
Problems after scans


  • This topic is locked

#1
cool c

Hi, my computer was infected with nail.exe and other stuff. I'm new to the site and I followed the initial steps. I ran Ad-Aware SE, Spybot S&D, CleanUp, Nailfix, CWShredder, and did an online scan with Housecall. At login I'm experiencing: "create remote thread failed", also "c:\windows\cfgmgr52.dll specified module not found", and a "Windows explorer has encountered a problem" message. Any help with these problems would be greatly appreciated. I'm adding my Hijack log.

Logfile of HijackThis v1.99.1
Scan saved at 10:30:55 PM, on 7/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\kkhajl.exe
C:\WINDOWS\system32\vidctrl\vidctrl.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\WINDOWS\system\gmkri.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\mscmlby.exe
c:\windows\system32\iamtiu.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Cas\Client\casclient.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\browser\YBrowser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\dwwin.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\kkhajl.exe reg_run
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitewug32.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [AutoLoaderxw7Y1WIWURLZ] "C:\WINDOWS\System32\rtcfilt.exe"
O4 - HKLM\..\Run: [hctlur] c:\windows\system32\iamtiu.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [g072RkZ2P] mscmlby.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Full Java Client 2.1.0.84 - http://chat.rtsports...va/cs4fs084.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0021.exe
O16 - DPF: {9FA45D9C-1412-4949-B735-0D73A3D20E51} (CFND Control) - http://www.gloopers.com/VFX.CAB
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE



#2
Buckeye_Sam

Hello and welcome to Geeks To Go. My name is Sam and I will be helping you.
Let's start out with some general scans and see if we can't clean things up a little.


+++++ Step 1 +++++

Please download Ewido security suite; it is a trial version of the program.
  • Install Ewido security suite
  • Launch Ewido; there should be an icon on your desktop, double-click it.
  • The program will prompt you to update; click the OK button
  • The program will now go to the main screen
You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:
  • Click on scanner
  • Make sure the following boxes are checked before scanning:
    • Binder
    • Crypter
    • Archives
  • Click on Start Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean files; click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report.
  • Click Save report
  • Save the report to your desktop


+++++ Step 2 +++++

Please run an on-line virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)


+++++ Step 3 +++++

After that, I will need to see two different logs from HijackThis. The first is the normal log like you posted here. To get the other one, follow these directions.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Post back with those logs and we can continue from there.


If you have received help elsewhere or no longer need our assistance, please let us know.

#3
cool c

Thanks for helping me. I have the logs you requested. Go Bucks!!!

First the Hijackthis log:
Logfile of HijackThis v1.99.1
Scan saved at 5:46:32 PM, on 7/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\kkhajl.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\kkhajl.exe reg_run
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitewug32.exe
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [AutoLoaderxw7Y1WIWURLZ] "C:\WINDOWS\System32\rtcfilt.exe"
O4 - HKLM\..\Run: [orolqzj] c:\windows\system32\appomwa.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [g072RkZ2P] mscmlby.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Full Java Client 2.1.0.84 - http://chat.rtsports...va/cs4fs084.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0021.exe
O16 - DPF: {9FA45D9C-1412-4949-B735-0D73A3D20E51} (CFND Control) - http://www.gloopers.com/VFX.CAB
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

Next the uninstall_list:
ABBYY FineReader 5.0 Sprint
Ad-Aware SE Personal
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 5.0
Adobe Acrobat and Reader 6.0.3 Update
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0.1
AOL Instant Messenger
Britannica Ready Reference
Broadcom Advanced Control Suite
BroadJump Client Foundation
CC_ccProxyExt
ccCommon
ccPxyCore
CleanUp!
Conexant SmartHSFi V92 56K DF PCI Modem
DAO
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Dell Support
Digital Line Detect
DVDSentry
Easy CD Creator 5 Basic
ewido security suite
FaxTools
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Intel® Extreme Graphics Driver
iTunes
Kaspersky Anti-Virus Web Scanner
Kazaa Lite Resurrection 0.0.7.6 F
Lexmark X5100 Series
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB886906)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Data Access Components KB870669
Microsoft Office XP Professional with FrontPage
mobile PhoneTools
Modem Helper
MSN Messenger 6.2
MSN Music Assistant
MSN Toolbar
MSRedist
MUSICMATCH® Jukebox
My First CD-ROM - PreSchool
My First CD-ROM - PreSchool XP update
Norton AntiSpam
Norton AntiSpam
Norton AntiVirus 2005
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security 2005 (Symantec Corporation)
Norton WMI Update
Norton WMI Update
Norton WMI Update
OLYMPUS CAMEDIA Master 1.2
Paint Shop Pro 7
PhotoParade Player
PowerDVD
QuickTime
RealPlayer Basic
SBC Yahoo! Applications
SBC Yahoo! DSL Activation
SBC Yahoo! DSL Activation
SBC Yahoo! Messenger Explorer Bar
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows XP (KB896426)
Shockwave
SPBBC
Spybot - Search & Destroy 1.4
Starcraft
Symantec Script Blocking Installer
SymNet
Viewpoint Media Player
VX2 Cleaner plug-in for Ad-Aware SE
Windows Media Format Runtime
Windows Media Player 10
Windows VisFx Components
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883939
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB897715
Windows XP Hotfix (SP2) Q814995
WinRAR archiver
XviD MPEG-4 Video Codec
Yahoo! Messenger

This is the Ewido scan log:
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:48:48 PM, 7/16/2005
+ Report-Checksum: 83040B0E

+ Scan result:

HKLM\SOFTWARE\AutoLoader -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\xw7u1WIWURLZ -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\xw7Y1WIWURLZ -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{F5EE52D3-2ECC-409E-A92F-A73F2B8DD407} -> Spyware.HiWire : Cleaned with backup
HKLM\SOFTWARE\Envolo -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Envolo\AutoUpdate -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Envolo\AutoUpdate\State -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKU\S-1-5-21-3670962695-4087242085-2497070514-1006\Software\LQ -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Carl\Cookies\carl@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Carl\Cookies\[email protected][2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Carl\Cookies\[email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Carl\Cookies\carl@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Carl\Cookies\carl@overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Carl\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP0\A0000002.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP0\A0000003.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000014.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000015.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000020.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000021.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000024.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000025.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000026.DLL -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000027.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000028.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000029.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000030.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000031.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000032.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000033.DLL -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000034.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000035.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000036.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000037.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000038.DLL -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000039.DLL -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000040.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000041.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000042.DLL -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0000043.dll -> Spyware.Look2Me : Cleaned with backup


::Report End

Finally the Kaspersky scan log:
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Saturday, July 16, 2005 17:45:02
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 16/07/2005
Kaspersky Anti-Virus database records: 138464
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 52895
Number of viruses found: 59
Number of infected objects: 243
Number of suspicious objects: 0
Duration of the scan process: 3138 sec


#4
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
First we are going to clean up your log a bit. Then we'll need to get a closer look at the bad files hiding on your computer so we can kill your qoologic trojan.

Please make sure that you can VIEW ALL HIDDEN FILES.

Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll (file missing)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\system32\PSof1.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\kkhajl.exe reg_run
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\system32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitewug32.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [AutoLoaderxw7Y1WIWURLZ] "C:\WINDOWS\System32\rtcfilt.exe"
O4 - HKLM\..\Run: [orolqzj] c:\windows\system32\appomwa.exe r
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [g072RkZ2P] mscmlby.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0021.exe



Reboot your computer into SAFE MODE

Then delete these files or directories (Do not be concerned if they do not exist):

C:\WINDOWS\tct101.dll
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\system32\PSof1.exe
C:\WINDOWS\System32\kkhajl.exe
C:\WINDOWS\system32\vidctrl
C:\WINDOWS\System32\elitewug32.exe
C:\WINDOWS\system32\AUNPS2.DLL
C:\WINDOWS\System32\rtcfilt.exe
C:\WINDOWS\System32\appomwa.exe
mscmlby.exe <-- search for this file
C:\Program Files\Cas
C:\Program Files\SurfSideKick 3


Reboot your computer to go back to normal mode.


Now that we've cleaned that up we need to dig a little deeper to take on the next one.

Download WinPFind
  • Right Click the Zip Folder and Select "Extract All"
  • Extract it somewhere you will remember like the Desktop
  • Don't do anything with it yet!
Download Track qoo
  • Save it somewhere you will remember like the Desktop

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe
  • Click "Start Scan"
  • It will scan the entire System, so please be patient!
  • Once the Scan is Complete
  • Go to the WinPFind folder
  • Locate WinPFind.txt
  • Place those results in the next post!
Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If your Antivirus has Script Blocking, you will get a Pop Up Window asking you what to do. Allow this Entire Script to Run, it's harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

#5
cool c

    New Member

  • Topic Starter
  • Member
  • 7 posts
Hi Buckeye Sam, I tried to download track qoo and I wasn't able to. Is there another link I can use?

#6
cool c

    New Member

  • Topic Starter
  • Member
  • 7 posts
Hi Buckeye Sam, followed your instructions on deleting the files. All is fine except I was denied access to c:\windows\system32\kkhajl.exe. I feel all the others are gone. Also found a link for trackqoo, so disregard my earlier note. Thanks for all your help so far. Attached are the scan results you requested.

winPFind results

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "not responding" you can ignore it. Windows is throwing this message up even though the program is still running. As long as the hard disk is working then the program is running.

»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...
UPX! C:\Program Files\mythxpak.exe
UPX! C:\Program Files\replsosa.exe

Checking %WinDir% folder...
abetterinternet.com C:\WINDOWS\aamno.dll
web-nex C:\WINDOWS\aamno.dll
abetterinternet.com C:\WINDOWS\abiuninst.htm
PECompact2 C:\WINDOWS\lpt$vpn.719
qoologic C:\WINDOWS\lpt$vpn.719
SAHAgent C:\WINDOWS\lpt$vpn.719
UPX! C:\WINDOWS\RMAgentOutput.dll
UPX! C:\WINDOWS\tsc.exe
UPX! C:\WINDOWS\visfxun.exe
PECompact2 C:\WINDOWS\VPTNFILE.719
qoologic C:\WINDOWS\VPTNFILE.719
SAHAgent C:\WINDOWS\VPTNFILE.719
UPX! C:\WINDOWS\vsapi32.dll
aspack C:\WINDOWS\vsapi32.dll

Checking %System% folder...
aspack C:\WINDOWS\system32\ccdanxa.exe
PEC2 C:\WINDOWS\system32\dfrg.msc
aspack C:\WINDOWS\system32\eenkpyk.dll
KavSvc C:\WINDOWS\system32\eenkpyk.dll
69.59.186.63 C:\WINDOWS\system32\eenkpyk.dll
209.66.67.134 C:\WINDOWS\system32\eenkpyk.dll
testpopup C:\WINDOWS\system32\eenkpyk.dll
web-nex C:\WINDOWS\system32\eenkpyk.dll
yourkey C:\WINDOWS\system32\eenkpyk.dll
aspack C:\WINDOWS\system32\kkhajl.exe
PECompact2 C:\WINDOWS\system32\MRT.exe
aspack C:\WINDOWS\system32\MRT.exe
aspack C:\WINDOWS\system32\qqwua.dat
Umonitor C:\WINDOWS\system32\rasdlg.dll
aspack C:\WINDOWS\system32\rrikw.dll
KavSvc C:\WINDOWS\system32\rrikw.dll
69.59.186.63 C:\WINDOWS\system32\rrikw.dll
209.66.67.134 C:\WINDOWS\system32\rrikw.dll
web-nex C:\WINDOWS\system32\rrikw.dll
yourkey C:\WINDOWS\system32\rrikw.dll
aspack C:\WINDOWS\system32\SKCL.dll
UPX! C:\WINDOWS\system32\ThriXXX010104Z.dll
UPX! C:\WINDOWS\system32\ThriXXX010205PNG.dll
UPX! C:\WINDOWS\system32\ThriXXX015003JP2.dll

Checking %System%\Drivers folder and sub-folders...
PTech C:\WINDOWS\system32\drivers\mtlstrm.sys

Checking the Windows folder for system and hidden files within the last 60 days...
7/7/2005 C:\WINDOWS\WindowsShell.Manifest
7/7/2005 C:\WINDOWS\Downloaded Program Files\DESKTOP.INI
7/7/2005 C:\WINDOWS\Fonts\DESKTOP.INI
6/28/2005 C:\WINDOWS\INF\oem40.inf
7/7/2005 C:\WINDOWS\Offline Web Pages\DESKTOP.INI
7/7/2005 C:\WINDOWS\REPAIR\NTUSER.DAT
7/7/2005 C:\WINDOWS\SYSTEM32\cdplayer.exe.manifest
7/7/2005 C:\WINDOWS\SYSTEM32\logonui.exe.manifest
7/7/2005 C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
7/7/2005 C:\WINDOWS\SYSTEM32\nwc.cpl.manifest
7/7/2005 C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
7/7/2005 C:\WINDOWS\SYSTEM32\WindowsLogon.manifest
7/7/2005 C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
7/17/2005 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
7/7/2005 C:\WINDOWS\SYSTEM32\CONFIG\default.tmp.LOG
7/17/2005 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
7/17/2005 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
7/17/2005 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
7/7/2005 C:\WINDOWS\SYSTEM32\CONFIG\software.tmp.LOG
7/17/2005 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
7/7/2005 C:\WINDOWS\SYSTEM32\CONFIG\system.tmp.LOG
7/7/2005 C:\WINDOWS\SYSTEM32\CONFIG\TempKey.LOG
7/7/2005 C:\WINDOWS\SYSTEM32\CONFIG\USERDIFF.LOG
7/7/2005 C:\WINDOWS\SYSTEM32\CONFIG\userdifr.LOG
6/16/2005 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
7/9/2005 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\AHEDP6LH\desktop.ini
7/9/2005 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KDUBSTEN\desktop.ini
7/9/2005 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\KY45SYCI\desktop.ini
7/9/2005 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\YP2NWLUJ\desktop.ini
7/16/2005 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\b38e8b7f-591a-4021-8816-eb6843ee1113
7/16/2005 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
7/7/2005 C:\WINDOWS\SYSTEM32\Restore\filelist.xml
7/17/2005 C:\WINDOWS\Tasks\SA.DAT

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

Checking %ALLUSERSPROFILE%\Startup folder...
aspack C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ddra.exe

Checking %ALLUSERSPROFILE%\Application Data folder...

Checking %USERPROFILE%\Startup folder...

Checking %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»»»»»»»»» Registry Entries Found »»»»»»»»»»»»»»»»»»»»»»»

*\shellex\ContextMenuHandlers
*\shellex\ContextMenuHandlers\ggmynsyn
{c90db4d9-8806-4a6f-9cd7-852a96ee1673} = C:\WINDOWS\system32\rrikw.dll
*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi20040613.dll
*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin =

SOFTWARE\Classes\Folder\shellex\ColumnHandlers
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
IgfxTray C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
DwlClient C:\Program Files\Common Files\Dell\EUSW\Support.exe
tgcmdprovidersbc "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
YBrowser C:\Program Files\Yahoo!\browser\ybrwicon.exe
IPInSightMonitor 01 "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
mmtask C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
msnappau "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper C:\Program Files\iTunes\iTunesHelper.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Lexmark X5100 Series "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
KavSvc C:\WINDOWS\System32\kkhajl.exe reg_run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents
IMAIL
MAPI
MSFS

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ctfmon.exe C:\WINDOWS\System32\ctfmon.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\PostBootReminder
{7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WebCheck
{E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\SysTray
{35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\CDBurn
{fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\apitrap.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ASSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Cleanup.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cqw32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divxdec.ax
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DJSMAR00.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\DRMINST.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\enc98.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncodeDivXExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EncryptPatchVer.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\front.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fullsoft.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GBROWSER.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmarq.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\htmlmm.ocx
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ishscan.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ISSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\javai.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jvm_g.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\main123w.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mngreg32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msci_uno.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscoree.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorsvr.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mscorwks.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mso.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NAVOPTRF.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NeVideoFX.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NPMLIC.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NSWSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\photohse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PMSTE.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ppw32hlp.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\printhse.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ps80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psdmt.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qfinder.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\qpw.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Salwrap.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\setup32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sevinst.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\symlcnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tcore_ebook.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFDTCTT8.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ua80.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\udtapi.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ums.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vb40032.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vbe6.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wpwin8.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xlmlEN.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xwsetup.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_INSTPGM.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
UserInit C:\WINDOWS\system32\userinit.exe,
Shell explorer.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.0.0.8 - Log file written to "WinPFind.Txt" in the WinPFind folder.

Trackqoo results

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"DwlClient"="C:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"
"tgcmdprovidersbc"="\"c:\\program files\\support.com\\bin\\tgcmd.exe\" /server /startmonitor /deaf /nosystray"
"YBrowser"="C:\\Program Files\\Yahoo!\\browser\\ybrwicon.exe"
"IPInSightMonitor 01"="\"C:\\Program Files\\SBC Yahoo!\\Connection Manager\\IP InSight\\IPMon32.exe\""
"mmtask"="C:\\Program Files\\MUSICMATCH\\MUSICMATCH Jukebox\\mmtask.exe"
"msnappau"="\"C:\\Program Files\\MSN Apps\\Updater\\01.03.0000.1005\\en-us\\msnappau.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Lexmark X5100 Series"="\"C:\\Program Files\\Lexmark X5100 Series\\lxbabmgr.exe\""
"KavSvc"="C:\\WINDOWS\\System32\\kkhajl.exe reg_run"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers


Subkey --- ggmynsyn
{c90db4d9-8806-4a6f-9cd7-852a96ee1673}
C:\WINDOWS\system32\rrikw.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}
C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

Subkey --- WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA}
C:\Program Files\WinRAR\rarext.dll

Subkey --- Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499}
C:\PROGRA~1\Yahoo!\Common\ymmapi20040613.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers


Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

==============================
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

DESKTOP.INI
==============================
C:\Documents and Settings\Carl\Start Menu\Programs\Startup

DESKTOP.INI
DESKTOP.INI
==============================
C:\WINDOWS\SYSTEM32 cpl files


access.cpl Microsoft Corporation
appwiz.cpl Microsoft Corporation
B57exp.cpl Broadcom Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
igfxcpl.cpl Intel Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
prefscpl.cpl RealNetworks, Inc.
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation

#7
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
That's what I need to see! ;)

:tazz:



Download Pocket KillBox from here. There is a Direct Download and a description of what the Program does inside this link.

Please open Notepad, and copy/paste the code in the box below into a new text file. Save it as KillQoo.reg (set Filetype to "All Files") and save it on your Desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ggmynsyn]

[-HKEY_CLASSES_ROOT\CLSID\{c90db4d9-8806-4a6f-9cd7-852a96ee1673}]


Open Pocket Killbox and Copy & Paste the entries below into the "Full Path of File to Delete"



C:\Program Files\mythxpak.exe
C:\Program Files\replsosa.exe
C:\WINDOWS\aamno.dll
C:\WINDOWS\abiuninst.htm
C:\WINDOWS\lpt$vpn.719
C:\WINDOWS\RMAgentOutput.dll
C:\WINDOWS\VPTNFILE.719
C:\WINDOWS\system32\ccdanxa.exe
C:\WINDOWS\system32\eenkpyk.dll
C:\WINDOWS\system32\kkhajl.exe
C:\WINDOWS\system32\qqwua.dat
C:\WINDOWS\system32\rrikw.dll
C:\WINDOWS\system32\ThriXXX010104Z.dll
C:\WINDOWS\system32\ThriXXX010205PNG.dll
C:\WINDOWS\system32\ThriXXX015003JP2.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ddra.exe



As you Paste each entry into Killbox, place a tick by any of these Selections available

"Delete on Reboot"
"Unregister .dll before Deleting"


Click the Red Circle with the White X in the Middle to Delete!

Restart in Safe Mode and Run those files through Killbox once more to be sure nothing survived.

This time place a tick by any of these selections available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"


Now Locate and DoubleClick KillQoo.reg -> Allow it to merge into the Registry!

Please re-open HiJackThis and scan. Check the boxes next to this entry.

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\kkhajl.exe reg_run

Now close all windows other than HiJackThis, then click Fix Checked.

Restart back in Normal Mode and Post a fresh HijackThis log!

#8
cool c

    New Member

  • Topic Starter
  • Member
  • 7 posts
Hi Buckeye Sam, I completed your last set of instructions. Here is my HijackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 5:36:21 PM, on 7/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\browser\YBrowser.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Full Java Client 2.1.0.84 - http://chat.rtsports...va/cs4fs084.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {9FA45D9C-1412-4949-B735-0D73A3D20E51} (CFND Control) - http://www.gloopers.com/VFX.CAB
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

Thanks !!!
  • 0

#9
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Your log is looking pretty good! :tazz:

Click Start -> Run -> (type) services.msc

Scroll down and find the service called System Startup Service. When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General tab, change the Startup Type to Disabled. Now hit Apply and then OK and close any open windows.


Run Hijackthis and click on Open the Misc Tools section -> Delete an NT Service
Copy and paste this into the text box and click OK.

SvcProc


Reboot and post a new hijackthis log. How do things feel on your end? Any problems?
  • 0
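An added example, not part of the original posts or of HijackThis itself: a Python sketch that parses the O23 service lines of a HijackThis log, flags entries marked "Unknown owner" or "(file missing)" such as the SvcProc service removed above, and checks a follow-up log to confirm the entry is gone. The function names are hypothetical, the line format is inferred from the logs in this thread, and the sample lines are copied from those logs.

```python
import re

# Shape of an O23 (NT service) line as it appears in this thread's logs:
#   O23 - Service: <display> [(<key name>)] - <owner> - <path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<key>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)

def parse_services(log_text):
    """Return {service key name: record} for every O23 line in a log."""
    services = {}
    for line in log_text.splitlines():
        m = O23_RE.match(line.strip())
        if not m:
            continue
        # Assumption: with no parenthesised key, the display name is the key.
        key = m["key"] or m["display"]
        services[key] = {"display": m["display"], "owner": m["owner"],
                         "path": m["path"],
                         "file_missing": m["missing"] is not None}
    return services

def triage(services):
    """Flag services whose binary is gone or whose owner could not be read."""
    flagged = {}
    for key, svc in services.items():
        reasons = []
        if svc["file_missing"]:
            reasons.append("file missing")
        if svc["owner"].lower() == "unknown owner":
            reasons.append("unknown owner")
        if reasons:
            flagged[key] = reasons
    return flagged

def still_registered(before_log, after_log):
    """Flagged services from the first log that survive in the follow-up log."""
    after = parse_services(after_log)
    return sorted(k for k in triage(parse_services(before_log)) if k in after)

# Sample input: O23 lines copied from the two logs in this thread.
BEFORE = r"""
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
"""
AFTER = r"""
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
"""
```

A key returned by `triage` is the short service name that the "Delete an NT Service" box expects, and an empty list from `still_registered` means the follow-up log no longer shows the flagged service.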

#10
cool c

    New Member

  • Topic Starter
  • Member
  • 7 posts
Hi Buckeye Sam, the last set of things to do got the computer running much smoother. One thing I've noticed is the desktop keeps refreshing if I have the browser running and I try to go to Control Panel (for example). And I've had trouble downloading SP2 from the Windows website. What happens is the browser shuts down. I get the feeling the system is much cleaner. Thanks.


Logfile of HijackThis v1.99.1
Scan saved at 7:59:06 PM, on 7/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [tgcmdprovidersbc] "c:\program files\support.com\bin\tgcmd.exe" /server /startmonitor /deaf /nosystray
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ChatSpace Full Java Client 2.1.0.84 - http://chat.rtsports...va/cs4fs084.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0C568603-D79D-11D2-87A7-00C04FF158BB} (BrowseFolderPopup Class) - http://download.mcaf...ed/MGBrwFld.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.co...rols/Rovion.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {4208FB4D-4E53-4F5A-BF7A-3E047DDB5281} (ActiveX Control) - http://www.icannnews.../ST/ActiveX.ocx
O16 - DPF: {9FA45D9C-1412-4949-B735-0D73A3D20E51} (CFND Control) - http://www.gloopers.com/VFX.CAB
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
  • 0

#11
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
The refreshing desktop puzzles me somewhat. That may be a hardware problem. Is this recent or have you noticed it for a while?

As far as the Windows updates, you can set your computer up to download and install SP2 automatically. It's probably the easiest way to do it. Check this link.

http://www.microsoft...xp/updates.mspx



Your log is clean, but there are a few optional fixes that you could make to free up some resources and improve your bootup time.

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.03.0000.1005\en-us\msnappau.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
  • 0

#12
cool c

    New Member

  • Topic Starter
  • Member
  • 7 posts
Hi, Buckeye Sam, the optional fixes you mention are to be fixed using HijackThis? The refreshing might be happening because of needing to add RAM. Currently running 256Meg.
  • 0

#13
Buckeye_Sam

    Malware Expert

  • Member
  • 10,019 posts
Yes, you can fix those items using Hijackthis the same way you fixed the malware earlier.


You should be ok with 256mb of RAM. It's the minimum, but you shouldn't have problems. It could be your monitor going bad.
  • 0





