Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Torjan.Elitebar, Hacktool.Rootkit, Downloader.Troj [CLOSED]

Started by Anker137 , Sep 28 2005 07:00 PM

This topic is locked

#1
Anker137

Posted 28 September 2005 - 07:00 PM

New Member

Member
9 posts

Apparently, I have the above 4 viruses on my Windows XP. I did practically everything before using Hijack This. I ran Symantec, Ad-Aware, Spybot, CWShredder, Housecall, Ewido, and more. Nothing helped. HELP

#2
skate_punk_21

Posted 02 October 2005 - 12:16 AM

Malware Removal Expert

Retired Staff
1,049 posts

Please download HijackThis - this program will help us determine if there are any spyware/malware

on your computer. Create a folder at C:\HJT and move HijackThis.exe there. Double click on the program to run it.

1. If it gives you an intro screen, just choose 'Do a system scan and save a logfile'.
2. If you don't get the intro screen, just hit Scan and then click on Save log.
3. Post that log here!

#3
Anker137

Posted 06 October 2005 - 10:44 AM

New Member

Topic Starter
Member
9 posts

Thank you so much for helping :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 12:42:24 PM, on 10/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\PROGRA~1\COMMON~1\AOL\110790~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110790~1\EE\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.1800searc...ine.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.1800searc...ine.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.1800searc...ine.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newpaltz.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bw.myway.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.1800searc...ine.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: (no name) - _{0026AD90-C86F-4269-97F3-DAB4897C6D06} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1107909060\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [stratas] lockx.exe
O4 - HKLM\..\RunServices: [Windows Script Host] winhost32.exe
O4 - HKLM\..\RunServices: [WinSvc16.exe] C:\WINDOWS\system32\MsSvc16\WinSvc16.exe
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [stratas] lockx.exe
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O4 - Global User Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .m14: C:\Program Files\Modern Age Books\Vbook\NPVbok32.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093393851460
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc...e/bridge-c2.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: FireDaemon Service: IRoffer (IRoffer) - Sublime Solutions Pty Ltd - C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: FireDaemon Service: ServU (ServU) - Sublime Solutions Pty Ltd - C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#4
skate_punk_21

Posted 07 October 2005 - 10:21 AM

Malware Removal Expert

Retired Staff
1,049 posts

Currently at work - will get back to your with instructions this evening
Skate

#5
skate_punk_21

Posted 07 October 2005 - 06:44 PM

Malware Removal Expert

Retired Staff
1,049 posts

Please print out or save this page to your desktop in order to assist you when carrying out the following instructions.

Notes
I see you already have Ewido Installed, please update it but do not run it yet
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Boot Into Safe Mode
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

View Hidden Files and Folders
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Potential Uninstallations
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:
ViewPoint Manager
NavExcel
SearchUpgrader

Start HijackThis Fix
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.1800searc...ine.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.1800searc...ine.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.1800searc...ine.com/sp2.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newpaltz.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapp...://my.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://bw.myway.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.1800searc...ine.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: (no name) - _{0026AD90-C86F-4269-97F3-DAB4897C6D06} - (no file)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [OSS] c:\windows\system32\ossproxy.exe -boot
O4 - HKLM\..\Run: [navapp] C:\Program Files\NavExcel\NavHelper\v2.0.4d\navapp.exe
O4 - HKLM\..\Run: [SearchUpgrader] C:\Program Files\Common files\SearchUpgrader\SearchUpgrader.exe
O4 - HKLM\..\Run: [stratas] lockx.exe
O4 - HKLM\..\RunServices: [Windows Script Host] winhost32.exe
O4 - HKLM\..\RunServices: [WinSvc16.exe] C:\WINDOWS\system32\MsSvc16\WinSvc16.exe
O4 - HKLM\..\RunServices: [stratas] lockx.exe
O4 - HKCU\..\Run: [stratas] lockx.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} - http://static.zangoc...e/bridge-c2.cab

Please remember to close all other windows, including browsers then click Fix checked.

Run Downloaded Programs
Run Ewido Security Suite

Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.

Close ewido security suite.

File/Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\Viewpoint\Viewpoint Manager\
c:\windows\system32\ossproxy.exe
C:\Program Files\NavExcel\
C:\Program Files\Common files\SearchUpgrader\
C:\WINDOWS\system32\MsSvc16\
lockx.exe <--Search for and Delete via "start" | "search"
winhost32.exe <--Search for and Delete via "start" | "search"

Reboot your system in Normal Mode.

Perform an online scan with Internet Explorer with Panda ActiveScan

Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Click Scan Now
Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it will offer you a report.
Click on see report. Then click Save report

Post the contents of the report in your next reply along with a new HJT log

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan

Please post a fresh HijackThis log, the Ewido Log & the Log from Panda so that we can check if your system is clean.

#6
Anker137

Posted 09 October 2005 - 07:25 PM

New Member

Topic Starter
Member
9 posts

I did everything. Took about 2 days..phew.. but it's here :tazz:

Thanks

I'm finally gettin somewhere with this.

