Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Aurora [CLOSED]

Started by bigb3203 , Jul 28 2005 12:05 PM

This topic is locked

#1
bigb3203

Posted 28 July 2005 - 12:05 PM

New Member

Member
4 posts

As you know there is a huge problem having to do with aurora. I have inherited this virus or whatever it is and need help removing it, my HJT log is:

Logfile of HijackThis v1.99.1
Scan saved at 12:04:56 PM, on 7/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Bpt\bpt.exe
C:\windows\system32\dwCumIZ.exe
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\windows\system32\YFP3.exe
C:\program files\tvs\tvs_b.exe
C:\WINDOWS\System32\jaarrr.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\System32\tcpdex.exe
C:\WINDOWS\System32\ctfmon.exe
c:\windows\system32\tofqsi.exe
C:\WINDOWS\System32\swlparse.exe
C:\WINDOWS\System32\r?gsvr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Program Files\ipee\othb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\6top95.exe
C:\WINDOWS\System32\6top95.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Aprps\CxtPls.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Marissa\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: (no name) - {016235BE-59D4-4CEB-ADD5-E2378282A1D9} - C:\Program Files\Aprps\cxtpls.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {8E37E1B0-077A-008E-2E26-78C2B65F46C3} - C:\WINDOWS\System32\hqoslda.dll (file missing)
O2 - BHO: (no name) - {ABDB74ED-9677-CCD6-7151-EF5B5F2063C7} - C:\WINDOWS\System32\ynwf.dll (file missing)
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\System32\nvms.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: FlashTEnhancer Ext - {D7E588AB-A5D9-4422-B313-22A3470F9700} - c:\Program Files\Ftk\ftk.dll
O2 - BHO: (no name) - {E33DEC1D-58F9-7628-DEE9-0082BC647B97} - C:\WINDOWS\System32\bjyim.dll
O2 - BHO: FavoriteMan Class - {EBBD88E5-C372-469D-B4C5-1FE00352AB9B} - C:\WINDOWS\System32\mmview_101.dll (file missing)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\System32\msbe.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bcre.exe"
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [dwCumIZ] C:\windows\system32\dwCumIZ.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [YFP3] C:\windows\system32\YFP3.exe
O4 - HKLM\..\Run: [PopUp Buster+] C:\Documents and Settings\Marissa\Desktop\PopUpBuster\PopUpBuster\popupbuster.exe
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jaarrr.exe reg_run
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [tE7h34e] tcpdex.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [nglayo] c:\windows\system32\tofqsi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [cponRQK2h] swlparse.exe
O4 - HKCU\..\Run: [Ehc] C:\WINDOWS\System32\r?gsvr32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Aaou] C:\Program Files\ipee\othb.exe
O4 - HKCU\..\Run: [6top95] C:\WINDOWS\System32\6top95.exe
O4 - HKCU\..\RunOnce: [6top95] C:\WINDOWS\System32\6top95.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Grip.com - file://C:\Program Files\GRIPCZ29\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\PopUpBuster\popupbuster.exe
O9 - Extra 'Tools' menuitem: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\PopUpBuster\popupbuster.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {EBBD88E5-C372-469D-B4C5-1FE00352AB9B} (FavoriteMan Class) - http://fad-403.mtl4....mviewer_101.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://download.winf...nnerInstall.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ZESOFT - Unknown owner - C:\WINDOWS\zeta.exe (file missing)

#2
therock247uk

Posted 28 July 2005 - 12:09 PM

Expert

Expert
14,672 posts

1. Run all these oline virus scans and tell me what they find.

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm
http://www3.ca.com/t...sinfo/scan.aspx

2. Then please download ewido security suite it is a free version of the program.

Install ewido security suite
When installing, under "Additional Options" uncheck..
- Install background guard
- Install scan via context menu
Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
You will need to update ewido to the latest definition files.
- On the left hand side of the main screen click update.
- Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")
Exit ewido. DO NOT scan yet.

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Download CCleaner and install it, but do not run it yet.

