
  • Joined: 22-September 06

Posted 06 October 2006 - 05:06 AM

I have run ewido and Kaspersky. The problem still persists.

Here are the logs

EWIDO:
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:29:29 PM 10/5/2006

+ Scan result:
D:\bit downloads\Bill Gates Toolkit Reloaded!!!\UltimateWindows\RockXP v3\RockXP30.exe/keyms.exe -> Not-A-Virus.PSWTool.Win32.RAS.a : No action taken.
:mozilla.10:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.11:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.12:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.7:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.8:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.9:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
:mozilla.13:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.14:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
:mozilla.301:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Anco.ANCO-DC7801B793\Cookies\anco@adbrite[2].txt -> TrackingCookie.Adbrite : No action taken.
C:\Documents and Settings\Anco.ANCO-DC7801B793\Cookies\anco@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : No action taken.
:mozilla.17:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.18:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.337:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.338:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
:mozilla.339:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Adrevolver : No action taken.
C:\Documents and Settings\Anco.ANCO-DC7801B793\Cookies\anco@z1.adserver[2].txt -> TrackingCookie.Adserver : No action taken.
:mozilla.21:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Adtech : No action taken.
:mozilla.22:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Adtech : No action taken.
C:\Documents and Settings\Anco.ANCO-DC7801B793\Cookies\anco@adtech[2].txt -> TrackingCookie.Adtech : No action taken.
:mozilla.356:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\Anco.ANCO-DC7801B793\Cookies\anco@burstnet[2].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\Anco.ANCO-DC7801B793\Cookies\anco@www.burstnet[1].txt -> TrackingCookie.Burstnet : No action taken.
C:\Documents and Settings\Anco.ANCO-DC7801B793\Cookies\anco@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : No action taken.
:mozilla.70:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Com : No action taken.
C:\Documents and Settings\Anco.ANCO-DC7801B793\Cookies\anco@com[1].txt -> TrackingCookie.Com : No action taken.
:mozilla.317:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Enhance : No action taken.
:mozilla.83:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.84:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Esomniture : No action taken.
:mozilla.342:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Onestat : No action taken.
:mozilla.343:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Onestat : No action taken.
:mozilla.344:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Onestat : No action taken.
:mozilla.185:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Overture : No action taken.
C:\Documents and Settings\Anco.ANCO-DC7801B793\Cookies\anco@ads.pointroll[2].txt -> TrackingCookie.Pointroll : No action taken.
:mozilla.193:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.194:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Questionmarket : No action taken.
C:\Documents and Settings\Anco.ANCO-DC7801B793\Cookies\anco@questionmarket[1].txt -> TrackingCookie.Questionmarket : No action taken.
:mozilla.219:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Revenue : No action taken.
C:\Documents and Settings\Anco.ANCO-DC7801B793\Cookies\anco@ads1.revenue[1].txt -> TrackingCookie.Revenue : No action taken.
C:\Documents and Settings\Anco.ANCO-DC7801B793\Cookies\anco@revenue[2].txt -> TrackingCookie.Revenue : No action taken.
C:\Documents and Settings\Anco.ANCO-DC7801B793\Cookies\anco@serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
:mozilla.76:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.77:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Sexcounter : No action taken.
:mozilla.248:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.249:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Statcounter : No action taken.
:mozilla.250:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.251:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.252:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\Anco.ANCO-DC7801B793\Cookies\anco@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
:mozilla.261:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.262:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.263:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.264:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.265:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.266:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.267:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.268:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Trafficmp : No action taken.
:mozilla.269:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
:mozilla.302:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.303:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.304:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.305:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.306:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Anco.ANCO-DC7801B793\Cookies\anco@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
:mozilla.296:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.297:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.298:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.299:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Zedo : No action taken.
:mozilla.300:C:\Documents and Settings\Anco.ANCO-DC7801B793\Application Data\Mozilla\Firefox\Profiles\h1tmm7tn.default\cookies.txt -> TrackingCookie.Zedo : No action taken.


::Report end
and KASPERSKY:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, October 06, 2006 12:46:56 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 6/10/2006
Kaspersky Anti-Virus database records: 229310
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 178744
Number of viruses found: 46
Number of infected objects: 162 / 0
Number of suspicious objects: 0
Duration of the scan process: 03:06:52

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\Anco\Local Settings\Temp\hsperfdata_Anco\4624 Object is locked skipped
C:\Documents and Settings\Anco\Local Settings\Temporary Internet Files\Content.IE5\C5CTYZG5\444444[1].htm Infected: Exploit.HTML.Mht skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Desktop\Downloads\CEDP-Stealer-Setup.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Desktop\Downloads\CEDP-Stealer-Setup.exe/stream/data0014 Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Desktop\Downloads\CEDP-Stealer-Setup.exe/stream Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Desktop\Downloads\CEDP-Stealer-Setup.exe NSIS: infected - 3 skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Local Settings\Application Data\Identities\{0EA9CF34-8980-4712-A394-3F683163C85B}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Local Settings\Application Data\Identities\{0EA9CF34-8980-4712-A394-3F683163C85B}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Local Settings\Application Data\Identities\{0EA9CF34-8980-4712-A394-3F683163C85B}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Local Settings\Application Data\Identities\{0EA9CF34-8980-4712-A394-3F683163C85B}\Microsoft\Outlook Express\Outbox.dbx Object is locked skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Local Settings\Application Data\Identities\{0EA9CF34-8980-4712-A394-3F683163C85B}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Local Settings\Application Data\Identities\{0EA9CF34-8980-4712-A394-3F683163C85B}\Microsoft\Outlook Express\Sent Items.dbx Object is locked skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Local Settings\History\History.IE5\MSHist012006100620061007\index.dat Object is locked skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Local Settings\Temp\Free Download Manager\tic33.tmp Object is locked skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Local Settings\Temp\hsperfdata_Anco\2260 Object is locked skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Local Settings\Temp\Perflib_Perfdata_31c.dat Object is locked skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Program Files\BitComet\Downloads\(app) windows xp KeyGens & Cracks & Appz\Key Finder 1.5 Beta 3.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Program Files\BitComet\Downloads\(app) windows xp KeyGens & Cracks & Appz\Key Finder 1.5 Beta 3.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Program Files\BitComet\Downloads\(app) windows xp KeyGens & Cracks & Appz\Key Finder 1.5 Beta 3.exe RarSFX: infected - 2 skipped
C:\Program Files\BitComet\Downloads\(app) windows xp KeyGens & Cracks & Appz\Rock XP 2.0.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Program Files\BitComet\Downloads\(app) windows xp KeyGens & Cracks & Appz\Rock XP 2.0.exe/data.rar/RAS.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Program Files\BitComet\Downloads\(app) windows xp KeyGens & Cracks & Appz\Rock XP 2.0.exe/data.rar/RockXp_.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Program Files\BitComet\Downloads\(app) windows xp KeyGens & Cracks & Appz\Rock XP 2.0.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Program Files\BitComet\Downloads\(app) windows xp KeyGens & Cracks & Appz\Rock XP 2.0.exe RarSFX: infected - 4 skipped
C:\Program Files\ESET\infected\0ULJETBA.NQF Infected: Trojan-Dropper.Win32.ExeBundle.2x.a skipped
C:\Program Files\ESET\infected\TAD3XUBA.NQF Infected: VirTool.Win32.Patcher.a skipped
C:\Program Files\ISS\BlackICE\blackice-service.log Object is locked skipped
C:\Program Files\ISS\BlackICE\rapapp.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7B0BBF17-57C8-4DD1-9508-DAC273FC5519}\RP63\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{73DCF101-355E-4ABD-985B-46A26EB61693}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\bit downloads\Bill Gates Toolkit Reloaded!!!\UltimateWindows\JellyBean KeyFinder\keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\bit downloads\Bill Gates Toolkit Reloaded!!!\UltimateWindows\JellyBean KeyFinder\keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\bit downloads\Bill Gates Toolkit Reloaded!!!\UltimateWindows\JellyBean KeyFinder\keyfinder.exe RarSFX: infected - 2 skipped
D:\hiberfil.sys Object is locked skipped
D:\Incomplete\T-4997288-She sucks them both off before they cream all over her perfect lilly white tits! (oral sex).mpg Object is locked skipped
D:\RECYCLER\S-1-5-21-343818398-57989841-725345543-1003\Dk1\VirtuallyJenna-2.017.002-cracked.exe/VirtuallyJenna-2.017.002-cracked-installer.msi/_6A5BC9DCF6308413044425600E433DB7/_A072FB71F98447849289D58C552E0E01 Infected: Trojan-PSW.Win32.QQPass.ly skipped
D:\RECYCLER\S-1-5-21-343818398-57989841-725345543-1003\Dk1\VirtuallyJenna-2.017.002-cracked.exe/VirtuallyJenna-2.017.002-cracked-installer.msi/_6A5BC9DCF6308413044425600E433DB7 Infected: Trojan-PSW.Win32.QQPass.ly skipped
D:\RECYCLER\S-1-5-21-343818398-57989841-725345543-1003\Dk1\VirtuallyJenna-2.017.002-cracked.exe/VirtuallyJenna-2.017.002-cracked-installer.msi Infected: Trojan-PSW.Win32.QQPass.ly skipped
D:\RECYCLER\S-1-5-21-343818398-57989841-725345543-1003\Dk1\VirtuallyJenna-2.017.002-cracked.exe RAR: infected - 3 skipped
D:\RECYCLER\S-1-5-21-343818398-57989841-725345543-1003\Dk1\VirtuallyJenna-2.017.002-cracked.exe PE_Patch: infected - 3 skipped
D:\Software\CYBERsitter 9.4.10.22\setup2k.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.Dwork.a skipped
D:\Software\CYBERsitter 9.4.10.22\setup2k.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.Dwork.a skipped
D:\Software\CYBERsitter 9.4.10.22\setup2k.exe WiseSFX: infected - 2 skipped
D:\Software\CYBERsitter 9.4.10.22\setup2k.exe WiseSFX Dropper: infected - 2 skipped
D:\Software\mIRC 6.1.4\mirc614.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.614 skipped
D:\Software\mIRC 6.1.4\mirc614.exe mIRC: infected - 1 skipped
D:\Software\Nero 6.6.0.1\nero6601.iso/cr-n6601.exe;1 Infected: Trojan-Dropper.Win32.Delf.fd skipped
D:\Software\Nero 6.6.0.1\nero6601.iso ISO image: infected - 1 skipped
D:\Software\Programs DVD 2004 - October\A\Acidmax 2.0.2\acidmax202801.exe/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
D:\Software\Programs DVD 2004 - October\A\Acidmax 2.0.2\acidmax202801.exe ZIP: infected - 1 skipped
D:\Software\Programs DVD 2004 - October\A\Advanced RAR Password Recovery 1.11\Setup.exe/WISE0039.BIN Infected: not-a-virus:PSWTool.Win32.OEPass.b skipped
D:\Software\Programs DVD 2004 - October\A\Advanced RAR Password Recovery 1.11\Setup.exe WiseSFX: infected - 1 skipped
D:\Software\Programs DVD 2004 - October\A\Ares 1.81\Ares.exe/data0009/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
D:\Software\Programs DVD 2004 - October\A\Ares 1.81\Ares.exe/data0009/v2.0.2.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
D:\Software\Programs DVD 2004 - October\A\Ares 1.81\Ares.exe/data0009/v2.0.2.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
D:\Software\Programs DVD 2004 - October\A\Ares 1.81\Ares.exe/data0009/v2.0.2.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
D:\Software\Programs DVD 2004 - October\A\Ares 1.81\Ares.exe/data0009/v2.0.2.cab Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
D:\Software\Programs DVD 2004 - October\A\Ares 1.81\Ares.exe/data0009 Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
D:\Software\Programs DVD 2004 - October\A\Ares 1.81\Ares.exe NSIS: infected - 6 skipped
D:\Software\Programs DVD 2004 - October\B\BearShare 4.1\BearShare v4.1.exe/WISE0038.BIN/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.e skipped
D:\Software\Programs DVD 2004 - October\B\BearShare 4.1\BearShare v4.1.exe/WISE0038.BIN/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
D:\Software\Programs DVD 2004 - October\B\BearShare 4.1\BearShare v4.1.exe/WISE0038.BIN/data0001.cab/Weather/Weather.exe Infected: not-a-virus:AdWare.Win32.SaveNow skipped
D:\Software\Programs DVD 2004 - October\B\BearShare 4.1\BearShare v4.1.exe/WISE0038.BIN/data0001.cab/Weather/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
D:\Software\Programs DVD 2004 - October\B\BearShare 4.1\BearShare v4.1.exe/WISE0038.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
D:\Software\Programs DVD 2004 - October\B\BearShare 4.1\BearShare v4.1.exe/WISE0038.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
D:\Software\Programs DVD 2004 - October\B\BearShare 4.1\BearShare v4.1.exe WiseSFX: infected - 6 skipped
D:\Software\Programs DVD 2004 - October\B\BearShare 4.1\BearShare v4.1.exe WiseSFX Dropper: infected - 6 skipped
D:\Software\Programs DVD 2004 - October\B\BeFaster 3.31\BeFaster v3.31.exe/navhelper.exe/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
D:\Software\Programs DVD 2004 - October\B\BeFaster 3.31\BeFaster v3.31.exe/navhelper.exe/v2.0.2.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
D:\Software\Programs DVD 2004 - October\B\BeFaster 3.31\BeFaster v3.31.exe/navhelper.exe/v2.0.2.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
D:\Software\Programs DVD 2004 - October\B\BeFaster 3.31\BeFaster v3.31.exe/navhelper.exe/v2.0.2.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel skipped
D:\Software\Programs DVD 2004 - October\B\BeFaster 3.31\BeFaster v3.31.exe/navhelper.exe/v2.0.2.cab Infected: not-a-virus:AdWare.Win32.NavExcel skipped
D:\Software\Programs DVD 2004 - October\B\BeFaster 3.31\BeFaster v3.31.exe/navhelper.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
D:\Software\Programs DVD 2004 - October\B\BeFaster 3.31\BeFaster v3.31.exe CreateInstall: infected - 6 skipped
D:\Software\Programs DVD 2004 - October\C\Chat Blocker 1.6\chatblocker-setup-sw.exe/easys32.dll Infected: not-a-virus:Monitor.Win32.KeyLoggerPro.13 skipped
D:\Software\Programs DVD 2004 - October\C\Chat Blocker 1.6\chatblocker-setup-sw.exe ViseMan: infected - 1 skipped
D:\Software\Programs DVD 2004 - October\C\Chat Blocker 1.6\chatblocker-setup-sw.exe ViseMan: infected - 1 skipped
D:\Software\Programs DVD 2004 - October\C\Codecs Audio+Video\Global DiVX 1.85\GDIVX185.ZIP/GDivX_1.8.5.exe/data0006 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
D:\Software\Programs DVD 2004 - October\C\Codecs Audio+Video\Global DiVX 1.85\GDIVX185.ZIP/GDivX_1.8.5.exe/data0007/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bf skipped
D:\Software\Programs DVD 2004 - October\C\Codecs Audio+Video\Global DiVX 1.85\GDIVX185.ZIP/GDivX_1.8.5.exe/data0007/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
D:\Software\Programs DVD 2004 - October\C\Codecs Audio+Video\Global DiVX 1.85\GDIVX185.ZIP/GDivX_1.8.5.exe/data0007 Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
D:\Software\Programs DVD 2004 - October\C\Codecs Audio+Video\Global DiVX 1.85\GDIVX185.ZIP/GDivX_1.8.5.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
D:\Software\Programs DVD 2004 - October\C\Codecs Audio+Video\Global DiVX 1.85\GDIVX185.ZIP ZIP: infected - 5 skipped
D:\Software\Programs DVD 2004 - October\D\DivX 5.11 + Other Codecs\GDIVX185.ZIP/GDivX_1.8.5.exe/data0006 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
D:\Software\Programs DVD 2004 - October\D\DivX 5.11 + Other Codecs\GDIVX185.ZIP/GDivX_1.8.5.exe/data0007/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bf skipped
D:\Software\Programs DVD 2004 - October\D\DivX 5.11 + Other Codecs\GDIVX185.ZIP/GDivX_1.8.5.exe/data0007/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
D:\Software\Programs DVD 2004 - October\D\DivX 5.11 + Other Codecs\GDIVX185.ZIP/GDivX_1.8.5.exe/data0007 Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
D:\Software\Programs DVD 2004 - October\D\DivX 5.11 + Other Codecs\GDIVX185.ZIP/GDivX_1.8.5.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
D:\Software\Programs DVD 2004 - October\D\DivX 5.11 + Other Codecs\GDIVX185.ZIP ZIP: infected - 5 skipped
D:\Software\Programs DVD 2004 - October\F\FreeRip 2.51\freeripmp3.exe/data0010 Infected: not-a-virus:AdWare.Win32.MyWay.j skipped
D:\Software\Programs DVD 2004 - October\F\FreeRip 2.51\freeripmp3.exe Inno: infected - 1 skipped
D:\Software\Programs DVD 2004 - October\G\Go!Zilla\gozilla.exe/data0033 Infected: not-a-virus:AdWare.Win32.EZula.bh skipped
D:\Software\Programs DVD 2004 - October\G\Go!Zilla\gozilla.exe Inno: infected - 1 skipped
D:\Software\Programs DVD 2004 - October\M\mIRC 6.16\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
D:\Software\Programs DVD 2004 - October\M\mIRC 6.16\mirc616.exe mIRC: infected - 1 skipped
D:\Software\Programs DVD 2004 - October\M\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
D:\Software\Programs DVD 2004 - October\M\mirc616.exe mIRC: infected - 1 skipped
D:\Software\Programs DVD 2004 - October\M\Morpheus 2.0\Morpheus v2.0.exe/WISE0015.BIN Infected: not-a-virus:AdWare.Win32.Gator.3210 skipped
D:\Software\Programs DVD 2004 - October\M\Morpheus 2.0\Morpheus v2.0.exe/WISE0016.BIN/WISE0007.BIN Infected: Trojan-Downloader.Win32.Stubby.b skipped
D:\Software\Programs DVD 2004 - October\M\Morpheus 2.0\Morpheus v2.0.exe/WISE0016.BIN Infected: Trojan-Downloader.Win32.Stubby.b skipped
D:\Software\Programs DVD 2004 - October\M\Morpheus 2.0\Morpheus v2.0.exe/WISE0017.BIN/WISE0012.BIN Infected: not-a-virus:AdWare.Win32.WurldMedia.d skipped
D:\Software\Programs DVD 2004 - October\M\Morpheus 2.0\Morpheus v2.0.exe/WISE0017.BIN/WISE0014.BIN Infected: not-a-virus:AdWare.Win32.WurldMedia.a skipped
D:\Software\Programs DVD 2004 - October\M\Morpheus 2.0\Morpheus v2.0.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.WurldMedia.a skipped
D:\Software\Programs DVD 2004 - October\M\Morpheus 2.0\Morpheus v2.0.exe WiseSFX: infected - 6 skipped
D:\Software\Programs DVD 2004 - October\M\MusIRC 4.3\MusIRCSetup.exe/MusIRC.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.591 skipped
D:\Software\Programs DVD 2004 - October\M\MusIRC 4.3\MusIRCSetup.exe ViseMan: infected - 1 skipped
D:\Software\Programs DVD 2004 - October\M\MusIRC 4.3\MusIRCSetup.exe ViseMan: infected - 1 skipped
D:\Software\Programs DVD 2004 - October\N\NeoAudio 2.0\setupneoaudio.exe/data0002 Infected: not-a-virus:AdWare.Win32.IPInsight.a skipped
D:\Software\Programs DVD 2004 - October\N\NeoAudio 2.0\setupneoaudio.exe/data0003 Infected: not-a-virus:AdWare.Win32.IGetNet skipped
D:\Software\Programs DVD 2004 - October\N\NeoAudio 2.0\setupneoaudio.exe/data0035 Infected: not-a-virus:AdWare.Win32.SaveNow.bx skipped
D:\Software\Programs DVD 2004 - October\N\NeoAudio 2.0\setupneoaudio.exe/data0036 Infected: not-a-virus:AdWare.Win32.EZula.d skipped
D:\Software\Programs DVD 2004 - October\N\NeoAudio 2.0\setupneoaudio.exe/data0037/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.v skipped
D:\Software\Programs DVD 2004 - October\N\NeoAudio 2.0\setupneoaudio.exe/data0037/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
D:\Software\Programs DVD 2004 - October\N\NeoAudio 2.0\setupneoaudio.exe/data0037 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
D:\Software\Programs DVD 2004 - October\N\NeoAudio 2.0\setupneoaudio.exe NSIS: infected - 7 skipped
D:\Software\Programs DVD 2004 - October\N\NeoNapster\NeoNapster.exe/data0006/UCMIE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore.a skipped
D:\Software\Programs DVD 2004 - October\N\NeoNapster\NeoNapster.exe/data0006/IUCMORE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore skipped
D:\Software\Programs DVD 2004 - October\N\NeoNapster\NeoNapster.exe/data0006 Infected: not-a-virus:AdWare.Win32.Ucmore skipped
D:\Software\Programs DVD 2004 - October\N\NeoNapster\NeoNapster.exe/data0007/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.v skipped
D:\Software\Programs DVD 2004 - October\N\NeoNapster\NeoNapster.exe/data0007/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
D:\Software\Programs DVD 2004 - October\N\NeoNapster\NeoNapster.exe/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
D:\Software\Programs DVD 2004 - October\N\NeoNapster\NeoNapster.exe/data0008 Infected: not-a-virus:AdWare.Win32.180Solutions.m skipped
D:\Software\Programs DVD 2004 - October\N\NeoNapster\NeoNapster.exe/data0009 Infected: not-a-virus:AdWare.Win32.EZula.d skipped
D:\Software\Programs DVD 2004 - October\N\NeoNapster\NeoNapster.exe/data0010/data0121 Infected: not-a-virus:AdWare.Win32.TopMoxie.a skipped
D:\Software\Programs DVD 2004 - October\N\NeoNapster\NeoNapster.exe/data0010 Infected: not-a-virus:AdWare.Win32.TopMoxie.a skipped
D:\Software\Programs DVD 2004 - October\N\NeoNapster\NeoNapster.exe/data0011 Infected: not-a-virus:AdWare.Win32.IGetNet skipped
D:\Software\Programs DVD 2004 - October\N\NeoNapster\NeoNapster.exe/data0012 Infected: not-a-virus:AdWare.Win32.IPInsight.a skipped
D:\Software\Programs DVD 2004 - October\N\NeoNapster\NeoNapster.exe/data0014/WISE0009.BIN Infected: not-a-virus:AdWare.Win32.Exact.a skipped
D:\Software\Programs DVD 2004 - October\N\NeoNapster\NeoNapster.exe/data0014/WISE0011.BIN Infected: not-a-virus:AdWare.Win32.Exact.a skipped
D:\Software\Programs DVD 2004 - October\N\NeoNapster\NeoNapster.exe/data0014 Infected: not-a-virus:AdWare.Win32.Exact.a skipped
D:\Software\Programs DVD 2004 - October\N\NeoNapster\NeoNapster.exe/data0015 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
D:\Software\Programs DVD 2004 - October\N\NeoNapster\NeoNapster.exe/data0016 Infected: Trojan-Downloader.Win32.Agent.i skipped
D:\Software\Programs DVD 2004 - October\N\NeoNapster\NeoNapster.exe Inno: infected - 17 skipped
D:\Software\Programs DVD 2004 - October\N\NetVizor\netvizor.zip/NVClientInstallTrial.exe/SystemSA32N.dll Infected: not-a-virus:Monitor.Win32.SpyAgent.c skipped
D:\Software\Programs DVD 2004 - October\N\NetVizor\netvizor.zip/NVClientInstallTrial.exe/NTInvisible.dll Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 skipped
D:\Software\Programs DVD 2004 - October\N\NetVizor\netvizor.zip/NVClientInstallTrial.exe Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 skipped
D:\Software\Programs DVD 2004 - October\N\NetVizor\netvizor.zip ZIP: infected - 3 skipped
D:\Software\Programs DVD 2004 - October\N\NexGen Acidmax 2.0+\acidmax202801.exe/mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603 skipped
D:\Software\Programs DVD 2004 - October\N\NexGen Acidmax 2.0+\acidmax202801.exe ZIP: infected - 1 skipped
D:\Software\Programs DVD 2004 - October\R\RaidenFTPD 2.4.19\Setup.exe/data0024 Infected: not-a-virus:Server-FTP.Win32.Raiden skipped
D:\Software\Programs DVD 2004 - October\R\RaidenFTPD 2.4.19\Setup.exe/data0025 Infected: not-a-virus:Server-FTP.Win32.Raiden skipped
D:\Software\Programs DVD 2004 - October\R\RaidenFTPD 2.4.19\Setup.exe NSIS: infected - 2 skipped
D:\Software\Programs DVD 2004 - October\S\Serials 2004 - October 2.40\serialsoct.exe/data0021 Infected: VirTool.Win32.Patcher.a skipped
D:\Software\Programs DVD 2004 - October\S\Serials 2004 - October 2.40\serialsoct.exe/data0036 Infected: Trojan-Dropper.Win32.ExeBundle.2x.a skipped
D:\Software\Programs DVD 2004 - October\S\Serials 2004 - October 2.40\serialsoct.exe Astrum: infected - 2 skipped
D:\Software\Programs DVD 2004 - October\S\Serials 2004 - October 2.44\serialsoctunofficial_081004.exe/data0021 Infected: VirTool.Win32.Patcher.a skipped
D:\Software\Programs DVD 2004 - October\S\Serials 2004 - October 2.44\serialsoctunofficial_081004.exe/data0036 Infected: Trojan-Dropper.Win32.ExeBundle.2x.a skipped
D:\Software\Programs DVD 2004 - October\S\Serials 2004 - October 2.44\serialsoctunofficial_081004.exe Astrum: infected - 2 skipped
D:\Software\Programs DVD 2004 - October\S\Serials 2004 - September 2.36.15\serialssep.exe/data0021 Infected: VirTool.Win32.Patcher.a skipped
D:\Software\Programs DVD 2004 - October\S\Serials 2004 - September 2.36.15\serialssep.exe/data0035 Infected: Trojan-Dropper.Win32.ExeBundle.2x.a skipped
D:\Software\Programs DVD 2004 - October\S\Serials 2004 - September 2.36.15\serialssep.exe Astrum: infected - 2 skipped
D:\Software\Programs DVD 2004 - October\S\SpyAnywhere\spyanywhere.zip/Setup.exe/NTInvisible.dll Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 skipped
D:\Software\Programs DVD 2004 - October\S\SpyAnywhere\spyanywhere.zip/Setup.exe Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 skipped
D:\Software\Programs DVD 2004 - October\S\SpyAnywhere\spyanywhere.zip ZIP: infected - 2 skipped
D:\Software\Programs DVD 2004 - October\S\SpyLock\spylock.zip/Setup.exe/NTInvisible.dll Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 skipped
D:\Software\Programs DVD 2004 - October\S\SpyLock\spylock.zip/Setup.exe Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 skipped
D:\Software\Programs DVD 2004 - October\S\SpyLock\spylock.zip ZIP: infected - 2 skipped
D:\Software\Programs DVD 2004 - October\V\VNC 3.3.6\vnc-3.3.6-x86_win32.zip/vnc-3.3.6-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
D:\Software\Programs DVD 2004 - October\V\VNC 3.3.6\vnc-3.3.6-x86_win32.zip/vnc-3.3.6-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
D:\Software\Programs DVD 2004 - October\V\VNC 3.3.6\vnc-3.3.6-x86_win32.zip ZIP: infected - 2 skipped
D:\Software\Programs DVD 2004 - October\W\Wasp IRC\Wasp IRC.exe/waspIRC/MIRC32.EXE Infected: not-a-virus:Client-IRC.Win32.mIRC.591 skipped
D:\Software\Programs DVD 2004 - October\W\Wasp IRC\Wasp IRC.exe ZIP: infected - 1 skipped
D:\Software\Programs DVD 2004 - October\W\WeatherCast 1.1.1\wcstc111.exe/WISE0008.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.bx skipped
D:\Software\Programs DVD 2004 - October\W\WeatherCast 1.1.1\wcstc111.exe WiseSFX: infected - 1 skipped
D:\Software\Programs DVD 2004 - October\W\WeatherCast 1.1.1\wcstc111.exe WiseSFX Dropper: infected - 1 skipped
D:\Software\Programs DVD 2004 - October\W\Windows XP CD-Key Changer\keyfinder.rar/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Software\Programs DVD 2004 - October\W\Windows XP CD-Key Changer\keyfinder.rar/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Software\Programs DVD 2004 - October\W\Windows XP CD-Key Changer\keyfinder.rar/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Software\Programs DVD 2004 - October\W\Windows XP CD-Key Changer\keyfinder.rar RAR: infected - 3 skipped
D:\Software\Serials 2004 - November 4.12 Unofficial\serials04\Installer\serials2004unofficial412.exe/data0018/data0054 Infected: VirTool.Win32.Patcher.a skipped
D:\Software\Serials 2004 - November 4.12 Unofficial\serials04\Installer\serials2004unofficial412.exe/data0018/data0355 Infected: Trojan-Dropper.Win32.ExeBundle.2x.a skipped
D:\Software\Serials 2004 - November 4.12 Unofficial\serials04\Installer\serials2004unofficial412.exe/data0018 Infected: Trojan-Dropper.Win32.ExeBundle.2x.a skipped
D:\Software\Serials 2004 - November 4.12 Unofficial\serials04\Installer\serials2004unofficial412.exe Astrum: infected - 3 skipped
D:\Software\Serials 2004 - November 4.12 Unofficial\serials04.iso/Installer/serials2004unofficial412.exe;1/data0018/data0054 Infected: VirTool.Win32.Patcher.a skipped
D:\Software\Serials 2004 - November 4.12 Unofficial\serials04.iso/Installer/serials2004unofficial412.exe;1/data0018/data0355 Infected: Trojan-Dropper.Win32.ExeBundle.2x.a skipped
D:\Software\Serials 2004 - November 4.12 Unofficial\serials04.iso/Installer/serials2004unofficial412.exe;1/data0018 Infected: Trojan-Dropper.Win32.ExeBundle.2x.a skipped
D:\Software\Serials 2004 - November 4.12 Unofficial\serials04.iso/Installer/serials2004unofficial412.exe;1 Infected: Trojan-Dropper.Win32.ExeBundle.2x.a skipped
D:\Software\Serials 2004 - November 4.12 Unofficial\serials04.iso ISO image: infected - 4 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\Users\Anco\AppData\Local\Temp\Low\~DF2977.tmp Object is locked skipped
D:\Users\Anco\AppData\Local\Temp\Low\~DF297D.tmp Object is locked skipped
D:\Windows\CSC\v2.0.6\pq Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{D8F9921C-EC55-4E84-AC9C-3610BA3AA3F0}\RP39\A0006320.exe Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped

Scan process completed.

#10 Octagonal

  • Group: Member
  • Posts: 2,528
  • Joined: 04-May 05

Posted 07 October 2006 - 06:07 PM

Hi scratchy123,

Nearly all of the things that Ewido found are cookies and will be easily removed.

However, there is another issue here that we need to address.

Here at Geeks to Go we have a policy of not offering assistance to those with 'cracked' software. It is quite evident from the Kaspersky log that you have a considerable amount of this type of material residing on your computer. It would appear that downloading this type of material is the most likely cause of the infections and problems you are experiencing with your system. Using 'cracked' software is not only inviting a host of different types of virus and malware but is also illegal.

Seeing that I have helped you this far, I shall continue to help clean your system of the unwanted infections. I would recommend that you follow these instructions as you must take some steps to help yourself otherwise next time you require assistance you may not get any help.

I would strongly suggest that you remove the Peer to Peer programs that you have on your computer as the practice of downloading 'cracked' software is subjecting your computer to the likelihood of future infections.

Please go to Start then Control Panel then Add/Remove Programs and remove the following:

BitComet
LimeWire
SoulSeek Client

also remove any other Peer to Peer programs that you may have on your computer.

Be sure that you can view hidden files and folders.
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders:

D:\bit downloads\Bill Gates Toolkit Reloaded!!!\UltimateWindows\RockXP v3
C:\Program Files\BitComet\Downloads\(app) windows xp KeyGens & Cracks & Appz
D:\bit downloads\Bill Gates Toolkit Reloaded!!!\UltimateWindows\JellyBean KeyFinder
D:\Incomplete
D:\Software\CYBERsitter 9.4.10.22
D:\Software\mIRC 6.1.4
D:\Software\Nero 6.6.0.1
D:\Software\Programs DVD 2004 - October\A\Acidmax 2.0.2
D:\Software\Programs DVD 2004 - October\A\Advanced RAR Password Recovery 1.11
D:\Software\Programs DVD 2004 - October\A\Ares 1.81
D:\Software\Programs DVD 2004 - October\B\BearShare 4.1
D:\Software\Programs DVD 2004 - October\B\BeFaster 3.31
D:\Software\Programs DVD 2004 - October\C\Chat Blocker 1.6
D:\Software\Programs DVD 2004 - October\C\Codecs Audio+Video\Global DiVX 1.85
D:\Software\Programs DVD 2004 - October\D\DivX 5.11 + Other Codecs
D:\Software\Programs DVD 2004 - October\F\FreeRip 2.51
D:\Software\Programs DVD 2004 - October\G\Go!Zilla
D:\Software\Programs DVD 2004 - October\M\mIRC 6.16
D:\Software\Programs DVD 2004 - October\M\Morpheus 2.0
D:\Software\Programs DVD 2004 - October\M\MusIRC 4.3
D:\Software\Programs DVD 2004 - October\N\NeoAudio 2.0
D:\Software\Programs DVD 2004 - October\N\NeoNapster
D:\Software\Programs DVD 2004 - October\N\NetVizor
D:\Software\Programs DVD 2004 - October\N\NexGen Acidmax 2.0+
D:\Software\Programs DVD 2004 - October\R\RaidenFTPD 2.4.19
D:\Software\Programs DVD 2004 - October\S\Serials 2004 - October 2.40
D:\Software\Programs DVD 2004 - October\S\SpyAnywhere
D:\Software\Programs DVD 2004 - October\V\VNC 3.3.6
D:\Software\Programs DVD 2004 - October\W\Wasp IRC
D:\Software\Programs DVD 2004 - October\W\WeatherCast 1.1.1
D:\Software\Programs DVD 2004 - October\W\Windows XP CD-Key Changer
D:\Software\Serials 2004 - November 4.12 Unofficial\serials04\Installer
D:\Software\Serials 2004 - November 4.12 Unofficial\serials04.iso/Installer

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select: Delete on Reboot then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\Anco.ANCO-DC7801B793\Desktop\Downloads\CEDP-Stealer-Setup.exe
    C:\Program Files\ESET\infected\0ULJETBA.NQF
    C:\Program Files\ESET\infected\TAD3XUBA.NQF
    D:\Software\Programs DVD 2004 - October\M\mirc616.exe
    D:\Software\Serials 2004 - November 4.12 Unofficial\serials04.iso

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

Reboot the computer.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

I would like you to perform another Kaspersky online scan to ensure that no more bad entries are present.

Please do an online scan with Kaspersky WebScanner

Please note: You must use Internet Explorer for this as it uses an ActiveX component.

This scan may take a while to complete, so please be patient and let it finish.

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT

  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  • Click OK
  • Now under select a target to scan:
      Select My Computer

  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:

  • Save the file to your desktop.
  • Copy and paste that information in your next post along with a fresh HijackThis log and an Uninstall List. Also let me know how your system is behaving.
We have not finished; there is more to do, so please post the requested logs.

Thanks.

#11 scratchy123

  • Group: Member
  • Posts: 12
  • Joined: 22-September 06

Posted 08 October 2006 - 07:22 AM

I bought this computer from a colleague and was not aware of all the illegal software; I have removed them with haste.

I have done all of the above, but the problem still persists.

Here is the kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, October 08, 2006 3:04:51 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 8/10/2006
Kaspersky Anti-Virus database records: 229891
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 167077
Number of viruses found: 9
Number of infected objects: 35 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:39:40

Infected Object Name / Virus Name / Last Action
C:\!KillBox\CEDP-Stealer-Setup.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\!KillBox\CEDP-Stealer-Setup.exe/stream/data0014 Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
C:\!KillBox\CEDP-Stealer-Setup.exe/stream Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
C:\!KillBox\CEDP-Stealer-Setup.exe NSIS: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\Anco\Local Settings\Temp\hsperfdata_Anco\4624 Object is locked skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Local Settings\History\History.IE5\MSHist012006100820061009\index.dat Object is locked skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Local Settings\Temp\Free Download Manager\tic27.tmp Object is locked skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Local Settings\Temp\Perflib_Perfdata_358.dat Object is locked skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Anco.ANCO-DC7801B793\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ESET\infected\0ULJETBA.NQF Infected: Trojan-Dropper.Win32.ExeBundle.2x.a skipped
C:\Program Files\ESET\infected\TAD3XUBA.NQF Infected: VirTool.Win32.Patcher.a skipped
C:\Program Files\ISS\BlackICE\blackice-service.log Object is locked skipped
C:\Program Files\ISS\BlackICE\rapapp.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7B0BBF17-57C8-4DD1-9508-DAC273FC5519}\RP68\A0014683.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{7B0BBF17-57C8-4DD1-9508-DAC273FC5519}\RP68\A0014683.exe/stream/data0014 Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
C:\System Volume Information\_restore{7B0BBF17-57C8-4DD1-9508-DAC273FC5519}\RP68\A0014683.exe/stream Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
C:\System Volume Information\_restore{7B0BBF17-57C8-4DD1-9508-DAC273FC5519}\RP68\A0014683.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{7B0BBF17-57C8-4DD1-9508-DAC273FC5519}\RP68\A0014706.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\System Volume Information\_restore{7B0BBF17-57C8-4DD1-9508-DAC273FC5519}\RP68\A0014706.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\System Volume Information\_restore{7B0BBF17-57C8-4DD1-9508-DAC273FC5519}\RP68\A0014706.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{7B0BBF17-57C8-4DD1-9508-DAC273FC5519}\RP68\A0014709.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\System Volume Information\_restore{7B0BBF17-57C8-4DD1-9508-DAC273FC5519}\RP68\A0014709.exe/data.rar/RAS.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\System Volume Information\_restore{7B0BBF17-57C8-4DD1-9508-DAC273FC5519}\RP68\A0014709.exe/data.rar/RockXp_.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\System Volume Information\_restore{7B0BBF17-57C8-4DD1-9508-DAC273FC5519}\RP68\A0014709.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\System Volume Information\_restore{7B0BBF17-57C8-4DD1-9508-DAC273FC5519}\RP68\A0014709.exe RarSFX: infected - 4 skipped
C:\System Volume Information\_restore{7B0BBF17-57C8-4DD1-9508-DAC273FC5519}\RP68\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{1E19FE8B-13D4-44D2-871B-D5ED1C7A6647}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\spool\PRINTERS\FP00000.SHD Object is locked skipped
C:\WINDOWS\system32\spool\PRINTERS\FP00000.SPL Object is locked skipped
C:\WINDOWS\system32\spool\PRINTERS\FP00001.SHD Object is locked skipped
C:\WINDOWS\system32\spool\PRINTERS\FP00001.SPL Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\hiberfil.sys Object is locked skipped
D:\RECYCLER\S-1-5-21-343818398-57989841-725345543-1003\Dk1\VirtuallyJenna-2.017.002-cracked.exe/VirtuallyJenna-2.017.002-cracked-installer.msi/_6A5BC9DCF6308413044425600E433DB7/_A072FB71F98447849289D58C552E0E01 Infected: Trojan-PSW.Win32.QQPass.ly skipped
D:\RECYCLER\S-1-5-21-343818398-57989841-725345543-1003\Dk1\VirtuallyJenna-2.017.002-cracked.exe/VirtuallyJenna-2.017.002-cracked-installer.msi/_6A5BC9DCF6308413044425600E433DB7 Infected: Trojan-PSW.Win32.QQPass.ly skipped
D:\RECYCLER\S-1-5-21-343818398-57989841-725345543-1003\Dk1\VirtuallyJenna-2.017.002-cracked.exe/VirtuallyJenna-2.017.002-cracked-installer.msi Infected: Trojan-PSW.Win32.QQPass.ly skipped
D:\RECYCLER\S-1-5-21-343818398-57989841-725345543-1003\Dk1\VirtuallyJenna-2.017.002-cracked.exe RAR: infected - 3 skipped
D:\RECYCLER\S-1-5-21-343818398-57989841-725345543-1003\Dk1\VirtuallyJenna-2.017.002-cracked.exe PE_Patch: infected - 3 skipped
D:\Software\Programs DVD 2004 - October\M\mirc616.exe/data0001.bin Infected: not-a-virus:Client-IRC.Win32.mIRC.616 skipped
D:\Software\Programs DVD 2004 - October\M\mirc616.exe mIRC: infected - 1 skipped
D:\Software\Programs DVD 2004 - October\S\Serials 2004 - October 2.40\serialsoct.exe/data0021 Infected: VirTool.Win32.Patcher.a skipped
D:\Software\Programs DVD 2004 - October\S\Serials 2004 - October 2.40\serialsoct.exe/data0036 Infected: Trojan-Dropper.Win32.ExeBundle.2x.a skipped
D:\Software\Programs DVD 2004 - October\S\Serials 2004 - October 2.40\serialsoct.exe Astrum: infected - 2 skipped
D:\Software\Programs DVD 2004 - October\S\Serials 2004 - September 2.36.15\serialssep.exe/data0021 Infected: VirTool.Win32.Patcher.a skipped
D:\Software\Programs DVD 2004 - October\S\Serials 2004 - September 2.36.15\serialssep.exe/data0035 Infected: Trojan-Dropper.Win32.ExeBundle.2x.a skipped
D:\Software\Programs DVD 2004 - October\S\Serials 2004 - September 2.36.15\serialssep.exe Astrum: infected - 2 skipped
D:\Software\Programs DVD 2004 - October\S\SpyLock\spylock.zip/Setup.exe/NTInvisible.dll Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 skipped
D:\Software\Programs DVD 2004 - October\S\SpyLock\spylock.zip/Setup.exe Infected: not-a-virus:Monitor.Win32.SpyAgent.44103 skipped
D:\Software\Programs DVD 2004 - October\S\SpyLock\spylock.zip ZIP: infected - 2 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\Users\Anco\AppData\Local\Temp\Low\~DF2977.tmp Object is locked skipped
D:\Users\Anco\AppData\Local\Temp\Low\~DF297D.tmp Object is locked skipped
D:\Windows\CSC\v2.0.6\pq Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{D8F9921C-EC55-4E84-AC9C-3610BA3AA3F0}\RP39\A0006320.exe Infected: not-a-virus:AdWare.Win32.MyWebSearch skipped

Scan process completed.



HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 3:13:26 PM, on 10/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\D-Tools\daemon.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\a-squared Anti-Malware\a2guard.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\ISS\BlackICE\rapapp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\FREEDO~1\fdm.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Anco.ANCO-DC7801B793\Desktop\New Folder (2)\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.speedandsound.co.za/forum/
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdmcks.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [zzGBK] G:\setup.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Malware\a2guard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BlackICE Utility.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{4AF27481-7F79-476B-938A-2E6595B671F4}: NameServer = 196.44.136.162,196.44.128.146
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)


and uninstall log:

ACE Mega CoDecS Pack
Ad-Aware SE Personal
Adobe Flash Player 9 ActiveX
Adobe Photoshop CS
Adobe Premiere 6.0
Advanced Port Scanner v1.2
Advanced RealMedia Export Plug-in for Premiere 6.0
Ahead InCD
a-squared Anti-Malware 2.0
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
Battlefield 2™
BitComet 0.56
BlackICE
BlueSoleil
Cars - Radiator Springs Adventures
CDRWIN 5
Cleaner 5 EZ
Core FTP LE 1.3c
Cross Racing Championship 2005
DAEMON Tools
DFE-520TX
DiamondCS Port Explorer v1.700 Evaluation
DivX 5.0 Bundle
D-Link PCI Fast Ethernet Adapter
dvdSanta 3.43
ewido anti-spyware 4.0
GameShadow
GameSpy Arcade
HijackThis 1.99.1
Hitman Blood Money
J2SE Runtime Environment 5.0 Update 6
Kaspersky Online Scanner
Microsoft .NET Framework 2.0
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
Mozilla Firefox (1.5)
MSN Messenger 7.5
Nero - Burning Rom
Nero 6 Demo
NetBus Pro
Neuro Hunter
NVIDIA Drivers
Oblivion
QuickTime
RealPlayer Plus
Realtek AC'97 Audio
Richard Burns Rally
Rogue Trooper
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB925486)
SketchUp 5
Sniper Elite
Spybot - Search & Destroy 1.4
The Godfather™ The Game
The Sims
The Sims 2
The Sims 2 Nightlife
Ulead DVD Workshop Trial
Ulead VideoStudio 6 Trial
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Walaber's Trampoline
Windows Installer 3.1 (KB893803)
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinISD beta
WinPcap 3.1
WinRAR archiver
WinZip
World of Warcraft
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar
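
As an added example that is not part of this thread (not the helper's or the user's own tooling), here is a small Python triage script for the Kaspersky Online Scanner report format quoted in the posts above. It separates real detections from "Object is locked" noise, collapses nested archive members (the `/stream/data0004`-style suffixes) back to the top-level file a helper would actually act on, and groups those files by where they sit (restore point, NOD32 quarantine, the Killbox folder, or live on disk). The sample report is constructed from a handful of lines taken from the log above, with two paths shortened and a `{GUID}` placeholder; the `C:\!KillBox` classification is an assumption about where Killbox holds deleted files.

```python
import re
from collections import Counter, namedtuple

# Constructed sample in the format of the Kaspersky Online Scanner report
# posted above: a few lines lifted from it, two paths shortened, GUID replaced.
SAMPLE_REPORT = r"""
Scan Statistics:
Total number of scanned objects: 167077
Number of viruses found: 9
Number of infected objects: 35 / 0

Infected Object Name / Virus Name / Last Action
C:\!KillBox\CEDP-Stealer-Setup.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\!KillBox\CEDP-Stealer-Setup.exe/stream Infected: not-a-virus:AdWare.Win32.Relevant.a skipped
C:\!KillBox\CEDP-Stealer-Setup.exe NSIS: infected - 3 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Program Files\ESET\infected\0ULJETBA.NQF Infected: Trojan-Dropper.Win32.ExeBundle.2x.a skipped
C:\System Volume Information\_restore{GUID}\RP68\A0014706.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
D:\Software\Serials\serials04.iso/Installer/serials.exe;1/data0018 Infected: Trojan-Dropper.Win32.ExeBundle.2x.a skipped
D:\Software\Serials\serials04.iso ISO image: infected - 4 skipped

Scan process completed.
"""

# One line per detected object; "path" may include nested archive members.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
# Files the scanner could not open (registry hives, logs, index.dat): not findings.
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")
# Roll-up line for an archive/installer, e.g. "NSIS: infected - 3" or "ISO image: infected - 4".
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<fmt>[^:]+): infected - (?P<count>\d+) (?P<action>\S+)$")

Finding = namedtuple("Finding", "path detection container location")


def top_level_container(path):
    """Strip nested archive members: 'x.iso/Installer/a.exe;1/data0018' -> 'x.iso'."""
    return path.split("/")[0]


def classify_location(path):
    """Rough placement of a hit, which decides how it gets cleaned up."""
    low = path.lower()
    if "\\system volume information\\_restore" in low:
        return "restore-point"   # System Restore copy; cleared by purging restore points
    if "\\eset\\infected\\" in low:
        return "quarantine"      # NOD32 quarantine folder, as noted in the thread
    if "\\!killbox\\" in low:
        return "killbox"         # assumption: folder where Killbox parks deleted files
    return "live"


def parse_report(text):
    """Return (findings, locked_paths, container_rollups) from report text."""
    findings, locked, containers = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = INFECTED_RE.match(line)
        if m:
            path = m["path"]
            findings.append(Finding(path, m["name"], top_level_container(path),
                                    classify_location(path)))
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m["path"])
            continue
        m = CONTAINER_RE.match(line)
        if m:
            containers.append((m["path"], m["fmt"], int(m["count"])))
    return findings, locked, containers


def parse_statistics(text):
    """Pull the integer counters from the 'Scan Statistics' header."""
    stats = {}
    pattern = re.compile(r"^(Total number of scanned objects|Number of viruses found|"
                         r"Number of infected objects): (\d+)")
    for raw in text.splitlines():
        m = pattern.match(raw.strip())
        if m:
            stats[m[1]] = int(m[2])
    return stats


def detection_counts(findings):
    """How many objects each detection name was reported on."""
    return Counter(f.detection for f in findings)


def cleanup_targets(findings):
    """Top-level files per location: the list a helper would hand to Killbox or similar."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.location, set()).add(f.container)
    return {loc: sorted(paths) for loc, paths in grouped.items()}


if __name__ == "__main__":
    found, locked_paths, rollups = parse_report(SAMPLE_REPORT)
    print(parse_statistics(SAMPLE_REPORT))
    for name, n in detection_counts(found).most_common():
        print(f"{n:3d}  {name}")
    for loc, paths in cleanup_targets(found).items():
        print(loc, paths)
    print(f"{len(locked_paths)} locked object(s) ignored, {len(rollups)} container roll-up(s)")
```

Running it on the full report from the post above gives the same picture the helper drew by eye: the "live" bucket is the handful of files named in the Killbox list, the "restore-point" bucket is copies that only go away when System Restore is cleared, and the dozens of locked registry hives and logs drop out of the summary entirely.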

#12 Octagonal

  • Group: Member
  • Posts: 2,528
  • Joined: 04-May 05

Posted 08 October 2006 - 11:54 PM

Hi scratchy123,

I can't see an antivirus program installed on your system but you have quarantined entries from NOD32.... If you are not currently using an antivirus program on your system please install one of these (these are also free for personal use): Make sure that you install current updates for the appropriate program if you download one of these.

Please double-click Killbox.exe that you downloaded previously to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.

  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    D:\RECYCLER\S-1-5-21-343818398-57989841-725345543-1003\Dk1\VirtuallyJenna-2.017.002-cracked.exe
    D:\Software\Programs DVD 2004 - October\M\mirc616.exe
    D:\Software\Programs DVD 2004 - October\S\Serials 2004 - October 2.40\serialsoct.exe
    D:\Software\Programs DVD 2004 - October\S\SpyLock\spylock.zip

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Let's see if a rootkit is present.

Download and Save Blacklight to your desktop (choose "I ACCEPT" then click "DOWNLOAD" on the website).

Double-click blbeta.exe then accept the agreement, click > "Scan" then > "Next".

You'll see a list of all items found. There will also be a log on your desktop with the name "fsbl.xxxxxxxxxxxxxx.log" (the xxxxxxxxxxxxxx stand for numbers).

Copy and paste this log in your next reply.

Thanks.
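Killbox's "Delete on Reboot" (and the PendingFileRenameOperations prompt mentioned above) relies on a standard Windows mechanism: the file is queued in a registry value that Session Manager processes at the next boot, before the desktop loads. The script below is an added example for checking what is queued; it is not part of the thread and not Killbox's own code. It assumes PowerShell 3 or later (for the `[pscustomobject]` cast) and an elevated prompt, and it only reads the value.

```powershell
# Added example, not from the thread: list the file operations Windows will carry out
# at the next reboot. "Delete on Reboot" tools such as Killbox schedule deletions through
# MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT), which appends to the REG_MULTI_SZ value
# PendingFileRenameOperations as (source, destination) pairs: an empty destination means
# "delete", a destination prefixed with "!" means "replace even if the target exists".
# Assumes PowerShell 3+ and an elevated prompt; the function only reads the registry.
function Get-PendingFileOperations {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $item = Get-ItemProperty -LiteralPath $key -Name 'PendingFileRenameOperations' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return @() }          # nothing is scheduled for the next reboot

    $entries = @($item.PendingFileRenameOperations)
    $ops = @()
    for ($i = 0; $i -lt $entries.Count; $i += 2) {
        # Strip the NT object-manager prefix "\??\" so the path is usable with Test-Path
        $src = $entries[$i] -replace '^\\\?\?\\', ''
        $dst = ''
        if ($i + 1 -lt $entries.Count) { $dst = $entries[$i + 1] }
        $kind = 'Rename'
        if ([string]::IsNullOrEmpty($dst)) { $kind = 'Delete' }
        $ops += [pscustomobject]@{
            Operation    = $kind
            Source       = $src
            Destination  = ($dst -replace '^!?\\\?\?\\', '')
            SourceExists = (Test-Path -LiteralPath $src)   # already gone? then the reboot step is moot
        }
    }
    return $ops
}

# Usage: review what is queued before rebooting, e.g. right after Killbox's "Delete on Reboot".
Get-PendingFileOperations | Format-Table -AutoSize
```

Because the same value can also carry a file replacement rather than a deletion, it is worth a look whenever a machine is being cleaned: anything listed there is applied by Session Manager at boot, so an unexpected Rename entry pointing at a system file deserves attention before the restart.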

#13 scratchy123

  • Group: Member
  • Posts: 12
  • Joined: 22-September 06

Posted 09 October 2006 - 01:35 AM

Ran Killbox, then Blacklight

Blacklight didn't find anything, but the problem def still is there.

10/09/06 09:28:00 [Info]: BlackLight Engine 1.0.47 initialized
10/09/06 09:28:00 [Info]: OS: 5.1 build 2600 (Service Pack 2)
10/09/06 09:28:00 [Note]: 7019 4
10/09/06 09:28:00 [Note]: 7005 0
10/09/06 09:28:08 [Note]: 7006 0
10/09/06 09:28:08 [Note]: 7011 416
10/09/06 09:28:08 [Note]: 7026 0
10/09/06 09:28:08 [Note]: 7026 0
10/09/06 09:28:13 [Note]: FSRAW library version 1.7.1020
10/09/06 09:31:57 [Note]: 2000 1012
10/09/06 09:32:15 [Note]: 7007 0


I thank you very much for not giving up on me yet...lol

#14 Octagonal

  • Group: Member
  • Posts: 2,528
  • Joined: 04-May 05

Posted 10 October 2006 - 08:35 PM

Hi scratchy123,

Sorry for the delay, I've had a few things happening on the homefront.

Download WinPFind2.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind2 on your desktop.
  • Open the folder and double-click on winpfind2.exe to start the program.
  • Click on the Services tab.
  • From the two drop down boxes next to Filter list:, on the left one choose List all type of services and on the right one choose List all services.
  • Click on the Configuration tab.
  • Keep the standard settings and then in the AddOn-Options box click the checkboxes for
    • HKCU_IEDesktop.def
    • Policies.def
    • SID_Run_Policies.def
    to select them.
  • Under File Options click Select All
  • Under Other Options put a check to both Show All boxes
  • Please maximize the window in order to be able to view the Status Bar where you can see the progress of the scan.
  • Now click the Run All Scans button on the toolbar.
  • When the scans are complete click the Simple Report button in the lower right-hand corner to create a report file. Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is, click on it to uncheck it and then please post that report into this topic. After posting please check if the whole report fit into the post. If it did fit, it should say <End of Report> at the end. If not, please post the section that was cut off in a second post.
Also, can you let me know exactly what problems you are still experiencing?

Thanks.

#15 Octagonal

  • Group: Member
  • Posts: 2,528
  • Joined: 04-May 05

Posted 25 October 2006 - 01:38 AM

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