Logfile of HijackThis v1.99.1
Scan saved at 9:18:53 PM, on 10/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\PROGRA~1\COMMON~1\AOL\110790~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110790~1\EE\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1107909060\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .m14: C:\Program Files\Modern Age Books\Vbook\NPVbok32.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093393851460
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: FireDaemon Service: IRoffer (IRoffer) - Sublime Solutions Pty Ltd - C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: FireDaemon Service: ServU (ServU) - Sublime Solutions Pty Ltd - C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:34:03 PM, 10/8/2005
+ Report-Checksum: 4A753674

+ Scan result:

HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\0 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\0\Controls -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\0\Controls\0 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\0\Controls\1 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\0\Controls\2 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\1 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\1\Controls -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\10 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\10\Controls -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\10\Controls\0 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\10\Controls\1 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\11 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\11\Controls -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\11\Controls\0 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\11\Controls\1 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\11\Controls\2 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\2 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\2\Controls -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\2\Controls\0 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\2\Controls\1 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\2\Controls\2 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\3 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\3\Controls -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\3\Controls\0 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\3\Controls\1 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\4 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\4\Controls -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\4\Controls\0 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\4\Controls\1 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\5 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\5\Controls -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\5\Controls\0 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\5\Controls\1 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\6 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\6\Controls -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\6\Controls\0 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\6\Controls\1 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\7 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\7\Controls -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\7\Controls\0 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\7\Controls\1 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\7\Controls\2 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\8 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\8\Controls -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\8\Controls\0 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\8\Controls\1 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\9 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\9\Controls -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\9\Controls\0 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\9\Controls\1 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\A -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\A\Controls -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\B -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\B\Controls -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\B\Controls\0 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\B\Controls\1 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\C -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\C\Controls -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\C\Controls\0 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\D -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\D\Controls -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\D\Controls\0 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\D\Controls\1 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\E -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\E\Controls -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\E\Controls\0 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\E\Controls\1 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\F -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\F\Controls -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\F\Controls\0 -> Spyware.MidAddle : Cleaned with backup
HKLM\SYSTEM\ControlSet003\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}\##?#PCI#VEN_10B9&DEV_5451&SUBSYS_0024103C&REV_02#3&61AAA01&0&30#{6994ad04-93ef-11d0-a3cc-00a0c9223196}\#Wave\Device Parameters\Mixer\F\Controls\1 -> Spyware.MidAddle : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.30:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Aneta Kruk\Application Data\Mozilla\Firefox\Profiles\75f60mu2.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta kruk@247realmedia[2].txt -> Spyware.Cookie.247realmedia : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta kruk@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta [email protected][2].txt -> Spyware.Cookie.Adocean : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta [email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta [email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta [email protected][2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta [email protected][2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta kruk@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta [email protected][2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta kruk@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta kruk@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta [email protected][1].txt -> Spyware.Cookie.Counted : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta kruk@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta kruk@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta kruk@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta [email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta [email protected][1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta kruk@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta [email protected][1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta [email protected][2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta [email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta kruk@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta [email protected][2].txt -> Spyware.Cookie.Adocean : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta kruk@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta [email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta kruk@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta [email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta kruk@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta [email protected][2].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta [email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta [email protected][2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta [email protected][2].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta kruk@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta kruk@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta kruk@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta [email protected][1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta kruk@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta [email protected][2].txt -> Spyware.Cookie.Realtracker : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta [email protected][2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta kruk@yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Aneta Kruk\Cookies\aneta [email protected][1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\WINDOWS\etb\xud_70.dll -> TrojanSpy.Small.dj : Cleaned with backup

::Report End

Panda Activescan Report:

Incident Status Location

Adware:adware/exact.searchbar No disinfected C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\blank.gif
Adware:adware/gator No disinfected C:\WINDOWS\GatorPatch.log
Adware:adware/sahagent No disinfected C:\WINDOWS\unstall.exe
Adware:adware/quicksearch No disinfected C:\PROGRAM FILES\QuickSearch
Adware:adware/elitebar No disinfected C:\Documents and Settings\Aneta Kruk\Favorites\Casino & Carrers
Spyware:spyware/searchcentrix No disinfected Windows Registry
Adware:Adware/IST.YourSiteBar No disinfected C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\6arab4.html
Adware:Adware/KeenValue No disinfected C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\temp.fr3055\BHO\IncFindBHO180.dll
Spyware:Application/Bestoffer No disinfected C:\Documents and Settings\Aneta Kruk\Local Settings\Tempbooteula.exe
Adware:Adware/SaveNow No disinfected C:\Documents and Settings\Aneta Kruk\Local Settings\Temporary Internet Files\Content.IE5\071ZIANT\WUInstSECS[1].cab[WUInstSECS[1]][WUInst.dll]
Virus:Trj/Rameh.A Disinfected C:\Documents and Settings\Aneta Kruk\Local Settings\Temporary Internet Files\Content.IE5\QT4JQTM5\ON01[1].cab
Virus:Trj/Rameh.A Disinfected C:\Documents and Settings\Aneta Kruk\Local Settings\Temporary Internet Files\Content.IE5\QT4JQTM5\ON01[2].cab
Virus:Trj/Rameh.A Disinfected C:\Documents and Settings\Aneta Kruk\Local Settings\Temporary Internet Files\Content.IE5\TWSZHTWX\ON01[1].cab
Virus:Trj/Rameh.A Disinfected C:\Documents and Settings\Aneta Kruk\Local Settings\Temporary Internet Files\Content.IE5\TWSZHTWX\ON01[2].cab
Possible Virus. No disinfected C:\RECYCLER\S-1-5-21-1001806686-3173916016-1910799264-1006\Dc3.exe
Adware:Adware/Exact.BargainBuddyNo disinfected C:\WINDOWS\etb\xml\images\casino.bmp
Adware:Adware/Exact.BargainBuddyNo disinfected C:\WINDOWS\etb\xml\images\dating.bmp
Adware:Adware/Exact.BargainBuddyNo disinfected C:\WINDOWS\etb\xml\images\virus.bmp
Virus:W32/Sdbot.EFG.worm Disinfected C:\xz.bat