Please download this file: Revised Installer for the Nailfix Utility
Save it to your desktop.
DO NOT run it yet.

To reboot into SafeMode with Windows XP, you can follow these steps from Microsoft:

Next, please reboot your computer in SafeMode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Now open ewido and do a scan of your system.

Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.**
- You will need to step through the process of cleaning files one-by-one.
- If ewido detects a file you KNOW to be legitimate, select none as the action.
- DO NOT select "Perform action on all infections"
- If you are unsure of any entry found select none for now as the action.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.

**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

Now run HijackThis, click Scan, and place a checkmark next to each of the following items:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe

Close all open windows except for HJT, then click the Fix Checked button. Close HJT.

Now run CCleaner.

Uncheck "Cookies" under "Internet Explorer".
If running Firefox: click on the "Applications" tab and uncheck "Cookies" under "Firefox".
Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.

Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the report log from the Ewido scan by using Add Reply

#3
bigb3203

Posted 29 July 2005 - 02:37 PM

New Member

Topic Starter
Member
4 posts

I ran the three tests you first suggested and is this what they found:

FIRST SCAN:
HouseCall has found and cleaned malware. TROJ_IMISERV.C TROJ_DLOADER.FN
TROJ QOOLOGIC.N
TROJ QOOLOGIC.N
TROJ QOOLOGIC.N
TROJ NAIL.B
TROJ RVP.D
TROJ QOOLOGIC.N
TROJ QOOLOGIC.P
TROJ QOOLOGIC.P
TROJ QOOLOGIC.N
TROJ QOOLOGIC.N
TROJ QOOLOGIC.N
TROJ QOOLOGIC.N
TROJ AGENT.ABS
TROJ MIEWER.A
TROJ MIEWER.A
TROJ MIEWER.B
TROJ MIEWER.C
TROJ APROPO.H
TROJ MEIWER.A
TROJ MIEWER.A
TROJ MIEWER.E
TROJ STERVIS.C

(THAT IS ALL THE THINGS IT FOUND I COULDN'T FIGURE OUT A WAY TO COPY PASTE THE LOG IN SO I TYPED IT OUT)

Panda Active Scan:

