My Problem (classic virus...) [CLOSED]


  • This topic is locked

#1
Ted T_T (New Member, 7 posts)
Hello! I hope you can help me! ;)

Okay, I am posting on my brother's computer because mine has recently gone crazy. I was having internet browser problems a few days ago so I searched using SpyBot, Adaware, and AVG. Norton Antivirus had an error and couldn't boot so I uninstalled it for the time being. After all viruses were detected and destroyed, my computer seemed back to normal. However, the next day when it booted up it was filled with processes that multiplied themselves, and the computer is/was unusable.

The computer gets extra processes that are called "~26.tmp.exe" and "~T.tmp.exe" numbering higher and higher as time goes by. I cannot stop the processes because the processes are grayed out and the task manager won't give me access to stop anything.

I tried booting with safe mode, but the virus continues and I cannot scan the computer to delete it. I can't even download or get a web browser open. I tried system restoring to two months ago, one month ago, and a few weeks - none worked, nothing changed.

So here I am, hoping that someone knows of this virus and how to kill it!

Thank you for your time!

#2
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Welcome to GTG.

Please read the first link in my signature and follow the steps outlined there. When you are ready, post the HijackThis log here.

#3
Ted T_T (Topic Starter, New Member, 7 posts)
I cannot download nor use any programs on my computer, is there any way to fix this?

Edited by Ted T_T, 30 July 2005 - 10:41 AM.


#4
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
You mean using this computer right? Try getting it on another computer (get all of them while you are at it) and burn them on a CD. Take the CD home and copy it over to this computer and run the scans.

#5
Ted T_T (Topic Starter, New Member, 7 posts)
After I log on the computer (admin), the computer is overtaken by too many processes and cannot function. I cannot run ANY programs, or even get in a cd drive. Safe Mode does not fix this.

Sorry, it's very frustrating.

#6
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Do a Ctrl+Alt+Del and try killing all those randomly named files. See if you can decrease the amount running there. If not, try killing explorer.exe also. End that process and see if they still run like crazy.

If not, now start running those programs off the CD. If explorer.exe is needed back again, go to File->New Task and type in explorer and hit OK.

#7
Ted T_T (Topic Starter, New Member, 7 posts)
Okay, I managed to get a HijackThis log scan:

Logfile of HijackThis v1.99.1
Scan saved at 8:45:43 PM, on 7/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ventrilo\Ventrilo.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Administrator\My Documents\Downloads\Hijack This\hijackthis\HijackThis.exe
C:\Documents and Settings\Administrator\My Documents\Downloads\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [cburhd] C:\WINDOWS\system32\jzzuwhk.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunServices: [cburhd] C:\WINDOWS\system32\jzzuwhk.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\COMPAQ~1\Presario\XPPNARP4EN\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Short Message - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/...id=U_fh666_5427 (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_8742.dll' missing
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildt...lim/install.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.reds...rsinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EBF131B-3E66-46FB-955D-1767D9860948}: NameServer = 192.168.254.254
O23 - Service: AOL Instant Messenger (AOL Instant Messenger) - Unknown owner - C:\WINDOWS\rofl.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe



Hope this helps!

#8
greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

Download LSPFix http://www.greyknigh.../spy/LSPFix.exe and run it. Click on xfire_lsp_8742.dll on the left window and click on the arrow pointing to the right. Click Finish and follow the prompts.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Make sure to close any open browsers. Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Viewpoint

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
O1 - Hosts: 255.255.255.255 ar.atwola.com atdmt.com avp.ch avp.com avp.ru awaps.net ca.com dispatch.mcafee.com download.mcafee.com download.microsoft.com downloads.microsoft.com engine.awaps.net f-secure.com ftp.f-secure.com ftp.sophos.com go.microsoft.com liveupdate.symantec.com mast.mcafee.com mcafee.com msdn.microsoft.com my-etrust.com nai.com networkassociates.com office.microsoft.com phx.corporate-ir.net secure.nai.com securityresponse.symantec.com service1.symantec.com sophos.com spd.atdmt.com support.microsoft.com symantec.com update.symantec.com updates.symantec.com us.mcafee.com vil.nai.com viruslist.ru windowsupdate.microsoft.com www.avp.ch www.avp.com www.avp.ru www.awaps.net www.ca.com www.f-secure.com www.kaspersky.ru www.mcafee.com www.my-etrust.com www.nai.com www.networkassociates.com www.sophos.com www.symantec.com www.trendmicro.com www.viruslist.com www.viruslist.ru www3.ca.com
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [cburhd] C:\WINDOWS\system32\jzzuwhk.exe
O4 - HKLM\..\RunServices: [cburhd] C:\WINDOWS\system32\jzzuwhk.exe
O9 - Extra button: Short Message - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/...id=U_fh666_5427 (file missing)
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildt...lim/install.cab
O23 - Service: AOL Instant Messenger (AOL Instant Messenger) - Unknown owner - C:\WINDOWS\rofl.exe (file missing)


Delete the following Files/Folders (delete folders if no filename is specified) according to their directory (if none, just do a search for them) and delete them if they exist:

C:\Program Files\Viewpoint\
C:\WINDOWS\system32\jzzuwhk.exe
C:\WINDOWS\rofl.exe


Restart and run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the free online scan. If any viruses/trojans are detected, try to delete or clean them in that site. If any are not cleanable, copy and paste the infected files here. You may also use Panda ActiveScan at http://www.pandasoft...ucts/activescan. Post the log from the Panda scan here.

Restart and run a new HijackThis scan. Save the log file and post it here.
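The entries greyknight17 singles out above follow a recognisable pattern: a hosts file that points antivirus and Windows Update domains at an unreachable address (so the infection cannot be cleaned by the installed scanner), one unknown executable registered under both Run and RunServices, a broken LSP chain, and a service whose binary is missing. As an added example, not code from this thread or from HijackThis, the following Python script applies those same checks to a HijackThis log automatically. The log excerpt is constructed from lines posted earlier in this thread (shortened), and the vendor keyword list and the set of null-route addresses are assumptions of the example.

```python
"""Triage a HijackThis v1.99 log for the signs discussed in this thread.

Added example, not part of HijackThis or of this thread. The checks are:
  O1  - hosts-file entries that point security-vendor / update domains at a
        non-routable address (this blocks AV updates, as in the posted log)
  O4  - one executable registered in more than one autostart location
        (Run + RunServices), a common persistence pattern
  O10 - a broken Winsock LSP chain
  O23 - services with an unknown owner or a missing binary
"""
import re
from collections import defaultdict

# Assumption: substrings identifying security vendors and update hosts (constructed list).
VENDOR_KEYWORDS = ("symantec", "mcafee", "nai.com", "networkassociates",
                   "f-secure", "sophos", "kaspersky", "avp.", "trendmicro",
                   "etrust", "ca.com", "viruslist", "microsoft")
# Assumption: addresses that make a hostname unreachable when placed in hosts.
NULL_ROUTE_IPS = {"255.255.255.255", "0.0.0.0", "127.0.0.1"}

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+) (.+)$")
O4_RE = re.compile(r"^O4 - (\S+): \[([^\]]*)\] (.*)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
EXE_RE = re.compile(r'"?(.+?\.exe)"?', re.IGNORECASE)

# Constructed excerpt of the log posted earlier in this thread (shortened).
SAMPLE_LOG = r"""
O1 - Hosts: 255.255.255.255 avp.com dispatch.mcafee.com download.microsoft.com liveupdate.symantec.com windowsupdate.microsoft.com www.f-secure.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [cburhd] C:\WINDOWS\system32\jzzuwhk.exe
O4 - HKLM\..\RunServices: [cburhd] C:\WINDOWS\system32\jzzuwhk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Broken Internet access because of LSP provider 'xfire_lsp_8742.dll' missing
O23 - Service: AOL Instant Messenger (AOL Instant Messenger) - Unknown owner - C:\WINDOWS\rofl.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""


def executable_of(command):
    """Return the program an autostart command launches, quoted or not.

    Unquoted paths with spaces ("C:\\Program Files\\...\\x.exe /r") are handled by
    cutting at the first '.exe' rather than at the first space.
    """
    command = command.strip()
    m = EXE_RE.match(command)
    return m.group(1) if m else command.split(" ")[0]


def triage(log_text):
    """Return a list of (section, message) findings for one HijackThis log."""
    findings = []
    autostart = defaultdict(set)  # lower-cased executable -> autostart keys it appears under
    for line in log_text.strip().splitlines():
        m = HOSTS_RE.match(line)
        if m:
            ip, hosts = m.group(1), m.group(2).split()
            blocked = [h for h in hosts if any(k in h for k in VENDOR_KEYWORDS)]
            if blocked and ip in NULL_ROUTE_IPS:
                findings.append(("O1", f"hosts file points {len(blocked)} security/update domains at {ip}"))
            continue
        m = O4_RE.match(line)
        if m:
            key, _name, command = m.groups()
            autostart[executable_of(command).lower()].add(key)
            continue
        m = O23_RE.match(line)
        if m:
            name, owner, path = m.groups()
            if owner == "Unknown owner" or path.endswith("(file missing)"):
                findings.append(("O23", f"service '{name}': owner={owner!r}, path={path!r}"))
            continue
        if line.startswith("O10 - Broken Internet access"):
            findings.append(("O10", line[len("O10 - "):]))
    # The same binary under several autostart keys is worth a second look.
    for exe, keys in autostart.items():
        if len(keys) > 1:
            findings.append(("O4", f"{exe} is registered in {len(keys)} autostart locations: {sorted(keys)}"))
    return findings


if __name__ == "__main__":
    for code, message in triage(SAMPLE_LOG):
        print(f"[{code}] {message}")
```

Run against the excerpt it reports four findings, one per check, and the O4 finding names C:\WINDOWS\system32\jzzuwhk.exe, the same entry greyknight17 lists under both HKLM\..\Run and HKLM\..\RunServices. The keyword match is deliberately loose (it would also flag an unrelated host containing "ca.com"), so treat its output as a list of entries to review, not as a verdict.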

#9
Ted T_T (Topic Starter, New Member, 7 posts)
Okay, here is the panda log:


Incident Status Location

Virus:W32/Baxbo.A Disinfected Operating system
Adware:adware/keenvalue No disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Adware:adware/midaddle No disinfected C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\addit.exe
Adware:adware/ipinsight No disinfected C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\alchem.inf
Adware:adware/ncase No disinfected C:\WINDOWS\msbb.exe.temp
Spyware:spyware/clearsearch No disinfected C:\PROGRAM FILES\ClearSearch
Adware:adware/sidesearch No disinfected C:\PROGRAM FILES\Lycos
Adware:adware/memorywatcher No disinfected C:\PROGRAM FILES\MemoryWatcher
Adware:adware/ezula No disinfected C:\PROGRAM FILES\Web Offer
Adware:adware/dealhelper No disinfected C:\WINDOWS\SYSTEM32\Newmsrdk
Adware:adware/wintools No disinfected C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\msiein
Adware:adware/twain-tech No disinfected C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\TEMP\THI3CE7.tmp
Spyware:spyware/searchcentrix No disinfected HKEY_CURRENT_USER\SOFTWARE\DYNAMIC TOOLBAR
Adware:adware/savenow No disinfected HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET
Adware:adware/virtualbouncer No disinfected HKEY_CLASSES_ROOT\CLSID\{D52433A9-A44C-43AB-A013-24B3C756DD2B}
Adware:adware/redswoosh No disinfected HKEY_CLASSES_ROOT\CLSID\{FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75}
Adware:adware/gator No disinfected HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CTLS
Adware:adware/powerscan No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\BANDREST
Adware:adware/cws No disinfected HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\START PAGE_BAK
Adware:Adware/Midaddle No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\addit.exe
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\alchem.inf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\alchem.ini
Virus:Trj/Multidropper.KH Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\all_files10.exe
Adware:Adware/WinTools No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\temp.cab[toolbar.dll]
Adware:Adware/Twain-Tech No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\THI4DF9.tmp\twaintec.cab
Adware:Adware/Twain-Tech No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\THI7CBC.tmp\twaintec.inf
Adware:Adware/Gatorclone No disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\vrdda.dat
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~2.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~27.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~28.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~29.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~2A.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~2B.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~3C.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~3D.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~3E.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~3F.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~40.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~41.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~42.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~43.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~44.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~45.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~46.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~47.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~48.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~49.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~4A.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~4B.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~4C.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~4D.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~4E.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~4F.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~50.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~51.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~52.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~53.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~54.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~55.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~56.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~57.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~58.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~59.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~5A.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~5B.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~5C.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~5D.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~5E.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~5F.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~6.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~60.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~61.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~62.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~63.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~64.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~65.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~66.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~67.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~68.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~69.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~6A.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~6B.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~6C.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~6D.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~6E.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~6F.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~70.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~71.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~72.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~73.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~74.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~75.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~76.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~77.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~78.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~79.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~7A.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~7B.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~7C.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~7D.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~7E.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~7F.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~80.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~81.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~82.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~83.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~84.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~85.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~86.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~87.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~88.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~89.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~8A.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~8B.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~8C.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~8D.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~8E.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~8F.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~90.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~91.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~92.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~93.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~94.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~95.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~96.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~97.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~98.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~99.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~9A.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~9B.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~9C.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~9D.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~9E.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~9F.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~A.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~A0.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~A1.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~A2.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~A3.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~A4.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~A5.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~A6.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~A7.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~A8.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~A9.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~AA.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~AB.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~AC.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~AD.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~AE.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~AF.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~B.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~B0.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~B1.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~B2.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~B3.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~B4.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~B5.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~B6.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~B7.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~B8.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~BD.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~BE.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~C4.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~C7.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~C9.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~D3.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~D7.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~D9.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~DC.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~DD.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~DE.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~DF.tmp.exe
Virus:W32/Bobax.AU.worm Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~DF5.tmp
Virus:W32/Bobax.AT.worm Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~DFF.tmp
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~E0.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~E1.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~E2.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~E3.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~E5.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~E6.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~E8.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~EB.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~ED.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~EE.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~F1.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~F2.tmp.exe
Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~F4.tmp.exe

Edited by Ted T_T, 01 August 2005 - 03:38 PM.

  • 0

#10
Ted T_T

Ted T_T

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
continued:

Virus:W32/Baxbo.A Disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\~F7.tmp.exe
Possible Virus. No disinfected C:\Documents and Settings\Administrator\My Documents\Downloads\Hijack This\hijackthis\backup-20040215-125926-362.dll
Virus:W32/Baxbo.A Disinfected C:\Program Files\AIM\aim.exe
Virus:W32/Baxbo.A Disinfected C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Virus:W32/Baxbo.A Disinfected C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe
Spyware:Spyware/XXXToolbar No disinfected C:\Program Files\Mozilla Firefox\install.log
Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf
Virus:W32/Baxbo.A Disinfected C:\WINDOWS\system32\aeyhunmsetbi.exe
Virus:W32/Baxbo.A Disinfected C:\WINDOWS\system32\crjhiacelnae.exe
Virus:W32/Baxbo.A Disinfected C:\WINDOWS\system32\ctfmon.exe.tmp
Virus:Trj/Qhost.AD Disinfected C:\WINDOWS\system32\drivers\etc\hosts.bak
Virus:W32/Baxbo.A Disinfected C:\WINDOWS\system32\hxstq.exe
Virus:W32/Baxbo.A Disinfected C:\WINDOWS\system32\nwiz.exe
Virus:W32/Baxbo.A Disinfected C:\WINDOWS\system32\ps2.exe.tmp
Virus:W32/Baxbo.A Disinfected C:\WINDOWS\system32\wchkeukkzqcfn.exe
Virus:W32/Baxbo.A Disinfected C:\WINDOWS\system32\wcmnke.exe
Virus:W32/Baxbo.A Disinfected C:\WINDOWS\system32\yaschmj.exe
Virus:W32/Baxbo.A Disinfected C:\WINDOWS\system32\ynjixidnpxka.exe
Virus:W32/Baxbo.A Disinfected C:\WINDOWS\system32\ztxqhntythtxy.exe
  • 0

#11
Ted T_T

Ted T_T

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 5:33:29 PM, on 8/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Administrator\My Documents\Downloads\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunServices: [cburhd] C:\WINDOWS\system32\qfqpa.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\COMPAQ~1\Presario\XPPNARP4EN\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_02\bin\npjpi141_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75} (InstallCtl Class) - http://download.reds...rsinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{9EBF131B-3E66-46FB-955D-1767D9860948}: NameServer = 192.168.254.254
O23 - Service: AOL Instant Messenger (AOL Instant Messenger) - Unknown owner - C:\WINDOWS\rofl.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
  • 0

#12
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Check and fix these in HijackThis:

O4 - HKLM\..\RunServices: [cburhd] C:\WINDOWS\system32\qfqpa.exe
O23 - Service: AOL Instant Messenger (AOL Instant Messenger) - Unknown owner - C:\WINDOWS\rofl.exe (file missing)


Uninstall these from Add/Remove panel if listed:

Memory Watcher
Web Offer
ClearSearch
Lycos


Delete these if found:

C:\Program Files\Mozilla Firefox\install.log
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
C:\WINDOWS\msbb.exe.temp
C:\PROGRAM FILES\ClearSearch
C:\PROGRAM FILES\Lycos
C:\PROGRAM FILES\MemoryWatcher
C:\PROGRAM FILES\Web Offer
C:\WINDOWS\SYSTEM32\Newmsrdk
C:\WINDOWS\system32\qfqpa.exe


Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
[-HKEY_CURRENT_USER\SOFTWARE\DYNAMIC TOOLBAR]
[-HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\MAGNET]
[-HKEY_CLASSES_ROOT\CLSID\{D52433A9-A44C-43AB-A013-24B3C756DD2B}]
[-HKEY_CLASSES_ROOT\CLSID\{FF0C042C-98E9-4C36-B2EC-E21FDFDCEF75}]
[-HKEY_USERS\.DEFAULT\SOFTWARE\MICROSOFT\SYSTEMCERTIFICATES\TRUSTEDPUBLISHER\CTLS]
[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\BANDREST]
[-HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN\START PAGE_BAK]


Save the file as "delete.reg". Make sure to save it with the quotes. Double click on it and choose Yes to merge it. You may delete the file afterwards.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if the main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
[X]Scan local drives for temporary files (Please uncheck this option)
* Cleanup! All Users

Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Run a new Panda scan and post that log along with a new HijackThis log.
  • 0
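A small triage pass over HijackThis O4/O23 lines, as an added example (not code from this thread or from HijackThis itself): it flags the two kinds of entry greyknight17 singled out in the post above, a RunServices autostart pointing at an unrecognised system32 binary and a service whose binary is missing. The sample lines and the tiny allowlist are constructed from the log posted in this thread; the allowlist stands in for the analyst's knowledge of known-good entries.

```python
import re

# Constructed sample in HijackThis v1.99.1 format (same shape as the log in post #11).
SAMPLE_HJT = r"""O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [cburhd] C:\WINDOWS\system32\qfqpa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: AOL Instant Messenger (AOL Instant Messenger) - Unknown owner - C:\WINDOWS\rofl.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# O4: "<hive>\..\<key>: [<name>] <command line>"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# O23: "Service: <display> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(r"^O23 - Service: .+? - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

# Constructed allowlist: benign system32 autostarts seen in the thread's log (analyst knowledge).
KNOWN_SYSTEM32 = {"ctfmon.exe", "nwiz.exe", "ps2.exe"}


def _exe_of(cmd):
    """First token of a command line, with surrounding quotes stripped."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def triage(log_text):
    """Return [(line, reason)] for HijackThis entries an analyst would look at first."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            exe = _exe_of(m.group("cmd"))
            base = exe.rsplit("\\", 1)[-1].lower()
            if m.group("key").lower() == "runservices":
                findings.append((line, "RunServices key: legacy autostart rarely used by legitimate XP software"))
            if "\\system32\\" in exe.lower() and base.endswith(".exe") and base not in KNOWN_SYSTEM32:
                findings.append((line, "unrecognised executable in system32: " + base))
            continue
        m = O23_RE.match(line)
        if m and m.group("missing"):
            findings.append((line, "service binary missing: " + m.group("path")))
    return findings


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_HJT):
        print(why, "<-", entry)
```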

#13
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