#7
skate_punk_21

Posted 10 October 2005 - 09:20 AM

Malware Removal Expert

Retired Staff
1,049 posts

File/Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\WINDOWS\GatorPatch.log
C:\WINDOWS\unstall.exe
C:\PROGRAM FILES\QuickSearch\
C:\Documents and Settings\Aneta Kruk\Favorites\Casino & Carrers
C:\Documents and Settings\Aneta Kruk\Local Settings\Tempbooteula.exe
C:\WINDOWS\etb\

and Now,
Congratulations Your Log is Clean!!

If you are still having trouble, please dont continue with these instructions just yet. LET ME KNOW!

Otherwise, we have a few clean up items to deal with.

1. System Restore
Now that we know your system is clean, we want to purge any potentially infected restore points. To do that, complete the following:

Turn off System Restore by Clicking Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK.

To re-enable this function - simply uncheck this same box, and click "apply" and "ok"

2. Reset Hidden Files & Folders
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is UNchecked. Also make sure that the System Files and Folders are invisible. CHECK the Hide protected operating system files option.

Also Consider...

SpywareBlaster to help prevent spyware from installing in the first place.
SpywareGuard to catch and block spyware before it can execute.
IESpy-Ad to block access to malicious websites so you cannot be redirected to them from an infected site or email.

You should also have a good firewall. Here are 3 free ones available for personal use:

How is she running now? Any further problems? If not, Good work, and Happy Computing!

Please reply once more so we know you have read these measures.

#8
Anker137

Posted 11 October 2005 - 10:00 AM

New Member

Topic Starter
Member
9 posts

Thanks for helping!

So my system WAS clean for like a day lol...I think there's more malware that got installed somehow though :tazz:

Here's the new HijackThis log. please help if you can. Thank u!

Logfile of HijackThis v1.99.1
Scan saved at 11:58:15 AM, on 10/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\PROGRA~1\COMMON~1\AOL\110790~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110790~1\EE\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Gadu-Gadu\gg.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\QW5ldGEgS3J1awAA\command.exe
C:\WINDOWS\system32\VB2.exe
C:\WINDOWS\etb\pokapoka73.exe
C:\PROGRA~1\MOZILL~1\firefox.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iedw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.esearch2005.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.esearch2005.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.esearch2005.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.esearch2005.com/sp2.php
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1107909060\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [APD123] C:\WINDOWS\system32\APD123.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [System service73] C:\WINDOWS\\etb\pokapoka75.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .m14: C:\Program Files\Modern Age Books\Vbook\NPVbok32.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093393851460
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)
O20 - AppInit_DLLs: repairs302972946.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QW5ldGEgS3J1awAA\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: FireDaemon Service: IRoffer (IRoffer) - Sublime Solutions Pty Ltd - C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: FireDaemon Service: ServU (ServU) - Sublime Solutions Pty Ltd - C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#9
skate_punk_21

Posted 12 October 2005 - 07:47 AM

Malware Removal Expert

Retired Staff
1,049 posts

Please print out or save this page to your desktop in order to assist you when carrying out the following instructions.

Downloads
Download LQfix[/color] & save it to your desktop and extract the files. DO NOT RUN THE NEW FOLDERS CONTENTS YET

Boot Into Safe Mode
Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

View Hidden Files and Folders
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Potential Uninstallations
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:
SurfSideKick

Run Downloaded Programs
In the LQFix folder, Double click on LQFix.bat
A dos window will open and close again, this is normal.

Start HijackThis Fix
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.esearch2005.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.esearch2005.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.esearch2005.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.esearch2005.com/sp2.php
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [APD123] C:\WINDOWS\system32\APD123.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [System service73] C:\WINDOWS\\etb\pokapoka75.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia...ll/pcs_0002.exe
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - (no file)
O20 - AppInit_DLLs: repairs302972946.dll

Please remember to close all other windows, including browsers then click Fix checked.

File/Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

C:\Program Files\SurfSideKick 3\
C:\Program Files\Cas\
C:\WINDOWS\system32\APD123.exe
C:\WINDOWS\etb\
repairs302972946.dll <--search for and delete via "start" | "Search"

Reboot your system in Normal Mode.

Please run a Scan at any 2 of the Following sites
Symantec/Norton
Trend Micro
BitDefender On-Line Virus Scan
Panda ActiveScan
F-Secure
Kaspersky

Make sure that you choose the "fix" or "clean" option when available
Please Take note of any files that were uncleanable and post the filenames here in your next reply

[b]Please post a fresh Hijack This log so that we can check if your system is clean.

#10
Anker137

Posted 17 October 2005 - 07:54 PM

New Member

Topic Starter
Member
9 posts

Hey! It took a while but here it is:
In the initial Hijackthis Log, you told me to delete this but it was not there:
O20 - AppInit_DLLs: repairs302972946.dll

Maybe it got deleted cuz when I searched for
repairs302972946.dll
it wasn't there either. Also,
C:\WINDOWS\etb\
did not exist.