Incident Status Location

Adware:Adware/DelFinMedia No disinfected C:\Documents and Settings\All Users\Application Data\wsxs\patchme.exe
Virus:Trj/Qoologic.G Disinfected C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nddk.exe
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\Marissa\Local Settings\Temp\!update.exe
Virus:Trj/Qoologic.G Disinfected C:\Documents and Settings\Marissa\Local Settings\Temp\1704.tmp
Virus:Trj/Bhotcher.A Disinfected C:\Documents and Settings\Marissa\Local Settings\Temp\1733.tmp
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Marissa\Local Settings\Temp\AutoUpdate0\auto_update_install.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Marissa\Local Settings\Temp\AutoUpdate0\setup.inf
Adware:Adware/DelFinMedia No disinfected C:\Documents and Settings\Marissa\Local Settings\Temp\rm05040901.Stub.exe
Adware:Adware/Transponder No disinfected C:\Documents and Settings\Marissa\Local Settings\Temp\temp.fr5EED
Adware:Adware/ExactSearch No disinfected C:\Documents and Settings\Marissa\Local Settings\Temp\temp.fr9F49\bin\nls.exe
Adware:Adware/Transponder No disinfected C:\Documents and Settings\Marissa\Local Settings\Temp\temp.frD438
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\Marissa\Local Settings\Temp\ZNQ\auraupg1.exe
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Marissa\Local Settings\Temporary Internet Files\Content.IE5\3BXJRPWW\marketing11[1].htm
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Marissa\Local Settings\Temporary Internet Files\Content.IE5\C7NJY89H\CAUHM3GT.HTM
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\Marissa\Local Settings\Temporary Internet Files\Content.IE5\FBM0TFHA\upexactpop[1].html
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Marissa\Local Settings\Temporary Internet Files\Content.IE5\LOG75P4P\auto_update[1]
Adware:Adware/ExactSearch No disinfected C:\Documents and Settings\Marissa\Local Settings\Temporary Internet Files\Content.IE5\LOG75P4P\installer_VENDARE[1].cab[installer_VENDARE.exe]
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\ProxyStub.dll
Adware:Adware/Apropos No disinfected C:\Program Files\Aprps\pstub0\proxystub.dll
Adware:Adware/Apropos No disinfected C:\Program Files\AutoUpdate\AutoUpdate.exe
Adware:Adware/BroadcastPC No disinfected C:\Program Files\Bpt\BPT.exe
Adware:Adware/BroadcastPC No disinfected C:\Program Files\Common Files\Java\bpt.cfg
Adware:Adware/BroadcastPC No disinfected C:\Program Files\Common Files\Java\bptre.exe
Adware:Adware/FlashTrack No disinfected C:\Program Files\Common Files\Java\ftkcpy.cfg
Adware:Adware/FlashTrack No disinfected C:\Program Files\Common Files\Java\xclean.exe
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe
Adware:Adware/E2Give No disinfected C:\Program Files\E2G\IeBHOs.dll
Adware:Adware/FlashTrack No disinfected C:\Program Files\Ftk\f.bak
Adware:Adware/FlashTrack No disinfected C:\Program Files\Ftk\ftk.dll
Adware:Adware/PurityScan No disinfected C:\Program Files\ipee\othb.exe
Adware:Adware/BroadcastPC No disinfected C:\Program Files\tvs\TVSv2.dll
Adware:Adware/BroadcastPC No disinfected C:\Program Files\tvs\TVS_B.exe
Adware:Adware/BroadcastPC No disinfected C:\Program Files\tvs\tvs_clean.exe
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\cfgmgr52.dll
Adware:Adware/Aurora No disinfected C:\WINDOWS\Nail.exe
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\piufmjee.exe
Adware:Adware/BookedSpace No disinfected C:\WINDOWS\sessrkeo.exe
Adware:Adware/Aurora No disinfected C:\WINDOWS\sushrj.exe
Adware:Adware/Transponder No disinfected C:\WINDOWS\svcproc.exe
Spyware:Spyware/Spyblocs No disinfected C:\WINDOWS\system32\antispy.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\auto_update_uninstall.exe
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\auto_update_uninstall.log
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\system32\better0503.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\bjyim.dll
Adware:Adware/ClkOptimizer No disinfected C:\WINDOWS\system32\datadx.dll
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\delfin.dll
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\delfin0406.dll
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\delfin0414.dll
Adware:Adware/ClkOptimizer No disinfected C:\WINDOWS\system32\dffggga.dll
Adware:Adware/Transponder No disinfected C:\WINDOWS\system32\DrPMon.dll
Adware:Adware/StatBlaster No disinfected C:\WINDOWS\system32\dwCumIZ.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\goldnew2b.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\goldnew2b0406.dll Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\goldnew2b0414.dll
Virus:Trj/Qoologic.G Disinfected C:\WINDOWS\system32\jaarrr.exe
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\javex80.vxd[nvms.dll]
Adware:Adware/ExactSearch No disinfected C:\WINDOWS\system32\javex80.vxd[nls.exe]
Adware:Adware/ClkOptimizer No disinfected C:\WINDOWS\system32\jddnn.dll
Adware:Adware/Transponder No disinfected C:\WINDOWS\system32\jeevlvm.exe
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\nsvsvc\nsv.ocx
Adware:Adware/DelFinMedia No disinfected C:\WINDOWS\system32\nsvsvc\nsvs.dll
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\pop317.dll
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\pop5.dll
Adware:Adware/Apropos No disinfected C:\WINDOWS\system32\pop7.dll
Adware:Adware/AdDestroyer No disinfected C:\WINDOWS\system32\PopOops.dll
Adware:Adware/AdDestroyer No disinfected C:\WINDOWS\system32\PopOops2.dll
Virus:Trj/Qoologic.G Disinfected C:\WINDOWS\system32\pqqaa.dat
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\r?gsvr32.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\Shex.exe
Spyware:Spyware/Spyblocs No disinfected C:\WINDOWS\system32\SplashSpot Games.exe
Adware:Adware/AdBehavior No disinfected C:\WINDOWS\system32\supdate.dll
Adware:Adware/AdDestroyer No disinfected C:\WINDOWS\system32\SWLAD1.dll
Adware:Adware/AdDestroyer No disinfected C:\WINDOWS\system32\SWLAD2.dll
Adware:Adware/WhileUSurf No disinfected C:\WINDOWS\system32\wys.dll
Adware:Adware/WhileUSurf No disinfected C:\WINDOWS\system32\wys.exe
Adware:Adware/StatBlaster No disinfected C:\WINDOWS\system32\YFP3.exe
Adware:Adware/BroadcastPC No disinfected C:\WINDOWS\Temp\bpc_inst.exe

