Aurora virus [RESOLVED]


#1 sperry1b (Member, 12 posts)
I have the Aurora virus on my computer and am getting killed with pop-ups. Please help me remove this. Here is the Hijack This file:

Logfile of HijackThis v1.99.1
Scan saved at 10:29:25 PM, on 8/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\BacsTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
c:\windows\system32\vlgtzr.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\CMAPP\Client\cmappclient.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\System32\hojvmwtn.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\System32\lanbrup.exe
O4 - HKLM\..\Run: [lmscdll] C:\WINDOWS\lmscdll.EXE
O4 - HKLM\..\Run: [lmscenc] C:\WINDOWS\lmscenc.EXE
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\msresearch.exe
O4 - HKLM\..\Run: [dv5qhfnw] C:\Program Files\dv5qhfnw\dv5qhfnw.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [zjfpkv] c:\windows\system32\vlgtzr.exe r
O4 - HKLM\..\RunOnce: [MicrosoftAntiSpywareCleaner] C:\Program Files\Microsoft AntiSpyware\gcASCleaner.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123128791158
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

#2 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Hi sperry1b, welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your problem.

We need to do a general overall cleanup of your system at this time

1. Download and Run a free trial version of an anti-trojan program called Trojan Hunter: HERE
  • Let it scan your whole system and remove anything it finds.
  • REBOOT your system.
2. Run Panda, a free online antivirus scan from HERE
  • Let it remove anything it finds.
  • REBOOT your system.
3. Download, install, update, configure, and run Ad-Aware SE Personal 1.06.
  • Download Ad-Aware SE Personal 1.06:
  • Install Ad-Aware SE Personal 1.06:
    • Double-click on aawsepersonal.exe to install the program.
    • Follow the default settings for installation.
    • After the program has finished installing uncheck the "Perform a full system scan now", "Update definition file now", and "Open the help file now" boxes.
  • Update Ad-Aware SE Personal 1.06:
    • Double-click the Ad-Aware SE Personal icon on your desktop.
    • Click "Check for updates now" then click "Connect".
    • It will check for any updates. If any are found click "OK" to download and install the updates. Once it has finished click "Finish".
  • Configure Ad-Aware SE Personal 1.06:
    • Click on the Gear button at the top of the window.
    • Click "General" on the left hand side to display the General Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
        • "Automatically save logfile"
        • "Automatically quarantine objects prior to removal"
        • "Safe Mode (always request confirmation)"
        • "Prompt to update outdated definitions" - change to 7 days from the default 14.
    • Click "Scanning" on the left hand side to display the Scan Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
      • "Scan within archives"
      • "Select drives & folders to scan" - select your hard drive(s).
      • "Scan active processes"
      • "Scan registry"
      • "Deep-scan registry"
      • "Scan my IE favorites for banned URLs"
      • "Scan my Hosts file"
    • Click "Advanced" on the left hand side to display the Advanced Settings box.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
      • "Move deleted files to Recycle Bin"
      • "Include additional object information"
      • "Include negligible objects information"
      • "Include environment information"
    • Click "Defaults" on the left hand side to display the Default Settings box.
      • Make sure these items have your preferred settings in them.:
      • "Default homepage"
      • "Default searchpage"
    • Click "Tweak" on the left hand side to display the Tweak Settings box.
      • Click the + (plus) sign next to the Log Files section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
        • "Include basic Ad-Aware settings in log file"
        • "Include additional Ad-Aware settings in log file"
        • "Include reference summary in log file"
        • "Include alternate data stream details in log file"
      • Click the + (plus) sign next to the Scanning Engine section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
        • "Unload recognized processes & modules during scan"
        • "Scan registry for all users instead of current user only"
        • "Obtain command line of scanned processes"
      • Click the + (plus) sign next to the Cleaning Engine section. This will expand the section.
      • Make sure these items have a green check next to them. If they do not, click once on the circle next to them to put a green checkmark in it.:
        • "Always try to unload modules before deletion"
        • "During removal, unload Explorer and IE if necessary"
        • "Let Windows remove files in use at next reboot"
        • "Delete quarantined objects after restoring"
    • Once you are done with these settings, click "Proceed" to save them.
    • This will take you back to the main screen.
  • Run Ad-Aware SE Personal 1.06:
    • Click the "Start" button.
    • Uncheck the "Search for negligible risk entries" entry.
    • Choose the "Use custom scanning options" scan mode.
    • Click the "Next" button.
    • Ad-Aware will begin to scan for malware residing on your computer.
    • Allow the scan to finish.
    • Right-click on any entry in the list and click "Select All" to select the whole list.
    • Click "Next" and choose "OK" at the prompt to quarantine and remove the objects.
    • REBOOT your system.
4. Download the .exe format of Cleanup by Steven Gould from: HERE
  • A window will open and choose SAVE, then DESKTOP as the destination.
  • On your Desktop, click on Cleanup40.exe icon.
  • Then, click RUN and place a checkmark beside "I Agree"
  • Then click NEXT followed by START and OK.
  • A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
  • Click OK
  • Finally click "CleanUp"
The program will probably ask you to reboot. If it doesn't, then REBOOT your system yourself.

5. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren


#3 sperry1b (Topic Starter, Member, 12 posts)
Trevuren-

Thanks for your help. I did as you instructed. Here is the post from Hijack This:

Logfile of HijackThis v1.99.1
Scan saved at 8:04:44 PM, on 8/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\BacsTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\WINDOWS\System32\lexpps.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Messenger\msmsgs.exe
c:\windows\system32\cxknjgb.exe
C:\Program Files\CMAPP\Client\cmappclient.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\System32\hojvmwtn.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\System32\lanbrup.exe
O4 - HKLM\..\Run: [lmscdll] C:\WINDOWS\lmscdll.EXE
O4 - HKLM\..\Run: [lmscenc] C:\WINDOWS\lmscenc.EXE
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\msresearch.exe
O4 - HKLM\..\Run: [dv5qhfnw] C:\Program Files\dv5qhfnw\dv5qhfnw.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [qguncg] c:\windows\system32\cxknjgb.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123128791158
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

#4 Trevuren (Old Dog, Retired Staff, 18,699 posts)
Please print out or copy this page to Notepad for we will be doing most of our work in Safe Mode. Make sure to work through the steps in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fix.
  • Download a free trial version of Ewido security suite
  • Install Ewido security suite
    • When installing, under "Additional Options" uncheck:
      • Install background guard
      • Install scan via context menu
  • Launch Ewido, there should be an icon on your desktop, double-click it.
    • The program will now open to the main screen.
    • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
    • The update will start and a progress bar will show the updates being installed.
      (the status bar at the bottom will display "Update successful")
  • Exit Ewido.
  • DO NOT SCAN YET.

If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

  • Download DSRFIX by Atribune, et al... from HERE onto your Desktop.
    • Unzip and EXTRACT the files to your Desktop.
    • The program creates and names the new folder to house the files.
    • DO NOT RUN IT YET
  • Download Cleanup from Here (Alternate site if the above is not working: Go Here)
    • A window will open and choose SAVE, then DESKTOP as the destination.
    • On your Desktop, click on Cleanup40.exe icon.
    • Then, click RUN and place a checkmark beside "I Agree"
    • Then click NEXT followed by START and OK.
    • Click OPTIONS, Move the arrow down to "Custom Cleanup".
    • Put a check next to the following items: (Make sure nothing else is checked)
      • Empty Recycle Bins
      • Delete cookies
      • Delete Prefetch Files
      • Cleanup All Users
    • Click OK
    • DO NOT RUN IT YET
  • Download this file: Revised Installer for the Nailfix Utility
    • Save it to your desktop.
    • DO NOT RUN IT YET.
  • Reboot your computer into SafeMode by doing the following:
    • To reboot into SafeMode with Windows XP, you can follow these steps from Microsoft:
    • OR
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear
    • Select the first option, to run Windows in Safe Mode.

Once in Safe Mode,

  • Double-click on nailfix.exe.
    • Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
    • Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
  • Open the folder dsrfix
    • Double click on the dsrfix batch file (the one with the little gear in it)
    • Once dsrfix has completed it will close on its own
  • Open Ewido and scan your system.
    • Click on scanner
    • Click on Complete System Scan and the scan will begin.
    • NOTE: During some scans with ewido it is finding cases of false positives.
      • You will need to step through the process of cleaning files one-by-one.
      • If ewido detects a file you KNOW to be legitimate, select none as the action.
      • DO NOT select "Perform action on all infections"
      • If you are unsure of any entry found select none for now as the action.
    • Once the scan has completed, click the Save Report button located on the bottom of the screen and choose your DESKTOP as the destination.
  • Now run HijackThis, click Scan, and place a checkmark next to each of the following items:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [qguncg] C:\windows\system32\cxknjgb.exe r
R3 - Default URLSearchHook is missing
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\System32\hojvmwtn.dll
O4 - HKLM\..\Run: [lanbrup] C:\WINDOWS\System32\lanbrup.exe
O4 - HKLM\..\Run: [lmscdll] C:\WINDOWS\lmscdll.EXE
O4 - HKLM\..\Run: [lmscenc] C:\WINDOWS\lmscenc.EXE
O4 - HKLM\..\Run: [msresearch] C:\WINDOWS\msresearch.exe
O4 - HKLM\..\Run: [dv5qhfnw] C:\Program Files\dv5qhfnw\dv5qhfnw.exe
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

  • Close all open windows except for HJT, click the Fix Checked button and EXIT HJT.

NOTE: The O4 entry may have changed names if you have rebooted since posting the log; look for an entry with a similar format, that will always end in a single letter r

  • Now, using Windows Explorer, locate and DELETE the following Files/Folders (with all their content), if they are present:

c:\windows\system32\cxknjgb.exe (or whatever the name may have changed to, as noted above).
C:\WINDOWS\Nail.exe
C:\WINDOWS\System32\hojvmwtn.dll
C:\WINDOWS\System32\lanbrup.exe
C:\WINDOWS\lmscdll.EXE
C:\WINDOWS\lmscenc.EXE
C:\WINDOWS\msresearch.exe
C:\Program Files\dv5qhfnw <=== Folder
C:\WINDOWS\etb <=== Folder

  • Run Cleanup
    • Click on the "Cleanup" button and let it run.
    • Once it's done, close the program
  • Finally, REBOOT into Normal Mode and please post a new HijackThis log, as well as the report log from the Ewido scan.

Regards,

Trevuren

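A small triage script, added here as an example and not code from the thread or from HijackThis, that applies the review rules Trevuren used above (the system.ini Shell= hijack, the random-named System32 executable started with a single "r", executables living under the Windows root, services with an unknown owner) to lines excerpted from the log in post #3 and lists candidates for manual review rather than fixing anything:

```python
"""Triage helper for HijackThis v1.99 log lines. Added example: this is not
HijackThis code and not part of the original thread. It encodes the review
rules the helper applied above and emits candidates for a human to confirm;
nothing here deletes or fixes anything on the machine."""
import re
from dataclasses import dataclass

# Lines excerpted from the second log posted in this thread. SM1BG.EXE is an
# entry the helper did not list for fixing; it is kept to show a rule
# producing a candidate that human review then discards.
SAMPLE_LOG = r"""
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: LANBridge Class - {71D1708F-973D-4600-AF01-AD86688403AE} - C:\WINDOWS\System32\hojvmwtn.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [System service62] C:\WINDOWS\etb\pokapoka62.exe
O4 - HKLM\..\Run: [qguncg] c:\windows\system32\cxknjgb.exe r
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<value>.*)$")
CMD_RE = re.compile(r"(.+?\.exe)(?:\s+(.*))?$", re.IGNORECASE)
WINDIR = "c:\\windows\\"
SYSTEM32 = WINDIR + "system32\\"


@dataclass
class Finding:
    rule: str
    line: str


def split_command(value: str):
    """Split a Run value into (executable path, arguments). Quoted paths end
    at the closing quote; unquoted ones, which may contain spaces, end at the
    first ".exe". Returns ("", value) when the value is not a program."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        if end > 0:
            return value[1:end], value[end + 1:].strip()
    m = CMD_RE.match(value)
    if not m:
        return "", value
    return m.group(1), (m.group(2) or "").strip()


def review(log: str) -> list:
    """Apply the thread's review rules to every line of a HijackThis log."""
    findings = []
    for raw in log.splitlines():
        line = raw.strip()
        if line.startswith("F2 - REG:system.ini: Shell="):
            # system.ini Shell= must be exactly Explorer.exe; anything appended
            # (here Nail.exe) is started with the shell at every logon.
            if line.split("Shell=", 1)[1].strip().lower() != "explorer.exe":
                findings.append(Finding("shell-hijack", line))
        elif line == "R3 - Default URLSearchHook is missing":
            findings.append(Finding("urlsearchhook-missing", line))
        elif line.startswith("O2 - BHO:"):
            # Every BHO is loaded into Internet Explorer; each gets a manual check.
            findings.append(Finding("bho-review", line))
        elif line.startswith("O4 - "):
            m = O4_RE.match(line)
            if not m:
                continue  # Global Startup .lnk entries are not handled here
            path, args = split_command(m.group("value"))
            low = path.lower()
            if not path:
                findings.append(Finding("run-value-not-a-program", line))
            elif low.startswith(SYSTEM32) and args.lower() == "r":
                # The pattern the helper described: a random-named exe in
                # System32 started with a single "r" argument.
                findings.append(Finding("system32-random-exe-r", line))
            elif low.startswith(WINDIR) and not low.startswith(SYSTEM32):
                # Programs living directly under C:\WINDOWS or one of its
                # non-System32 subfolders are unusual for installed software.
                findings.append(Finding("exe-under-windows-root", line))
        elif line.startswith("O23 - Service:") and " - Unknown owner - " in line:
            findings.append(Finding("service-unknown-owner", line))
    return findings


def rules_by_line(log: str) -> dict:
    """Map each flagged log line to the rule that flagged it."""
    return {f.line: f.rule for f in review(log)}


if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f"{f.rule:24} {f.line}")
```

The exe-under-windows-root rule deliberately also catches SM1BG.EXE, which the helper left in place; the output is a review list, and the human decides which entries go into Fix Checked.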

#5 sperry1b (Topic Starter, Member, 12 posts)
Trevuren-

Did as instructed. When I went to delete the file associated with the "r" O4 entry (initially cxknjgb.exe, then xottwa.exe) it said that the file was in use and wouldn't let me delete it.

Here are the posts:

Hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 9:58:00 PM, on 8/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\BacsTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CMAPP\Client\cmappclient.exe
c:\windows\system32\qwiiedf.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [fpndema] c:\windows\system32\qwiiedf.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123128791158
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe

Ewido scan:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:33:11 PM, 8/4/2005
+ Report-Checksum: A06F3A9A

+ Scan result:

[912] c:\windows\system32\mmwedkc.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\6B816AD2-0E1B-425E-8446-3E8B6C\F8233F1D-A72C-49D1-ACE7-920D0D -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\F452008F-AAF9-46A5-A59A-F0485E\823DACA6-EF73-48E1-805D-171A96 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP203\A0014458.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP203\A0014460.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP203\A0014461.exe -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP203\A0014462.dll -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP203\A0014463.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP203\A0014464.exe -> TrojanDownloader.VB.hj : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP203\A0014465.exe -> TrojanDownloader.VB.kd : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP203\A0014469.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP203\A0014473.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014505.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014513.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014575.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014580.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014585.dll -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014586.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014592.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014599.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014603.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014604.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014611.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014630.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014636.dll -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014637.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014640.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014641.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014643.dll -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\kfmvmz.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\SYSTEM32\mmwedkc.exe -> Adware.BetterInternet : Cleaned with backup


::Report End
  • 0

#6
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
We are dealing with the "epolvy" trojan.

Print this out please

1. Download Process Explorer from http://www.sysintern...ssExplorer.html

2. Run Process Explorer and find the Process in the list of Processes.

qwiiedf.exe

3. Select the process and click Process > Suspend.

4. Then in HijackThis click Config > Misc Tools > Delete a file on reboot...

5. In the explorer Window, locate and select the file c:\windows\system32\qwiiedf.exe

6. When prompted if you want to reboot click YES

Leave Process explorer running with the process suspended.

7. After the reboot, check the following items in HijackThis.

O4 - HKLM\..\Run: [fpndema] c:\windows\system32\qwiiedf.exe r

Close all windows except HijackThis and click Fix checked:

8. REBOOT your system

9. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren

  • 0

#7
sperry1b

    Member

  • Topic Starter
  • Member
  • 12 posts
Trevuren

Followed instructions. Before I got your last posting I had shut down and rebooted my system, therefore the name had changed. I found the new name in Hijack This then proceeded with what you said to do. The post is below.

Also, TrojanGuard keeps coming up with a message that says Agent.214 is running in memory.

Thanks for your help. Please let me know what to do next.

Logfile of HijackThis v1.99.1
Scan saved at 7:08:20 AM, on 8/5/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\windows\system32\tsjtnb.exe
C:\WINDOWS\System32\BacsTray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CMAPP\Client\cmappclient.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [jahnkj] c:\windows\system32\tsjtnb.exe r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123128791158
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
  • 0

#8
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please print out or copy this page to Notepad for we will be doing most of our work in Safe Mode. Make sure to work through the steps in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fix.
  • Download a free trial version of Ewido security suite
  • Install Ewido security suite
    • When installing, under "Additional Options" uncheck:
      • Install background guard
      • Install scan via context menu
  • Launch Ewido, there should be an icon on your desktop, double-click it.
    • The program will now open to the main screen.
    • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
    • The update will start and a progress bar will show the updates being installed.
      (the status bar at the bottom will display "Update successful")
  • Exit Ewido.
  • DO NOT SCAN YET.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

  • Download DSRFIX by Atribune, et al... from HERE onto your Desktop.
    • Unzip and EXTRACT the files to your Desktop.
    • The program creates and names the new folder to house the files.
    • DO NOT RUN IT YET
  • Download Cleanup from Here (Alternate site if the above is not working Go Here)
    • A window will open and choose SAVE, then DESKTOP as the destination.
    • On your Desktop, click on Cleanup40.exe icon.
    • Then, click RUN and place a checkmark beside "I Agree"
    • Then click NEXT followed by START and OK.
    • Click OPTIONS, move the arrow down to "Custom Cleanup".
    • Put a check next to the following items: (Make sure nothing else is checked)
      • Empty Recycle Bins
      • Delete cookies
      • Delete Prefetch Files
      • Cleanup All Users
    • Click OK
    • DO NOT RUN IT YET
  • Download this file: Revised Installer for the Nailfix Utility
    • Save it to your desktop.
    • DO NOT RUN IT YET.
  • Reboot your computer into SafeMode by doing the following:
    • To reboot into SafeMode with Windows XP, you can follow these steps from Microsoft:
    • OR
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
    • Instead of Windows loading as normal, a menu should appear
    • Select the first option, to run Windows in Safe Mode.
Once in Safe Mode,
  • Double-click on nailfix.exe.
    • Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
    • Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
  • Open the folder dsrfix
    • Double click on the dsrfix batch file (the one with the little gear in it)
    • Once dsrfix has completed it will close on its own
  • Open Ewido and scan your system.
    • Click on scanner
    • Click on Complete System Scan and the scan will begin.
    • NOTE: During some scans with ewido it is finding cases of false positives.
      • You will need to step through the process of cleaning files one-by-one.
      • If ewido detects a file you KNOW to be legitimate, select none as the action.
      • DO NOT select "Perform action on all infections"
      • If you are unsure of any entry found select none for now as the action.
    • Once the scan has completed, click the Save Report button located on the bottom of the screen and choose your DESKTOP as the destination.
  • Now run HijackThis, click Scan, and place a checkmark next to each of the following items:

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [jahnkj] C:\windows\system32\tsjtnb.exerandom.exe r
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drs...esearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

  • Close all open windows except for HJT, click the Fix Checked button and EXIT HJT.

NOTE: The O4 entry may have changed names if you have rebooted since posting the log; look for an entry with a similar format, that will always end in a single letter r

  • Now, using Windows Explorer, locate and DELETE the following Files/Folders (with all their content), if they are present:

c:\windows\system32\tsjtnb.exe (or whatever the name may have changed to, as noted above).

C:\WINDOWS\Nail.exe

  • Run Cleanup
    • Click on the "Cleanup" button and let it run.
    • Once it's done, close the program
  • Finally, REBOOT into Normal Mode and please post a new HijackThis log, as well as the report log from the Ewido scan.
Regards,

Trevuren

  • 0
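As an added example (not code from the thread, from HijackThis, or from any tool named in it), the Python script below applies the triage rules this post and post #6 spell out to HijackThis log lines: a winlogon Shell= value that launches anything besides Explorer.exe, a random-named system32 executable started with a lone "r" argument, an O23 service with an unknown owner, an orphaned O2 BHO, and the search-hijack host from the R0/R1 lines. The sample log and the indicator lists are constructed from entries quoted in this thread, and the indicator lists are hypothetical starting points a helper would extend.

```python
"""Triage a HijackThis v1.99.1 log for the persistence pattern worked through in this thread.

Added example, not part of the forum post or of HijackThis itself.  The sample log
below is constructed from entries quoted in the thread; the indicator lists are
hypothetical starting points a helper would extend from the logs in front of them.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str    # why the entry was flagged
    line: str      # the original log line


# File names the thread tied to this infection (Nail.exe shell hook, dsr.dll BHO,
# svcproc.exe service, dinst.exe loader).  Constructed from the thread; extend as needed.
KNOWN_BAD_FILES = {"nail.exe", "dsr.dll", "svcproc.exe", "dinst.exe"}
# Search-hijack host seen in the R0/R1 lines of the second log in the thread.
SEARCH_HIJACK_HOSTS = {"websearch.drsnsrch.com"}

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# The post's own heuristic: a random-looking system32 executable whose only argument is "r".
RANDOM_RUN_RE = re.compile(r"\\system32\\[a-z]{5,8}\.exe r$")


def _known_bad_names(text: str) -> List[str]:
    """Return any executable/DLL names in the text that are on the indicator list."""
    names = re.findall(r"[\w~.-]+\.(?:exe|dll)", text.lower())
    return [n for n in names if n in KNOWN_BAD_FILES]


def analyze_line(line: str) -> List[Finding]:
    """Apply the thread's triage rules to one HijackThis log line."""
    line = line.strip()
    m = LINE_RE.match(line)
    if not m:
        return []                      # header, blank or process-list line
    sec, body = m.group("sec"), m.group("body")
    findings = [Finding(sec, f"known indicator for this infection: {n}", line)
                for n in _known_bad_names(body)]
    if sec == "F2" and body.startswith("REG:system.ini: Shell="):
        # winlogon's Shell value should be exactly Explorer.exe; anything appended
        # (here C:\WINDOWS\Nail.exe) is started at every logon.
        shell = body.split("Shell=", 1)[1].strip()
        if shell.lower() != "explorer.exe":
            findings.append(Finding(sec, "Shell= launches more than Explorer.exe", line))
    elif sec == "O4":
        rm = RUN_RE.match(body)
        if rm and RANDOM_RUN_RE.search(rm.group("cmd").strip().lower()):
            findings.append(Finding(sec, "random-named system32 executable run with lone 'r' argument", line))
    elif sec == "O2" and body.endswith("(no file)"):
        # Registration left behind after the DLL was deleted (fixed later in the thread).
        findings.append(Finding(sec, "orphaned BHO registration", line))
    elif sec == "O23" and "Unknown owner" in body:
        findings.append(Finding(sec, "service with no publisher information", line))
    elif sec in ("R0", "R1"):
        for host in SEARCH_HIJACK_HOSTS:
            if host in body.lower():
                findings.append(Finding(sec, f"browser search setting points at {host}", line))
    return findings


def triage(log_text: str) -> List[Finding]:
    """Run analyze_line over a whole log and return every finding in log order."""
    return [f for line in log_text.splitlines() for f in analyze_line(line)]


# Constructed sample: entries quoted in the thread mixed with benign ones from the same logs.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll
O2 - BHO: (no name) - {00F1D395-4744-40f0-A611-980F61AE2C59} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [jahnkj] c:\windows\system32\tsjtnb.exe r
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Benign entries such as the Apoint and NVIDIA lines pass through untouched; a real log still needs a human to confirm each flagged line before anything is fixed, exactly as the post's false-positive note says.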

#9
sperry1b

    Member

  • Topic Starter
  • Member
  • 12 posts
Trevuren-

Thanks for all of your help. Here are the latest logs:

From Hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 11:56:11 AM, on 8/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\BacsTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CMAPP\Client\cmappclient.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {00F1D395-4744-40f0-A611-980F61AE2C59} - (no file)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123128791158
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe


From Ewido:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:40:24 AM, 8/6/2005
+ Report-Checksum: F4251D42

+ Scan result:

C:\Documents and Settings\Matt\Cookies\matt@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@bs.serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@ehg-directv.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@ehg-foxsports.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@qksrv[2].txt -> Spyware.Cookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@statse.webtrendslive[2].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\matt@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014644.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014659.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014663.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014673.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014678.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014690.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014699.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0015699.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP208\A0015703.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP209\A0015706.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP209\A0016699.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP210\A0017697.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP210\A0017707.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP210\A0017709.dll -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP210\A0017710.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP210\A0017711.exe -> TrojanDownloader.Intexp.d : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP210\A0017712.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\kfmvmz.exe -> Adware.BetterInternet : Cleaned with backup


::Report End
  • 0

#10
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
  • Please RUN HijackThis.
    • Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    O2 - BHO: (no name) - {00F1D395-4744-40f0-A611-980F61AE2C59} - (no file)

  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System

  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now.
Regards,

Trevuren

  • 0

#11
sperry1b

    Member

  • Topic Starter
  • Member
  • 12 posts
Trevuren-

Done. Here is the log:

Logfile of HijackThis v1.99.1
Scan saved at 12:44:49 PM, on 8/6/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\1XConfig.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\BacsTray.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
C:\WINDOWS\SM1BG.EXE
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CMAPP\Client\cmappclient.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123128791158
O16 - DPF: {90051A81-3018-4826-8B38-DD60B6B53F9C} (Snapfish File Upload ActiveX Control) - http://www.costcopho...ostcoUpload.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O23 - Service: Broadcom ASF IP monitoring service v6.0.3 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Groove Installer Service (GrooveInstallerService) - Groove Networks, Inc. - C:\Program Files\Groove Networks\Groove\Bin\GrooveInstallerService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
  • 0

#12
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Your log looks good. If you have no more malware-related problems that you are aware of, just give me the OK and we can start the final but essential cleanup procedures.

Trevuren
  • 0

#13
sperry1b

sperry1b

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Everything seems to be OK. I am getting an occasional pop-up that shows ICEE and looks like a search, but no ABI stuff and no warnings from TrojanHunter.
  • 0

#14
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Just to make sure then, please do the following:

I need you to download MWav to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.
I need you to run MWav by double-clicking on mwav.exe. This scan only produces a report, it doesn't clean your system. I will analyze the report and recommend a course of action depending on the results.

Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C: (default is C:\Windows)
  • Registry
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files
Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

**NOTE** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items". Please highlight everything in that lower panel, copy it by holding CTRL + C, then paste it here. The whole log will be extremely BIG, so there is no way to post the log. I just need the infected items list.

Regards,

Trevuren

  • 0
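Trevuren only wants the infected-items portion of the MWav report, not the thousands of "Scanning File" lines. As an added example (not code from this thread, from MWav, or from Geeks to Go), the script below reads a full MWav report and keeps only the lines that state a finding, classifying each as a real infection, riskware ("not-a-virus" tags), an offending folder or registry value, or a registry entry that merely points at a file that no longer exists. The sample report is constructed from lines in the shape MWav prints, including some "Scanning File" noise that should be dropped.

```python
"""Filter an MWav report down to its findings (added example, not part of
the thread or of MWav itself)."""
import re
from collections import Counter

# Constructed sample in the line format MWav prints.
SAMPLE_MWAV_REPORT = r"""
Sat Aug 06 13:55:46 2005 => Scanning File C:\WINDOWS\system32\JAVASUP.VXD
Sat Aug 06 13:55:51 2005 => Offending Folder C:\PROGRA~1\ADTOOL~1 present...
Sat Aug 06 14:47:11 2005 => System found infected with iSearch Spyware/Adware (patch.exe)! Action taken: No Action Taken.
Sat Aug 06 14:47:11 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\AdToolsX.dll". Action Taken: No Action Taken.
Sat Aug 06 14:48:50 2005 => Scanning File C:\WINDOWS\System32\InstallerV4.exe
Sat Aug 06 14:48:50 2005 => File C:\WINDOWS\System32\InstallerV4.exe tagged as "not-a-virus:AdWare.SafeSurfing.o". Action Taken: No Action Taken.
Sat Aug 06 14:48:58 2005 => Scanning File C:\WINDOWS\System32\lanbruns.exe
Sat Aug 06 14:48:58 2005 => File C:\WINDOWS\System32\lanbruns.exe infected by "Trojan-Downloader.NSIS.Agent.i" Virus! Action Taken: No Action Taken.
"""

# Every MWav line starts with a timestamp followed by " => ".
LINE_RE = re.compile(r"^(?P<time>\w{3} \w{3} \d\d \d\d:\d\d:\d\d \d{4}) => (?P<msg>.*)$")

# Ordered (category, pattern) pairs applied to the message part; first match wins.
PATTERNS = [
    ("infected", re.compile(r'^File (?P<object>.+?) infected by "(?P<name>[^"]+)"')),
    ("infected", re.compile(r"^System found infected with (?P<name>.+?) \((?P<object>[^)]+)\)")),
    ("detected", re.compile(r'^Object "(?P<name>[^"]+)" found in (?P<object>File System)')),
    ("riskware", re.compile(r'^File (?P<object>.+?) tagged as "?(?P<name>not-a-virus:[^"\s]+)')),
    ("offending", re.compile(r"^Offending (?:Folder|File|value found in) (?P<object>.+?)(?: present\.\.\.| !!!)?$")),
    ("invalid-entry", re.compile(r'^Entry "(?P<object>[^"]+)" refers to invalid object "(?P<name>[^"]+)"')),
]


def infected_items(report_text):
    """Return only the lines that report a finding, each as a dict with
    time, category, detection name and the object it refers to."""
    findings = []
    for line in report_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        for category, pattern in PATTERNS:
            hit = pattern.match(msg)
            if hit:
                groups = hit.groupdict()
                findings.append({
                    "time": m.group("time"),
                    "category": category,
                    "name": groups.get("name", "").rstrip("."),
                    "object": groups.get("object", ""),
                })
                break  # a line belongs to one category only
    return findings


def summarize(findings):
    """Count findings per category: a quick way to see whether anything is
    still actively infected versus only leftover registry pointers."""
    return Counter(f["category"] for f in findings)


if __name__ == "__main__":
    items = infected_items(SAMPLE_MWAV_REPORT)
    for item in items:
        print(f'{item["time"]}  {item["category"]:<14} {item["name"]}  {item["object"]}')
    print(dict(summarize(items)))
```

The "invalid-entry" lines are the bulk of a typical MWav report and are usually harmless leftovers from uninstalled software (the thread's own report is full of SolidWorks and Adobe profile pointers); the "infected" and "riskware" categories are the ones a helper will act on first.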

#15
sperry1b

sperry1b

    Member

  • Topic Starter
  • Member
  • PipPip
  • 12 posts
Trevuren-

Ran the scan with MWAV. Here is the result. Again, thanks for your help.


Sat Aug 06 13:55:35 2005 => ERROR!!! Invalid Entry bascstray = BascsTray.exe (in key SOFTWARE\Microsoft\Windows\CurrentVersion\Run). No Action Taken.

Sat Aug 06 13:55:46 2005 => Scanning HKLM\SYSTEM\CurrentControlSet\Services\VxD
Sat Aug 06 13:55:46 2005 => Scanning File C:\WINDOWS\system32\JAVASUP.VXD

Sat Aug 06 13:55:46 2005 => ***** Scanning Registry and File system for Adware/Spyware *****
Sat Aug 06 13:55:46 2005 => Loading Spyware Signatures from FIXED Database...
Sat Aug 06 13:55:51 2005 => Offending Folder C:\PROGRA~1\ADTOOL~1 present...
Sat Aug 06 14:46:40 2005 => Object "AdTools Spyware/Adware" found in File System! Action Taken: No Action Taken.

Sat Aug 06 14:46:48 2005 => Offending value found in HKLM\Software\microsoft\downloadmanager !!!
Sat Aug 06 14:46:48 2005 => Object "AltNet Spyware/Adware" found in File System! Action Taken: No Action Taken.

Sat Aug 06 14:47:11 2005 => System found infected with l.exe Spyware/Adware (C:\WINDOWS\System32\uninstall.exe)! Action taken: No Action Taken.
Sat Aug 06 14:47:11 2005 => System found infected with iSearch Spyware/Adware (patch.exe)! Action taken: No Action Taken.

Sat Aug 06 14:47:11 2005 => ***** Scanning Registry for errors created because of Adware/Spyware *****
Sat Aug 06 14:47:11 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\AdToolsX.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:11 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\site.ocx". Action Taken: No Action Taken.

Sat Aug 06 14:47:11 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\ModuleUsage" refers to invalid object "C:\WINDOWS\Downloaded Program Files\ysbactivex.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:12 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Microsoft Office\Office\MSACCESS.EXE". Action Taken: No Action Taken.

Sat Aug 06 14:47:12 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Microsoft Shared\Proof\MSGREN32.DLL". Action Taken: No Action Taken.

Sat Aug 06 14:47:12 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Microsoft Shared\Proof\msgr_en.lex". Action Taken: No Action Taken.

Sat Aug 06 14:47:13 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\XLREC.DLL". Action Taken: No Action Taken.

Sat Aug 06 14:47:13 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\RECNCL.DLL". Action Taken: No Action Taken.

Sat Aug 06 14:47:13 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\System32\atl71.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:17 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Common Files\Borland Shared\BDE\IDAPINST.DLL". Action Taken: No Action Taken.

Sat Aug 06 14:47:19 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Recommended\USWebUncoated.icc". Action Taken: No Action Taken.

Sat Aug 06 14:47:19 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Recommended\AppleRGB.icc". Action Taken: No Action Taken.

Sat Aug 06 14:47:19 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Recommended\ColorMatchRGB.icc". Action Taken: No Action Taken.

Sat Aug 06 14:47:19 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Recommended\EuroscaleCoated.icc". Action Taken: No Action Taken.

Sat Aug 06 14:47:19 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Recommended\EuroscaleUncoated.icc". Action Taken: No Action Taken.

Sat Aug 06 14:47:19 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Recommended\JapanStandard.icc". Action Taken: No Action Taken.

Sat Aug 06 14:47:19 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Recommended\sRGB Color Space Profile.icm". Action Taken: No Action Taken.

Sat Aug 06 14:47:19 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Recommended\USSheetfedCoated.icc". Action Taken: No Action Taken.

Sat Aug 06 14:47:19 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Recommended\USSheetfedUncoated.icc". Action Taken: No Action Taken.

Sat Aug 06 14:47:20 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Recommended\USWebCoatedSWOP.icc". Action Taken: No Action Taken.

Sat Aug 06 14:47:20 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Recommended\AdobeRGB1998.icc". Action Taken: No Action Taken.

Sat Aug 06 14:47:20 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Non-Recommended\WideGamutRGB.icc". Action Taken: No Action Taken.

Sat Aug 06 14:47:20 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Non-Recommended\NTSC1953.icc". Action Taken: No Action Taken.

Sat Aug 06 14:47:20 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Non-Recommended\PAL_SECAM.icc". Action Taken: No Action Taken.

Sat Aug 06 14:47:20 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Non-Recommended\SMPTE-C.icc". Action Taken: No Action Taken.

Sat Aug 06 14:47:20 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Adobe\Acrobat 5.0\TempICCProfiles\Profiles\Non-Recommended\CIERGB.icc". Action Taken: No Action Taken.

Sat Aug 06 14:47:20 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\ysbactivex.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:20 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\AdToolsX.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:20 2005 => Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\Downloaded Program Files\site.ocx". Action Taken: No Action Taken.

Sat Aug 06 14:47:20 2005 => Entry "HKCR\CLSID\{00000000-0000-40C8-9A75-CC9092DA8929}" refers to invalid object "C:\Program Files\dv5qhfnw\dv5qhfnw.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:20 2005 => Entry "HKCR\CLSID\{00000000-0000-41EC-933B-10677844254D}" refers to invalid object "C:\Program Files\dv5qhfnw\dv5qhfnw.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:20 2005 => Entry "HKCR\CLSID\{00000000-0000-4241-849E-E44CC9FAC031}" refers to invalid object "C:\Program Files\dv5qhfnw\dv5qhfnw.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:20 2005 => Entry "HKCR\CLSID\{00000000-0000-4891-BB81-9CA817008BB6}" refers to invalid object "C:\Program Files\dv5qhfnw\dv5qhfnw.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:20 2005 => Entry "HKCR\CLSID\{00000000-0000-4A61-A6FD-2EF1A2E69573}" refers to invalid object "C:\Program Files\dv5qhfnw\dv5qhfnw.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:20 2005 => Entry "HKCR\CLSID\{00000000-0000-4B3B-AAEC-62B4F7C3C6D2}" refers to invalid object "C:\Program Files\dv5qhfnw\dv5qhfnw.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:20 2005 => Entry "HKCR\CLSID\{00000000-0000-4BDE-B3A9-A1A29EC854C0}" refers to invalid object "C:\Program Files\dv5qhfnw\dv5qhfnw.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:20 2005 => Entry "HKCR\CLSID\{00000000-0000-4CA9-AF67-032CC82CBCE0}" refers to invalid object "C:\Program Files\dv5qhfnw\dv5qhfnw.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:20 2005 => Entry "HKCR\CLSID\{00000000-0000-4DC5-9EB0-70B4C2D02792}" refers to invalid object "C:\Program Files\dv5qhfnw\dv5qhfnw.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:21 2005 => Entry "HKCR\CLSID\{0880413D-9C3D-11D3-B931-00C04F8EF738}" refers to invalid object ".\sldse.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:21 2005 => Entry "HKCR\CLSID\{0B6DC6EE-C4FD-11d1-819A-00C04FB69B4D}" refers to invalid object "C:\Program Files\Common Files\Adobe\Shell\psicon.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:22 2005 => Entry "HKCR\CLSID\{1444FA95-CB58-11d4-88F5-00B0D0239602}" refers to invalid object ".\sldproe.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:23 2005 => Entry "HKCR\CLSID\{1C9BC2F5-6822-11d2-B8A7-00C04F8EF738}" refers to invalid object ".\sldug.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:23 2005 => Entry "HKCR\CLSID\{27C101B0-E6A3-11d0-B1D4-006097C28A5D}" refers to invalid object ".\pworks\lworks.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:25 2005 => Entry "HKCR\CLSID\{3E68E456-DF91-42B6-9199-BE58FC9D51F2}" refers to invalid object "C:\PROGRA~1\MAGICV~1\MOVIEP~1.OCX". Action Taken: No Action Taken.

Sat Aug 06 14:47:25 2005 => Entry "HKCR\CLSID\{4575C431-E2CB-11d2-B8E0-00C04F8EF738}" refers to invalid object ".\sld2demu.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:26 2005 => Entry "HKCR\CLSID\{46C64A4D-2B14-11D2-B484-00C04FA33EF2}" refers to invalid object "ShellExt\sldicon.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:26 2005 => Entry "HKCR\CLSID\{47B4ACA1-B1C4-11d2-8398-0008C7B2F44D}" refers to invalid object ".\sldmdt.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:27 2005 => Entry "HKCR\CLSID\{5B888B60-3BE1-11d0-9CC9-00A0241BA77E}" refers to invalid object "C:\WINDOWS\System32\viewers\sldviewer.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:27 2005 => Entry "HKCR\CLSID\{5d3d7a00-5f31-11d1-b1c9-0020af351f6f}" refers to invalid object ".\sldtrans.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:28 2005 => Entry "HKCR\CLSID\{6B8FE721-A25A-11d3-B45B-0008C7B2ECD7}" refers to invalid object ".\sldinventor.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:29 2005 => Entry "HKCR\CLSID\{700D36FB-3889-11D4-AF00-00C04F61025C}" refers to invalid object ".\sldxgl.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:29 2005 => Entry "HKCR\CLSID\{7CF8CA03-1DCE-11d1-A89B-0020AF351FA9}" refers to invalid object ".\fworks\fworks.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:30 2005 => Entry "HKCR\CLSID\{7EFD5D24-CB58-11d4-88F5-00B0D0239602}" refers to invalid object ".\sldjpeg.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:31 2005 => Entry "HKCR\CLSID\{99180163-DA16-101A-935C-444553540000}" refers to invalid object "recncl.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:32 2005 => Entry "HKCR\CLSID\{A8683C98-5341-421B-B23C-8514C05354F1}" refers to invalid object "C:\WINDOWS\Downloaded Program Files\CONFLICT.1\FujifilmUploadClient.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:33 2005 => Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.

Sat Aug 06 14:47:34 2005 => Entry "HKCR\CLSID\{BBEF802E-1021-11d4-BD57-00C04F019809}" refers to invalid object ".\sldcollab.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:35 2005 => Entry "HKCR\CLSID\{C90DF1A7-4DEF-11D4-AF15-00C04F61025C}" refers to invalid object ".\sldhsf.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:35 2005 => Entry "HKCR\CLSID\{CEDDF50D-9FA7-41A8-BCD0-6350D1ED2306}" refers to invalid object "C:\DOCUME~1\Matt\LOCALS~1\Temp\DLLs\BJAXSecurityManager.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:36 2005 => Entry "HKCR\CLSID\{D44C75D8-C827-473E-8F68-A77E42500782}" refers to invalid object "C:\WINDOWS\Downloaded Program Files\WebUploadClient.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:37 2005 => Entry "HKCR\CLSID\{E32C3B01-C81B-4D01-8AD4-2B93F7FA544C}" refers to invalid object "C:\WINDOWS\system\mlcom.ax". Action Taken: No Action Taken.

Sat Aug 06 14:47:37 2005 => Entry "HKCR\CLSID\{E32C3B01-C81B-4D01-8AD4-2B93F7FA544E}" refers to invalid object "C:\WINDOWS\system\mlcom.ax". Action Taken: No Action Taken.

Sat Aug 06 14:47:37 2005 => Entry "HKCR\CLSID\{E49F0B41-3322-11D4-AEFE-00C04F61025C}" refers to invalid object ".\sldmts.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:37 2005 => Entry "HKCR\CLSID\{E981DDD5-E7B9-11d2-8BC1-00105A1E7868}" refers to invalid object ".\animator\animator.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:37 2005 => Entry "HKCR\CLSID\{EA320F72-9CFB-11D3-B931-00C04F8EF738}" refers to invalid object ".\slddxf3d.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:37 2005 => Entry "HKCR\CLSID\{ED78333F-D5DB-11d4-BD5A-00C04F019809}" refers to invalid object ".\toolbox\swtoolbox.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:37 2005 => Entry "HKCR\CLSID\{ED783340-D5DB-11d4-BD5A-00C04F019809}" refers to invalid object ".\toolbox\swbrowser.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:38 2005 => Entry "HKCR\CLSID\{F335158C-A691-11D3-B934-00C04F8EF738}" refers to invalid object ".\sldhcg.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:38 2005 => Entry "HKCR\CLSID\{F4A32EAF-F30D-466D-BEC8-F4ED86CAF84E}" refers to invalid object "C:\PROGRA~1\MAGICV~1\MOVIEP~1.OCX". Action Taken: No Action Taken.

Sat Aug 06 14:47:38 2005 => Entry "HKCR\CLSID\{F50B3F13-19C4-11CF-AA9A-02608C9BABA2}" refers to invalid object "C:\WINDOWS\system\mpgdec.ax". Action Taken: No Action Taken.

Sat Aug 06 14:47:38 2005 => Entry "HKCR\CLSID\{F50B3F14-19C4-11CF-AA9A-02608C9BABA2}" refers to invalid object "C:\WINDOWS\system\mpgdec.ax". Action Taken: No Action Taken.

Sat Aug 06 14:47:38 2005 => Entry "HKCR\CLSID\{F80FA0F1-B13D-11d4-944A-000629992CFE}" refers to invalid object ".\sldutils\swloadersw.dll". Action Taken: No Action Taken.

Sat Aug 06 14:47:41 2005 => Entry "HKCR\AdToolsX.Installer" refers to invalid object "{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6}". Action Taken: No Action Taken.

Sat Aug 06 14:47:45 2005 => Entry "HKCR\DSP.DSP" refers to invalid object "{9C123EA9-AEC9-4f75-BBC0-7565FA1398966}". Action Taken: No Action Taken.

Sat Aug 06 14:47:45 2005 => Entry "HKCR\DSP.DSPDMOProp_Chorus.1" refers to invalid object "{6F63B172-5543-4593-91CE-EDBA65B9FACDB}". Action Taken: No Action Taken.

Sat Aug 06 14:47:45 2005 => Entry "HKCR\DSrch.Band" refers to invalid object "{00F1D395-4744-40f0-A611-980F61AE2C59}". Action Taken: No Action Taken.

Sat Aug 06 14:47:50 2005 => Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.

Sat Aug 06 14:47:55 2005 => Entry "HKCR\Pool.LANBridge" refers to invalid object "{71D1708F-973D-4600-AF01-AD86688403AE}". Action Taken: No Action Taken.

Sat Aug 06 14:47:55 2005 => Entry "HKCR\Pool.LANBridge.1" refers to invalid object "{71D1708F-973D-4600-AF01-AD86688403AE}". Action Taken: No Action Taken.

Sat Aug 06 14:47:58 2005 => Entry "HKCR\RxSBDViewEx.SBDGroupCtrl" refers to invalid object "{7495CF57-E208-4DF0-A8C5-9E17ECC51490}". Action Taken: No Action Taken.

Sat Aug 06 14:47:58 2005 => Entry "HKCR\RxSBDViewEx.SBDGroupCtrl.1" refers to invalid object "{7495CF57-E208-4DF0-A8C5-9E17ECC51490}". Action Taken: No Action Taken.

Sat Aug 06 14:48:00 2005 => Entry "HKCR\SpyDoctor.EBankProblem" refers to invalid object "{AE612304-E8F9-45D9-A444-32409D33E954}". Action Taken: No Action Taken.

Sat Aug 06 14:48:00 2005 => Entry "HKCR\SpyDoctor.QuarantinedItemProxy" refers to invalid object "{C2CE6266-0404-4C54-96B4-8829852E3537}". Action Taken: No Action Taken.

Sat Aug 06 14:48:00 2005 => Entry "HKCR\SpyDoctor.ScripterProxy" refers to invalid object "{9FEF02F5-B3B8-4D7B-8939-72A1C989D1B9}". Action Taken: No Action Taken.


Sat Aug 06 14:48:50 2005 => Scanning File C:\WINDOWS\System32\InstallerV4.exe
Sat Aug 06 14:48:50 2005 => File C:\WINDOWS\System32\InstallerV4.exe tagged as "not-a-virus:AdWare.SafeSurfing.o". Action Taken: No Action Taken.


Sat Aug 06 14:48:58 2005 => Scanning File C:\WINDOWS\System32\lanbruns.exe
Sat Aug 06 14:48:58 2005 => File C:\WINDOWS\System32\lanbruns.exe infected by "Trojan-Downloader.NSIS.Agent.i" Virus! Action Taken: No Action Taken.


Sat Aug 06 14:51:09 2005 => Scanning File C:\Documents and Settings\All Users\Desktop\nailfix\Process.exe
Sat Aug 06 14:51:09 2005 => File C:\Documents and Settings\All Users\Desktop\nailfix\Process.exe tagged as not-a-virus:RiskTool.Win32.Processor.20. No Action Taken.



Sat Aug 06 15:12:08 2005 => Scanning File C:\Nailfix\Process.exe
Sat Aug 06 15:12:09 2005 => File C:\Nailfix\Process.exe tagged as not-a-virus:RiskTool.Win32.Processor.20. No Action Taken.



Sat Aug 06 16:02:15 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP201\A0013854.exe tagged as "not-a-virus:AdWare.BargainBuddy.y". Action Taken: No Action Taken.


Sat Aug 06 16:02:16 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP201\A0013863.dll.tcf
Sat Aug 06 16:02:16 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP201\A0013863.dll.tcf tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.

Sat Aug 06 16:02:16 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP201\A0013864.exe
Sat Aug 06 16:02:16 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP201\A0013864.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.


Sat Aug 06 16:02:25 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0013984.dll.tcf
Sat Aug 06 16:02:25 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0013984.dll.tcf tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.

Sat Aug 06 16:02:25 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0013985.exe
Sat Aug 06 16:02:25 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0013985.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.


Sat Aug 06 16:02:26 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014001.dll.tcf
Sat Aug 06 16:02:26 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014001.dll.tcf tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.

Sat Aug 06 16:02:26 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014002.exe
Sat Aug 06 16:02:26 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014002.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.


Sat Aug 06 16:02:26 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014016.dll.tcf
Sat Aug 06 16:02:26 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014016.dll.tcf tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.

Sat Aug 06 16:02:26 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014017.exe
Sat Aug 06 16:02:26 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014017.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.


Sat Aug 06 16:02:27 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014032.dll.tcf
Sat Aug 06 16:02:27 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014032.dll.tcf tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.

Sat Aug 06 16:02:27 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014033.exe
Sat Aug 06 16:02:27 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014033.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.


Sat Aug 06 16:02:27 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014045.dll.tcf
Sat Aug 06 16:02:27 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014045.dll.tcf tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.

Sat Aug 06 16:02:27 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014046.exe
Sat Aug 06 16:02:27 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014046.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.


Sat Aug 06 16:02:27 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014060.dll.tcf
Sat Aug 06 16:02:27 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014060.dll.tcf tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.

Sat Aug 06 16:02:27 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014061.exe
Sat Aug 06 16:02:27 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014061.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.


Sat Aug 06 16:02:28 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014073.dll.tcf
Sat Aug 06 16:02:28 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014073.dll.tcf tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.

Sat Aug 06 16:02:28 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014074.exe
Sat Aug 06 16:02:28 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014074.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.


Sat Aug 06 16:02:28 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014101.dll.tcf
Sat Aug 06 16:02:29 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014101.dll.tcf tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.

Sat Aug 06 16:02:29 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014102.exe
Sat Aug 06 16:02:29 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014102.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.



Sat Aug 06 16:02:44 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014393.dll.tcf
Sat Aug 06 16:02:44 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014393.dll.tcf tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.

Sat Aug 06 16:02:44 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014394.exe
Sat Aug 06 16:02:44 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014394.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.


Sat Aug 06 16:02:46 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP203\A0014426.dll.tcf
Sat Aug 06 16:02:46 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP203\A0014426.dll.tcf tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.

Sat Aug 06 16:02:46 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP203\A0014427.exe
Sat Aug 06 16:02:46 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP203\A0014427.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.


Sat Aug 06 16:02:58 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014601.dll
Sat Aug 06 16:02:58 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014601.dll tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.


Sat Aug 06 16:03:00 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014648.exe
Sat Aug 06 16:03:00 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014648.exe tagged as "not-a-virus:AdWare.SafeSurfing.n". Action Taken: No Action Taken.


Sat Aug 06 16:03:01 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014654.DLL
Sat Aug 06 16:03:01 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014654.DLL tagged as "not-a-virus:AdWare.ClaerSearch.ab". Action Taken: No Action Taken.


Sat Aug 06 16:03:01 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014656.exe
Sat Aug 06 16:03:01 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014656.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.


Sat Aug 06 16:14:27 2005 => File C:\WINDOWS\SYSTEM32\InstallerV4.exe tagged as "not-a-virus:AdWare.SafeSurfing.o". Action Taken: No Action Taken.


Sat Aug 06 16:14:35 2005 => Scanning File C:\WINDOWS\SYSTEM32\lanbruns.exe
Sat Aug 06 16:14:35 2005 => File C:\WINDOWS\SYSTEM32\lanbruns.exe infected by "Trojan-Downloader.NSIS.Agent.i" Virus! Action Taken: No Action Taken.


Sat Aug 06 16:17:36 2005 => Scanning File C:\Documents and Settings\All Users\Desktop\nailfix\Process.exe
Sat Aug 06 16:17:36 2005 => File C:\Documents and Settings\All Users\Desktop\nailfix\Process.exe tagged as not-a-virus:RiskTool.Win32.Processor.20. No Action Taken.


Sat Aug 06 16:38:49 2005 => Scanning File C:\Nailfix\Process.exe
Sat Aug 06 16:38:49 2005 => File C:\Nailfix\Process.exe tagged as not-a-virus:RiskTool.Win32.Processor.20. No Action Taken.


Sat Aug 06 17:29:04 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP201\A0013854.exe
Sat Aug 06 17:29:04 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP201\A0013854.exe tagged as "not-a-virus:AdWare.BargainBuddy.y". Action Taken: No Action Taken.

Sat Aug 06 17:29:05 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP201\A0013863.dll.tcf
Sat Aug 06 17:29:05 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP201\A0013863.dll.tcf tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.

Sat Aug 06 17:29:05 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP201\A0013864.exe
Sat Aug 06 17:29:05 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP201\A0013864.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.


Sat Aug 06 17:29:14 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0013984.dll.tcf
Sat Aug 06 17:29:14 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0013984.dll.tcf tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.

Sat Aug 06 17:29:14 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0013985.exe
Sat Aug 06 17:29:14 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0013985.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.


Sat Aug 06 17:29:14 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014001.dll.tcf
Sat Aug 06 17:29:14 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014001.dll.tcf tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.

Sat Aug 06 17:29:15 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014002.exe
Sat Aug 06 17:29:15 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014002.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.


Sat Aug 06 17:29:15 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014016.dll.tcf
Sat Aug 06 17:29:15 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014016.dll.tcf tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.

Sat Aug 06 17:29:15 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014017.exe
Sat Aug 06 17:29:15 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014017.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.


Sat Aug 06 17:29:15 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014032.dll.tcf
Sat Aug 06 17:29:15 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014032.dll.tcf tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.

Sat Aug 06 17:29:15 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014033.exe
Sat Aug 06 17:29:15 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014033.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.


Sat Aug 06 17:29:16 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014045.dll.tcf
Sat Aug 06 17:29:16 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014045.dll.tcf tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.

Sat Aug 06 17:29:16 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014046.exe
Sat Aug 06 17:29:16 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014046.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.


Sat Aug 06 17:29:16 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014060.dll.tcf
Sat Aug 06 17:29:16 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014060.dll.tcf tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.

Sat Aug 06 17:29:16 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014061.exe
Sat Aug 06 17:29:16 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014061.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.


Sat Aug 06 17:29:17 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014073.dll.tcf
Sat Aug 06 17:29:17 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014073.dll.tcf tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.

Sat Aug 06 17:29:17 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014074.exe
Sat Aug 06 17:29:17 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014074.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.


Sat Aug 06 17:29:17 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014101.dll.tcf
Sat Aug 06 17:29:17 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014101.dll.tcf tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.

Sat Aug 06 17:29:17 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014102.exe
Sat Aug 06 17:29:17 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014102.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.


Sat Aug 06 17:29:32 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014393.dll.tcf
Sat Aug 06 17:29:32 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014393.dll.tcf tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.

Sat Aug 06 17:29:32 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014394.exe
Sat Aug 06 17:29:32 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP202\A0014394.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.


Sat Aug 06 17:29:35 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP203\A0014426.dll.tcf
Sat Aug 06 17:29:35 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP203\A0014426.dll.tcf tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.

Sat Aug 06 17:29:35 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP203\A0014427.exe
Sat Aug 06 17:29:35 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP203\A0014427.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.


Sat Aug 06 17:29:47 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014601.dll
Sat Aug 06 17:29:47 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014601.dll tagged as "not-a-virus:AdWare.ClearSearch.z". Action Taken: No Action Taken.


Sat Aug 06 17:29:49 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014648.exe
Sat Aug 06 17:29:49 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014648.exe tagged as "not-a-virus:AdWare.SafeSurfing.n". Action Taken: No Action Taken.


Sat Aug 06 17:29:49 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014654.DLL
Sat Aug 06 17:29:49 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014654.DLL tagged as "not-a-virus:AdWare.ClaerSearch.ab". Action Taken: No Action Taken.


Sat Aug 06 17:29:49 2005 => Scanning File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014656.exe
Sat Aug 06 17:29:49 2005 => File C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP207\A0014656.exe tagged as "not-a-virus:AdWare.ClearSearch.ac". Action Taken: No Action Taken.



Sat Aug 06 17:41:15 2005 => File C:\WINDOWS\SYSTEM32\InstallerV4.exe tagged as "not-a-virus:AdWare.SafeSurfing.o". Action Taken: No Action Taken.


Sat Aug 06 17:41:23 2005 => Scanning File C:\WINDOWS\SYSTEM32\lanbruns.exe
Sat Aug 06 17:41:23 2005 => File C:\WINDOWS\SYSTEM32\lanbruns.exe infected by "Trojan-Downloader.NSIS.Agent.i" Virus! Action Taken: No Action Taken.



Sat Aug 06 17:43:41 2005 => Scan Completed.