I did a Bit Defender Scan and Kaspersky Scan. I'm posting the results of Kaspersky because when I scanned with it, apparently there are still viruses on my computer, so I'm confused about the results:

KASPERSKY ON-LINE SCANNER REPORT
Monday, October 17, 2005 09:49:02
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 17/10/2005
Kaspersky Anti-Virus database records: 145205
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 161604
Number of viruses found: 23
Number of infected objects: 194
Number of suspicious objects: 0
Duration of the scan process: 19430 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02DC0000.VBN Infected: Trojan.Win32.EliteBar.d
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02DC0001.VBN Infected: Trojan.Win32.EliteBar.d
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02DC0002.VBN Infected: Trojan.Win32.EliteBar.d
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02DC0003.VBN Infected: Trojan.Win32.EliteBar.d
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02DC0006.VBN Infected: Trojan.Win32.EliteBar.d
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02DC0007.VBN Infected: Trojan.Win32.EliteBar.d
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03AC0000.VBN Infected: Trojan.Win32.EliteBar.d
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03D80000.VBN Infected: Trojan.Win32.EliteBar.d
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\07980000.VBN Infected: Rootkit.Win32.Agent.l
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E300000.VBN Infected: Rootkit.Win32.Agent.l
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E440000.VBN Infected: Backdoor.Win32.IRCBot.gw
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E680000.VBN Infected: Backdoor.Win32.IRCBot.gw
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0EA40000.VBN Infected: Trojan-Dropper.Win32.Agent.mu
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\1049446_3464_10300_18348_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\131598_512_1924_4632_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\131658_2868_2472_2576_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\131668_928_276_4048_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\131684_3308_2724_4828_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\131684_3308_57968_59008_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\131684_3308_57968_59404_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\131906_512_1924_7824_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\131908_7324_2348_17204_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\131960_928_276_8004_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\1442244_71628_71096_69968_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\1639030_7324_2348_12720_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\197170_10948_3848_11080_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\197172_1204_232_7844_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\197394_928_276_15524_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\197586_7324_2348_22196_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\197694_928_276_17992_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\2164536_3808_768_2368_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\262474_2868_2472_7636_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\263086_512_1924_12708_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\265692_3400_2988_25948_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\328268_512_1924_11400_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\328486_1204_232_5020_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\328684_1720_2388_9376_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\3803112_3808_768_4732_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\393276_3464_10300_17412_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\393772_2868_2472_11620_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\393970_3464_10300_1552_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\4195126_3808_768_4936_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\459394_3464_10300_16180_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\459504_7324_2348_28928_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\459504_7324_2348_29860_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\5441012_3808_768_1292_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\590158_3464_10300_15388_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\65968_2096_3944_3756_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\65978_3008_2492_2832_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\65982_3956_3100_2348_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\65982_3956_3100_2452_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\721354_83116_71096_84508_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\918416_83116_71096_85868_76.41.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\k_271.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\k_2A1E.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\k_3F35.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\k_4115.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\k_5387.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\k_53E7.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\k_5A6B.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\k_62FE.tmp Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\k_690D.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\k_6E5F.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\k_8DD7.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\k_99D5.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\k_C423.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\k_E668.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temp\k_FDFB.tmp Infected: Trojan.Win32.EliteBar.f
C:\Documents and Settings\Aneta Kruk\Local Settings\Temporary Internet Files\Content.IE5\ADFWXSN6\ysb_prompt[1].htm Infected: Trojan-Downloader.JS.IstBar.j
C:\Documents and Settings\Aneta Kruk\Local Settings\Temporary Internet Files\Content.IE5\D40BP14X\a572af7b[1].js Infected: Trojan-Downloader.JS.Small.af
C:\Documents and Settings\Aneta Kruk\Local Settings\Temporary Internet Files\Content.IE5\D40BP14X\a572af7b[2].js Infected: Trojan-Downloader.JS.Small.af
C:\Documents and Settings\Aneta Kruk\Local Settings\Temporary Internet Files\Content.IE5\N31FJ5SW\ibar[1].js Infected: Trojan-Downloader.JS.IstBar.ad
C:\Documents and Settings\Aneta Kruk\Local Settings\Temporary Internet Files\Content.IE5\SJZVMKP9\ysb_prompt[1].htm Infected: Trojan-Downloader.JS.IstBar.j
C:\Documents and Settings\Aneta Kruk\Local Settings\Temporary Internet Files\Content.IE5\TWSZHTWX\rcverlib[1].exe Infected: Trojan.Win32.Pakes
C:\Documents and Settings\Aneta Kruk\My Documents\My Pictures\jacksunset.exe/WISE0021.BIN Infected: Trojan-Dropper.Win32.Small.jh
C:\Documents and Settings\Aneta Kruk\My Documents\My Pictures\jacksunset.exe Infected: Trojan-Dropper.Win32.Small.jh
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP186\A0046041.ini Infected: Backdoor.Win32.ServU-based
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP186\A0046084.ini Infected: Backdoor.Win32.ServU-based
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP187\A0046112.ini Infected: Backdoor.Win32.ServU-based
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP187\A0046119.ini Infected: Backdoor.Win32.ServU-based
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP188\A0046152.ini Infected: Backdoor.Win32.ServU-based
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP189\A0046208.ini Infected: Backdoor.Win32.ServU-based
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP189\A0046219.ini Infected: Backdoor.Win32.ServU-based
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP190\A0046323.ini Infected: Backdoor.Win32.ServU-based
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP190\A0046336.ini Infected: Backdoor.Win32.ServU-based
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP190\A0046356.ini Infected: Backdoor.Win32.ServU-based
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP191\A0046415.ini Infected: Backdoor.Win32.ServU-based
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP192\A0046445.ini Infected: Backdoor.Win32.ServU-based
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP193\A0047081.ini Infected: Backdoor.Win32.ServU-based
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP195\A0047268.ini Infected: Backdoor.Win32.ServU-based