Last Scan:

ei.exe Win32.Prutec!downloader

temp.frD438 Win32.BettInet.AL

AutoUpdate.exe Win32.Propo!downloader

dinst.exe Win32.SillyDl.TC

Nail.exe Win32.BettInet.BE

svcproc.exe Win32.BettInet.AD

dwCumIZ.exe Win32.WinFetch.B

jeevlvm.exe Win32.BettInet.AA

YFP3.exe Win32.WinFetch.B

(Currently I'm downloading the ewido security suite and i will follow those directions)

#4
bigb3203

Posted 29 July 2005 - 03:31 PM

New Member

Topic Starter
Member
4 posts

After all that the HiJackThis Log is

Logfile of HijackThis v1.99.1
Scan saved at 3:29:01 PM, on 7/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Bpt\bpt.exe
C:\program files\tvs\tvs_b.exe
C:\WINDOWS\System32\tcpdex.exe
C:\WINDOWS\System32\6top95.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\System32\6top95.exe
C:\WINDOWS\System32\swlparse.exe
C:\WINDOWS\System32\r?gsvr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\Program Files\ipee\othb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Marissa\Desktop\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\DOCUME~1\Marissa\LOCALS~1\Temp\28.exe\28.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ilion&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {8E37E1B0-077A-008E-2E26-78C2B65F46C3} - C:\WINDOWS\System32\hqoslda.dll (file missing)
O2 - BHO: (no name) - {ABDB74ED-9677-CCD6-7151-EF5B5F2063C7} - C:\WINDOWS\System32\ynwf.dll (file missing)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: FlashTEnhancer Ext - {D7E588AB-A5D9-4422-B313-22A3470F9700} - c:\Program Files\Ftk\ftk.dll
O2 - BHO: (no name) - {E33DEC1D-58F9-7628-DEE9-0082BC647B97} - C:\WINDOWS\System32\bjyim.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bcre.exe"
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [dwCumIZ] C:\windows\system32\dwCumIZ.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [YFP3] C:\windows\system32\YFP3.exe
O4 - HKLM\..\Run: [PopUp Buster+] C:\Documents and Settings\Marissa\Desktop\PopUpBuster\PopUpBuster\popupbuster.exe
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [tE7h34e] tcpdex.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jaarrr.exe reg_run
O4 - HKLM\..\Run: [itrptp] c:\windows\system32\ifqjga.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [cponRQK2h] swlparse.exe
O4 - HKCU\..\Run: [Ehc] C:\WINDOWS\System32\r?gsvr32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Aaou] C:\Program Files\ipee\othb.exe
O4 - HKCU\..\Run: [6top95] C:\WINDOWS\System32\6top95.exe
O4 - HKCU\..\RunOnce: [6top95] C:\WINDOWS\System32\6top95.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Grip.com - file://C:\Program Files\GRIPCZ29\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\PopUpBuster\popupbuster.exe
O9 - Extra 'Tools' menuitem: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\PopUpBuster\popupbuster.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/...nnerInstall.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

and EWIDO SCAN REPORT

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 3:23:18 PM, 7/29/2005
+ Report-Checksum: 1868305C

+ Scan result:

HKLM\SOFTWARE\AutoLoader -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\tto71ObWWNWM -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\AutoLoader\ttoH1ObWWNWM -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Bargains -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\BPT -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\131.zip -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\132.zip -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\133.zip -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\134.zip -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\135.zip -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\136.zip -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\137.zip -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\138.zip -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\139.zip -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\142.zip -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\BPT\28.exe -> Spyware.BroadcastPC : Cleaned with backup
HKLM\SOFTWARE\Classes\ADP.UrlCatcher -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\ADP.UrlCatcher\CLSID -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\BookedSpace.DLL -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CLSID -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CurVer -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{014DA6C9-189F-421a-88CD-07CFE51CFF10} -> Spyware.MySearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{417386C3-8D4A-4611-9B91-E57E89D603AC} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A8BD9566-9895-4FA3-918D-A51D4CD15865} -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D0070620-1E72-42E7-A14C-3A255AD31839} -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{EBBD88E5-C372-469D-B4C5-1FE00352AB9B} -> Spyware.FavoriteMan : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control -> Spyware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control\CLSID -> Spyware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\IeBHOs.Control\CurVer -> Spyware.E2G : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{05080E6B-A88A-4CFD-8C3D-9B2557670B6E} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{10D7DB96-56DC-4617-8EAB-EC506ABE6C7E} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{2BB15D36-43BE-4743-A3A0-3308F4B1A610} -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{41700749-A109-4254-AF13-BE54011E8783} -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6CDC3337-01F7-4A79-A4AF-0B19303CC0BE} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{795398D0-DC2F-4118-A69C-592273BA9C2B} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{890089B7-B385-442F-97B6-99060E8BD08F} -> Spyware.FlashTrack : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E1357} -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8EEE58D5-130E-4CBD-9C83-35A0564E5678} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B288F21C-A144-4CA2-9B70-8AFA1FAE4B06} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B548B7D8-3D03-4AED-A6A1-4251FAD00C10} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{B99A727F-0782-4A71-BCC2-6E1E66414904} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED11357} -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C6906A23-4717-4E1F-B6FD-F06EBED15678} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\NewFavorite.FavoriteMan -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\NewFavorite.FavoriteMan\CLSID -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\NewFavorite.FavoriteMan\CurVer -> Spyware.VX2 : Cleaned with backup
HKLM\SOFTWARE\Classes\NLS.UrlCatcher -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\NLS.UrlCatcher\CLSID -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\PopOops2.PopOops -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\PopOops2.PopOops\Clsid -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\SWLAD1.SWLAD\Clsid -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{2A7DB8D1-43BE-4AD3-A81E-9BB8C9D00073} -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{48E832EC-B061-49E2-BBC1-AC818623B742} -> Spyware.FlashTrack : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516B2C3} -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{4EB7BBE8-2E15-424B-9DDB-2CDB9516C2E3} -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{D0C29A75-7146-4737-98EE-BC4D7CF44AF9} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{E0D3B292-A0B0-4640-975C-2F882E039F52} -> Spyware.AdDestroyer : Cleaned with backup
HKLM\SOFTWARE\Classes\UnawareObj.UnawareObj -> Spyware.FlashTrack : Cleaned with backup