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP196\A0047324.ini Infected: Backdoor.Win32.ServU-based
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP197\A0047356.ini Infected: Backdoor.Win32.ServU-based
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP200\A0047606.ini Infected: Backdoor.Win32.ServU-based
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP200\A0047628.ini Infected: Backdoor.Win32.ServU-based
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP202\A0048628.ini Infected: Backdoor.Win32.ServU-based
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP208\A0048878.ini Infected: Backdoor.Win32.ServU-based
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP211\A0049272.ini Infected: Backdoor.Win32.ServU-based
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP218\A0049511.ini Infected: Backdoor.Win32.ServU-based
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP218\A0049530.ini Infected: Backdoor.Win32.ServU-based
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP220\A0050128.ini Infected: Backdoor.Win32.ServU-based
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP222\A0050328.ini Infected: Backdoor.Win32.ServU-based
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP222\A0050451.bat Infected: Trojan.BAT.KillProc.a
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP228\A0050922.bat Infected: Trojan.BAT.KillProc.a
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP228\A0051038.dll Infected: Trojan.Win32.EliteBar.d
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP228\A0051039.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP228\A0051045.dll Infected: Trojan.Win32.EliteBar.d
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP228\A0051094.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP228\A0051095.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP230\A0051139.dll Infected: Trojan.Win32.EliteBar.f
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP230\A0051147.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP230\A0051148.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP230\A0051152.dll Infected: Trojan.Win32.EliteBar.f
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP230\A0051160.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP230\A0051161.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP231\A0051211.dll Infected: Trojan.Win32.EliteBar.f
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP231\A0051235.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP231\A0051236.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP232\A0052211.dll Infected: Trojan.Win32.EliteBar.f
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP232\A0052219.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP232\A0052220.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP232\A0053211.dll Infected: Trojan.Win32.EliteBar.f
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP232\A0053218.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP232\A0053219.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0053253.dll Infected: Trojan.Win32.EliteBar.f
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0053273.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0053274.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0054253.dll Infected: Trojan.Win32.EliteBar.f
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0054261.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0054262.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0054291.cpl Infected: Trojan-Downloader.Win32.Qoologic.ad
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0055253.dll Infected: Trojan.Win32.EliteBar.f
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0055261.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0055262.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0056253.dll Infected: Trojan.Win32.EliteBar.f
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0056261.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0056262.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0056269.dll Infected: Trojan.Win32.EliteBar.f
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0056277.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0056278.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0056281.dll Infected: Trojan.Win32.EliteBar.f
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0056313.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0056314.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0056318.dll Infected: Trojan.Win32.EliteBar.f
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0056326.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0056327.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0056336.dll Infected: Trojan.Win32.EliteBar.f
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0056344.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0056345.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0056369.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0056371.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0057363.dll Infected: Trojan.Win32.EliteBar.f
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0057370.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0057371.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0057502.dll Infected: Trojan.Win32.EliteBar.f
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0057545.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP233\A0057546.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP234\A0058502.dll Infected: Trojan.Win32.EliteBar.f
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP234\A0058510.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP234\A0058511.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP234\A0059502.dll Infected: Trojan.Win32.EliteBar.f
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP234\A0059510.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP234\A0059511.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP234\A0060502.dll Infected: Trojan.Win32.EliteBar.f
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP234\A0060510.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP234\A0060511.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP235\A0061502.dll Infected: Trojan.Win32.EliteBar.f
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP235\A0061510.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP235\A0061511.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP235\A0061520.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP235\A0061522.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP235\A0061525.cpl Infected: Trojan-Downloader.Win32.Qoologic.ad
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP235\A0061528.dll Infected: Trojan.Win32.EliteBar.f
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP235\A0061536.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP235\A0061551.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP235\A0061552.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP235\A0061581.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP235\A0061582.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP235\A0061601.exe Infected: Trojan-Downloader.Win32.VB.hw
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP235\A0061602.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP235\A0061604.exe Infected: Trojan-Downloader.Win32.Agent.qg
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP235\A0061605.exe Infected: Trojan-Downloader.Win32.Agent.vp
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP235\A0061607.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\WINDOWS\ssk3b5doublemedia.exe/data0005 Infected: Trojan-Dropper.Win32.Small.qn
C:\WINDOWS\ssk3b5doublemedia.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\WINDOWS\system32\93_app13.exe Infected: Trojan-Dropper.Win32.Agent.xw
C:\WINDOWS\system32\eoaaa.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\WINDOWS\system32\fksssss.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\WINDOWS\system32\Macromed\servu\ServUDaemon.ini Infected: Backdoor.Win32.ServU-based
C:\WINDOWS\system32\mmxdoubleexe.exe Infected: Trojan-Downloader.Win32.VB.jl
C:\WINDOWS\system32\s4ppsl.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\WINDOWS\system32\vgactl.cpl Infected: Trojan-Downloader.Win32.Qoologic.ad
C:\WINDOWS\system32\wuauclt.dll Infected: Trojan-Downloader.Win32.Qoologic.ae
C:\WINDOWS\Temp\k_5CFF.tmp Infected: Trojan.Win32.EliteBar.f
C:\WINDOWS\Temp\k_94E3.tmp Infected: Trojan.Win32.EliteBar.f

Scan process completed.

Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:49:34 AM, on 10/17/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\QW5ldGEgS3J1awAA\command.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\exe82.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\110790~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110790~1\EE\AOLServiceHost.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Adobe\Acrobat 5.0\Reader\AcroRd32.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\HJT\HijackThis.exe

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1107909060\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\s4ppsl.exe reg_run
O4 - HKLM\..\Run: [seli] C:\WINDOWS\exe82.exe
O4 - HKLM\..\Run: [elos] C:\WINDOWS\exe82.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .m14: C:\Program Files\Modern Age Books\Vbook\NPVbok32.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093393851460
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QW5ldGEgS3J1awAA\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: FireDaemon Service: IRoffer (IRoffer) - Sublime Solutions Pty Ltd - C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: FireDaemon Service: ServU (ServU) - Sublime Solutions Pty Ltd - C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#11
skate_punk_21

Posted 18 October 2005 - 07:51 AM

Malware Removal Expert

Retired Staff
1,049 posts

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! and install it. DO NOT RUN IT YET

Download WinPFind

Right Click the Zip Folder and Select "Extract All"
Extract it somewhere you will remember like the Desktop
Dont do anything with it yet!

Download Track qoo

Save it somewhere you will remember like the Desktop

Go to this file, and delete its contents, NOT THE FOLDER ITSELF:

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\

Download Killbox
Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Select each of the following files below with your mouse, then right click and select copy, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Now in Killbox go to, File then select, Paste from clipboard! Now hit the X button - choose YES when it asks if you want to reboot) Click Yes at the 'Pending Operations prompt'. if you see it:

C:\WINDOWS\system32\vgactl.cpl
C:\Documents and Settings\Aneta Kruk\My Documents\My Pictures\jacksunset.exe
C:\WINDOWS\ssk3b5doublemedia.exe
C:\WINDOWS\system32\93_app13.exe
C:\WINDOWS\system32\eoaaa.dll
C:\WINDOWS\system32\fksssss.dll
C:\WINDOWS\system32\Macromed\servu\ServUDaemon.ini
C:\WINDOWS\system32\mmxdoubleexe.exe
C:\WINDOWS\system32\s4ppsl.exe
C:\WINDOWS\system32\wuauclt.dll

Run CleanUp! Set the program up as follows:

Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following:
Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Scan local drives for temporary files (Please uncheck this option)
Cleanup! All Users

Click OK
Press the CleanUp! button to start the program. Reboot/logoff when prompted.

Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Doubleclick WinPFind.exe

Click "Start Scan"
It will scan the entire System, so please be patient!
Once the Scan is Complete
Go to the WinPFind folder
Locate WinPFind.txt
Place those results in the next post!

Reboot back to Normal Mode!

Double Click on "Track qoo.vbs"

Note - If you Antivirus has Script Blocking, you will get a Pop Up Windows asking you what to do. Allow this Entire Script to Run, its harmless!

Wait a few seconds and a notepad page will pop up, Copy & Paste those results and place them in the next post along with the results of WinPFind!

#12
Anker137

Posted 18 October 2005 - 01:27 PM

New Member

Topic Starter
Member
9 posts

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 10/16/2005 8:13:08 PM 16050847 C:\WINDOWS\LPT$VPN.893
qoologic 10/16/2005 8:13:08 PM 16050847 C:\WINDOWS\LPT$VPN.893
SAHAgent 10/16/2005 8:13:08 PM 16050847 C:\WINDOWS\LPT$VPN.893
UPX! 10/16/2005 8:13:12 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 10/16/2005 8:13:08 PM 16050847 C:\WINDOWS\VPTNFILE.893
qoologic 10/16/2005 8:13:08 PM 16050847 C:\WINDOWS\VPTNFILE.893
SAHAgent 10/16/2005 8:13:08 PM 16050847 C:\WINDOWS\VPTNFILE.893
UPX! 10/16/2005 8:13:10 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 10/16/2005 8:13:10 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
SAHAgent 4/2/2005 11:23:16 PM 35 C:\WINDOWS\SYSTEM32\bln02nqv.ini
PEC2 8/28/2002 10:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
SAHAgent 4/21/2005 8:05:32 PM 3107 C:\WINDOWS\SYSTEM32\gah95on6.ini
69.59.186.63 10/18/2005 1:59:38 PM 133120 C:\WINDOWS\SYSTEM32\krmmw.dll
209.66.67.134 10/18/2005 1:59:38 PM 133120 C:\WINDOWS\SYSTEM32\krmmw.dll
web-nex 10/18/2005 1:59:38 PM 133120 C:\WINDOWS\SYSTEM32\krmmw.dll
winsync 10/18/2005 1:59:38 PM 133120 C:\WINDOWS\SYSTEM32\krmmw.dll
PTech 8/3/2005 10:33:42 AM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
69.59.186.63 10/18/2005 1:59:38 PM 181760 C:\WINDOWS\SYSTEM32\ltccoic.dll
209.66.67.134 10/18/2005 1:59:38 PM 181760 C:\WINDOWS\SYSTEM32\ltccoic.dll
web-nex 10/18/2005 1:59:38 PM 181760 C:\WINDOWS\SYSTEM32\ltccoic.dll
winsync 10/18/2005 1:59:38 PM 181760 C:\WINDOWS\SYSTEM32\ltccoic.dll
PECompact2 10/4/2005 10:09:08 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 10/4/2005 10:09:08 PM 2293088 C:\WINDOWS\SYSTEM32\MRT.exe
UPX! 10/11/2005 1:09:34 AM 25105 C:\WINDOWS\SYSTEM32\MTE2ODM6ODoxNg.exe
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 10/15/2005 1:26:26 PM 199709 C:\WINDOWS\SYSTEM32\SetupCasino.exe
winsync 8/28/2002 10:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
69.59.186.63 10/18/2005 1:59:18 PM 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll
209.66.67.134 10/18/2005 1:59:18 PM 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll
66.63.167.97 10/18/2005 1:59:18 PM 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll
66.63.167.77 10/18/2005 1:59:18 PM 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll
web-nex 10/18/2005 1:59:18 PM 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll
winsync 10/18/2005 1:59:18 PM 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll
rec2_run 10/18/2005 1:59:18 PM 30720 C:\WINDOWS\SYSTEM32\wuauclt.dll