HKLM\SOFTWARE\Classes\UnawareObj.UnawareObj\CurVer -> Spyware.FlashTrack : Cleaned with backup
HKLM\SOFTWARE\ClickSpring -> Spyware.PurityScan : Cleaned with backup
HKLM\SOFTWARE\Envolo -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Envolo\AutoUpdate -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Envolo\AutoUpdate\State -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Envolo\AutoUpdate\Tasks -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{EBBD88E5-C372-469D-B4C5-1FE00352AB9B} -> Spyware.FavoriteMan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{016235BE-59D4-4CEB-ADD5-E2378282A1D9} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{EBBD88E5-C372-469D-B4C5-1FE00352AB9B} -> Spyware.FavoriteMan : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AproposClient -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AutoUpdate -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Mvu -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\NaviSearch -> Spyware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\skin -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick2 -> Spyware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick2\Internet Explorer -> Spyware.SurfSide : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\ZESOFT -> Spyware.NaviSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\ZESOFT\Security -> Spyware.NaviSearch : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Services\ZESOFT\Enum -> Spyware.NaviSearch : Cleaned with backup
HKU\S-1-5-21-3778217443-4174389276-1306762108-1007\Software\Apropos -> Spyware.AproposMedia : Cleaned with backup
HKU\S-1-5-21-3778217443-4174389276-1306762108-1007\Software\Mvu -> Spyware.Delfin : Cleaned with backup
HKU\S-1-5-21-3778217443-4174389276-1306762108-1007\Software\picsvr -> Spyware.Delfin : Cleaned with backup
HKU\S-1-5-21-3778217443-4174389276-1306762108-1007\Software\SurfSideKick2 -> Spyware.SurfSide : Cleaned with backup
HKU\S-1-5-21-3778217443-4174389276-1306762108-1007\Software\SurfSideKick2\Internet Explorer -> Spyware.SurfSide : Cleaned with backup
HKU\S-1-5-21-3778217443-4174389276-1306762108-1007\Software\VB and VBA Program Settings\VBouncer -> Spyware.VirtualBouncer : Cleaned with backup
HKU\S-1-5-21-3778217443-4174389276-1306762108-1007\Software\VB and VBA Program Settings\VBouncer\Settings -> Spyware.VirtualBouncer : Cleaned with backup
[1032] C:\WINDOWS\System32\datadx.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\wsxs\patchme.exe -> Spyware.Delfin : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nddk.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\marissa@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\marissa@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\[email protected][1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\[email protected][2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\[email protected][1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\marissa@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\[email protected][1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\marissa@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\marissa@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\marissa@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\marissa@clickagents[2].txt -> Spyware.Cookie.Clickagents : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\marissa@commission-junction[2].txt -> Spyware.Cookie.Commission-junction : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\marissa@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\[email protected][2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\marissa@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\marissa@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\marissa@linksynergy[1].txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\marissa@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\[email protected][1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\marissa@qksrv[1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\marissa@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\marissa@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\[email protected][2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\marissa@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\[email protected][2].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\marissa@targetnet[2].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\marissa@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\marissa@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\marissa@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\marissa@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Marissa\Cookies\[email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Marissa\Local Settings\Temp\AutoUpdate0\auto_update_install.exe -> Spyware.AproposMedia : Cleaned with backup
C:\Documents and Settings\Marissa\Local Settings\Temp\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Marissa\Local Settings\Temp\Cookies\[email protected][2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Marissa\Local Settings\Temp\rm05040901.Stub.exe -> Adware.eZula : Cleaned with backup
C:\Documents and Settings\Marissa\Local Settings\Temp\temp.fr9F49\bin\nls.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\Documents and Settings\Marissa\Local Settings\Temporary Internet Files\Content.IE5\FMLWTV3V\recinst[1].exe -> TrojanDownloader.Qoologic.x : Cleaned with backup
C:\Program Files\AutoUpdate\AutoUpdate.exe -> TrojanDownloader.Apropo.g : Cleaned with backup
C:\Program Files\Common Files\Java\bptre.exe -> Spyware.BroadcastPC : Cleaned with backup
C:\Program Files\Common Files\Java\xclean.exe -> Spyware.Broadcap.b : Cleaned with backup
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.Delfin : Cleaned with backup
C:\Program Files\Ftk\ftk.dll -> Spyware.FlashEnhancer : Cleaned with backup
C:\WINDOWS\cfgmgr52.dll -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\dsr.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\dsr.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\piufmjee.exe -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\pxrmjbmeavm.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\sessrkeo.exe -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\sushrj.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\system32\antispy.exe -> Spyware.AdURL : Cleaned with backup
C:\WINDOWS\system32\auto_update_uninstall.exe -> Spyware.AproposMedia : Cleaned with backup
C:\WINDOWS\system32\bccnnnx.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\WINDOWS\system32\conres.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\datadx.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\dffggga.dll -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\WINDOWS\system32\dwCumIZ.exe -> Spyware.WinFetcher : Cleaned with backup
C:\WINDOWS\system32\goldnew2b.dll -> TrojanDropper.Miewer.f : Cleaned with backup
C:\WINDOWS\system32\goldnew2b0406.dll -> TrojanDropper.Miewer.f : Cleaned with backup
C:\WINDOWS\system32\goldnew2b0414.dll -> TrojanDropper.Miewer.f : Cleaned with backup
C:\WINDOWS\system32\ifqjga.exe -> Trojan.Agent.cp : Cleaned with backup
C:\WINDOWS\system32\jaarrr.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\WINDOWS\system32\javex80.vxd/C:/WINDOWS/System32/nvms.dll -> Spyware.BargainBuddy : Error during cleaning
C:\WINDOWS\system32\javex80.vxd/C:/Program Files/NaviSearch/bin/nls.exe -> Spyware.BargainBuddy : Error during cleaning
C:\WINDOWS\system32\jddnn.dll -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\WINDOWS\system32\jeevlvm.exe -> Trojan.Agent.cp : Cleaned with backup
C:\WINDOWS\system32\midad.dll -> TrojanDownloader.Miewer.a : Cleaned with backup
C:\WINDOWS\system32\midad0406.dll -> TrojanDownloader.Miewer.a : Cleaned with backup
C:\WINDOWS\system32\nsvsvc\nsv.ocx -> Spyware.Delfin : Cleaned with backup
C:\WINDOWS\system32\nsvsvc\nsvs.dll -> Spyware.Delfin : Cleaned with backup
C:\WINDOWS\system32\pop5.dll -> TrojanDropper.Miewer.a : Cleaned with backup
C:\WINDOWS\system32\pop7.dll -> TrojanDropper.Miewer.a : Cleaned with backup
C:\WINDOWS\system32\PopOops.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\system32\PopOops2.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\system32\ssk.dll -> TrojanDownloader.Miewer.a : Cleaned with backup
C:\WINDOWS\system32\supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\system32\svc.dll -> TrojanDropper.Miewer.a : Cleaned with backup
C:\WINDOWS\system32\SWLAD1.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\system32\SWLAD2.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\system32\tv0510.dll -> TrojanDropper.Miewer.f : Cleaned with backup
C:\WINDOWS\system32\tv2.dll -> TrojanDropper.Miewer.a : Cleaned with backup
C:\WINDOWS\system32\tv30406.dll -> TrojanDropper.Miewer.a : Cleaned with backup
C:\WINDOWS\system32\tvnew.dll -> TrojanDropper.Miewer.a : Cleaned with backup
C:\WINDOWS\system32\wys.exe -> Spyware.WhileSurf : Cleaned with backup
C:\WINDOWS\system32\wys5.dll -> TrojanDownloader.Miewer.e : Cleaned with backup
C:\WINDOWS\system32\YFP3.exe -> Spyware.WinFetcher : Cleaned with backup