Checking %System%\Drivers folder and sub-folders...
UPX! 4/30/2004 3:54:02 PM 356256 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
FSG! 4/30/2004 3:54:02 PM 356256 C:\WINDOWS\SYSTEM32\drivers\avg7core.sys
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/18/2005 3:01:30 PM S 2048 C:\WINDOWS\bootstat.dat
10/18/2005 2:59:54 PM H 24 C:\WINDOWS\pqc5H
10/16/2005 8:32:54 PM H 54156 C:\WINDOWS\QTFont.qfn
10/4/2005 9:17:40 PM S 21737 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
9/28/2005 11:53:30 AM S 17402 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
9/9/2005 7:15:08 PM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB901017.cat
8/29/2005 9:25:44 PM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB904706.cat
8/22/2005 2:48:28 PM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905414.cat
8/22/2005 9:03:36 PM S 11084 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905749.cat
10/18/2005 3:01:18 PM H 8192 C:\WINDOWS\system32\config\default.LOG
10/18/2005 3:02:54 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
10/18/2005 3:01:34 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
10/18/2005 3:02:56 PM H 61440 C:\WINDOWS\system32\config\software.LOG
10/18/2005 3:01:42 PM H 1052672 C:\WINDOWS\system32\config\system.LOG
10/14/2005 1:51:34 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
10/18/2005 3:00:20 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
8/19/2003 3:20:04 AM 180224 C:\WINDOWS\SYSTEM32\ac3filter.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/28/2002 10:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/28/2002 10:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 12/14/2003 10:20:50 AM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/28/2002 10:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
10/16/2005 7:41:54 PM 31744 C:\WINDOWS\SYSTEM32\vgactl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
The Weather Channel Interactive8/23/2005 3:08:42 AM 3046016 C:\WINDOWS\SYSTEM32\wxfw.cpl
Microsoft Corporation 8/28/2002 10:00:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/28/2002 10:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/28/2002 10:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/9/2002 3:33:50 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
8/19/2004 6:48:38 PM 10 C:\Documents and Settings\All Users\Application Data\DirectCDUserNameD.txt

Checking files in %USERPROFILE%\Startup folder...
10/14/2005 2:40:52 AM 1922 C:\Documents and Settings\Aneta Kruk\Start Menu\Programs\Startup\Clean Access Agent.lnk
9/9/2002 10:49:58 AM HS 84 C:\Documents and Settings\Aneta Kruk\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
9/9/2002 3:33:50 AM HS 62 C:\Documents and Settings\Aneta Kruk\Application Data\desktop.ini
10/15/2005 1:42:06 PM 58 C:\Documents and Settings\Aneta Kruk\Application Data\Sskdmns.dll
10/15/2005 10:21:12 AM 469355 C:\Documents and Settings\Aneta Kruk\Application Data\Sskknwrd.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =
acc=jocker =
acc=ventura5 =
acc=none =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mtyyxfym
{1bcc5683-96e5-43eb-8d7a-de248e1897d6} = C:\WINDOWS\system32\krmmw.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}
= C:\WINDOWS\system32\wuauclt.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\CmdMapping
MenuText = :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{85d1f590-48f4-11d9-9669-0800200c9a66}
MenuText = Uninstall BitDefender Online Scanner v8 :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}
MenuText = Java :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
ButtonText = MoneySide :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
{5776A2BC-D803-47F6-9DC0-8344DB8D604C} = :
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{4982D40A-C53B-4615-B15B-B5B5E98D167C} = :
{5776A2BC-D803-47F6-9DC0-8344DB8D604C} = :
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CARPService carpserv.exe
Cpqset C:\Program Files\HPQ\Default Settings\cpqset.exe
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
PreloadApp c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
srmclean C:\Cpqs\Scom\srmclean.exe
Display Settings C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
QT4HPOT C:\Program Files\HPQ\One-Touch\OneTouch.EXE
SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
AVG7_CC C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
vptray C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
HostManager C:\Program Files\Common Files\AOL\1107909060\EE\AOLHostManager.exe
AOLDialer C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
winsync C:\WINDOWS\system32\drttia.exe reg_run
seli C:\WINDOWS\exe82.exe
elos C:\WINDOWS\exe82.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Yahoo! Pager C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
DW4 "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
CMSystem "C:\Program Files\CMSystem\CMSystem.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
= C:\WINDOWS\System32\NavLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/18/2005 3:10:43 PM