::Report End

#5
therock247uk

Posted 29 July 2005 - 03:50 PM

Expert

Expert
14,672 posts

1. Make sure your PC is set to show all hidden files and folders go here for instructions on how to do this. http://www.xtra.co.n...1916458,00.html

2. Boot into safemode to do this keep tapping F8 on your keyboard while your PC is starting up you will get a menu select safemode.

3. While in safemode open Hijackthis and click scan. Then tick and fix the following in Hijackthis with all windows closed except Hijackthis.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {8E37E1B0-077A-008E-2E26-78C2B65F46C3} - C:\WINDOWS\System32\hqoslda.dll (file missing)
O2 - BHO: (no name) - {ABDB74ED-9677-CCD6-7151-EF5B5F2063C7} - C:\WINDOWS\System32\ynwf.dll (file missing)
O2 - BHO: FlashTEnhancer Ext - {D7E588AB-A5D9-4422-B313-22A3470F9700} - c:\Program Files\Ftk\ftk.dll
O2 - BHO: (no name) - {E33DEC1D-58F9-7628-DEE9-0082BC647B97} - C:\WINDOWS\System32\bjyim.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bcre.exe"
O4 - HKLM\..\Run: [BPT] "C:\Program Files\Bpt\bpt.exe"
O4 - HKLM\..\Run: [dwCumIZ] C:\windows\system32\dwCumIZ.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [YFP3] C:\windows\system32\YFP3.exe
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\ftkcpy.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [tE7h34e] tcpdex.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\jaarrr.exe reg_run
O4 - HKLM\..\Run: [itrptp] c:\windows\system32\ifqjga.exe
O4 - HKCU\..\Run: [cponRQK2h] swlparse.exe
O4 - HKCU\..\Run: [Ehc] C:\WINDOWS\System32\r?gsvr32.exe
O4 - HKCU\..\Run: [Aaou] C:\Program Files\ipee\othb.exe
O4 - HKCU\..\Run: [6top95] C:\WINDOWS\System32\6top95.exe
O4 - HKCU\..\RunOnce: [6top95] C:\WINDOWS\System32\6top95.exe
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/...nnerInstall.cab

4. Delete the folders. (if present)

C:\Program Files\E2G
c:\Program Files\Ftk
C:\Program Files\Bpt
C:\WINDOWS\System32\nsvsvc
C:\program files\tvs
C:\Program Files\AutoUpdate
C:\Program Files\ipee

5. Delete the files. (if present)

C:\WINDOWS\dsr.dll
C:\Program Files\Common Files\Java\bcre.exe
C:\Program Files\Common Files\Java\ftkcpy.exe
C:\windows\system32\YFP3.exe
C:\WINDOWS\dinst.exe
C:\WIndows\tcpdex.exe or C:\WIndows\System32\tcpdex.exe
C:\WINDOWS\System32\jaarrr.exe
c:\windows\system32\ifqjga.exe
C:\Windows\swlparse.exe or C:\Windows\System32\swlparse.exe
C:\WINDOWS\System32\6top95.exe

6. Reboot and post a new Hijackthis log here in a reply.

#6
bigb3203

Posted 29 July 2005 - 04:18 PM

New Member

Topic Starter
Member
4 posts

Here's the new log

Logfile of HijackThis v1.99.1
Scan saved at 4:17:34 PM, on 7/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\WINDOWS\System32\r?gsvr32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\program files\tvs\tvs_b.exe
C:\Program Files\ipee\othb.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Marissa\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...ilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: FlashTEnhancer Ext - {D7E588AB-A5D9-4422-B313-22A3470F9700} - c:\Program Files\Ftk\ftk.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TV Now] C:\Program Files\HPQ\Notebook Utilities\TvNow.exe /RK
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PopUp Buster+] C:\Documents and Settings\Marissa\Desktop\PopUpBuster\PopUpBuster\popupbuster.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [FtkCPY] "C:\Program Files\Common Files\Java\Ftkcpy.exe"
O4 - HKLM\..\Run: [tvs_b] C:\program files\tvs\tvs_b.exe
O4 - HKLM\..\RunOnce: [tvs_re] c:\Program Files\Common Files\Java\tvs_re_inst.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [Ehc] C:\WINDOWS\System32\r?gsvr32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\SIMPLE~1\PHOTOS~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [Aaou] C:\Program Files\ipee\othb.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Grip.com - file://C:\Program Files\GRIPCZ29\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\PopUpBuster\popupbuster.exe
O9 - Extra 'Tools' menuitem: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\PopUpBuster\popupbuster.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#7
therock247uk

Posted 29 July 2005 - 04:21 PM

Expert

Expert
14,672 posts

#8
therock247uk

Posted 18 August 2005 - 06:57 AM

Expert

Expert
14,672 posts

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.