AND THE TRACK LOG:

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"PreloadApp"="c:\\hp\\drivers\\printers\\photosmart\\hphprld.exe c:\\hp\\drivers\\printers\\photosmart\\setup.exe -d"
"srmclean"="C:\\Cpqs\\Scom\\srmclean.exe"
"Display Settings"="C:\\Program Files\\HPQ\\Notebook Utilities\\hptasks.exe /s"
"QT4HPOT"="C:\\Program Files\\HPQ\\One-Touch\\OneTouch.EXE"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"vptray"="C:\\PROGRA~1\\SYMANT~1\\SYMANT~1\\vptray.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1107909060\\EE\\AOLHostManager.exe"
"AOLDialer"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"winsync"="C:\\WINDOWS\\system32\\drttia.exe reg_run"
"seli"="C:\\WINDOWS\\exe82.exe"
"elos"="C:\\WINDOWS\\exe82.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

-----------------
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

Subkey --- AVG7 Shell Extension
{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}
C:\Program Files\Grisoft\AVG7\avgse.dll

Subkey --- ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}
C:\Program Files\ewido\security suite\context.dll

Subkey --- LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C}
C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll

Subkey --- mtyyxfym
{1bcc5683-96e5-43eb-8d7a-de248e1897d6}
C:\WINDOWS\system32\krmmw.dll

Subkey --- Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03}
C:\WINDOWS\System32\cscui.dll

Subkey --- Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- WinZip
{E0D79304-84BE-11CE-9641-444553540000}
C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin
C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers

Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}
C:\WINDOWS\system32\SHELL32.dll

Subkey --- {6EC11407-5B2E-4E25-8BDF-77445B52AB37}
C:\WINDOWS\system32\wuauclt.dll

==============================
C:\WINDOWS\system32\MsSvc16

==============================
C:\Documents and Settings\Aneta Kruk\Start Menu\Programs\Startup

Clean Access Agent.lnk
desktop.ini
==============================
C:\WINDOWS\system32 cpl files

ac3filter.cpl
appwiz.cpl Microsoft Corporation
bthprops.cpl Microsoft Corporation
desk.cpl Microsoft Corporation
firewall.cpl Microsoft Corporation
hdwwiz.cpl Microsoft Corporation
inetcpl.cpl Microsoft Corporation
intl.cpl Microsoft Corporation
irprops.cpl Microsoft Corporation
joy.cpl Microsoft Corporation
main.cpl Microsoft Corporation
mmsys.cpl Microsoft Corporation
ncpa.cpl Microsoft Corporation
netsetup.cpl Microsoft Corporation
nusrmgr.cpl Microsoft Corporation
odbccp32.cpl Microsoft Corporation
powercfg.cpl Microsoft Corporation
QuickTime.cpl Apple Computer, Inc.
sysdm.cpl Microsoft Corporation
telephon.cpl Microsoft Corporation
timedate.cpl Microsoft Corporation
vgactl.cpl
wscui.cpl Microsoft Corporation
wuaucpl.cpl Microsoft Corporation
wxfw.cpl The Weather Channel Interactive

THANK YOU :tazz:

#13
skate_punk_21

Posted 18 October 2005 - 10:04 PM

Malware Removal Expert

Retired Staff
1,049 posts

C:\WINDOWS\SYSTEM32\bln02nqv.ini
C:\WINDOWS\SYSTEM32\gah95on6.ini
C:\WINDOWS\SYSTEM32\krmmw.dll
C:\WINDOWS\SYSTEM32\ltccoic.dll
C:\WINDOWS\SYSTEM32\MTE2ODM6ODoxNg.exe
C:\WINDOWS\SYSTEM32\SetupCasino.exe
C:\WINDOWS\SYSTEM32\wuauclt.dll
C:\WINDOWS\SYSTEM32\ac3filter.cpl
C:\WINDOWS\SYSTEM32\vgactl.cpl
C:\Documents and Settings\Aneta Kruk\Application Data\Sskdmns.dll
C:\WINDOWS\system32\drttia.exe
C:\WINDOWS\exe82.exe

Reboot your computer NOW

Copy the following into Notepad, and save it as "delete.reg" WITH THE QUOTATIONS. Save this file to your desktop for easy access.

REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\mtyyxfym\{1bcc5683-96e5-43eb-8d7a-de248e1897d6}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsync"=-
"seli"=-
"elos"=-

Double click this file "delete.reg" and allow it to merge with the registry.

Reboot once more

Post a fresh HijackThis Log

#14
Anker137

Posted 18 October 2005 - 11:54 PM

New Member

Topic Starter
Member
9 posts

Logfile of HijackThis v1.99.1
Scan saved at 1:53:14 AM, on 10/19/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\QW5ldGEgS3J1awAA\command.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\AOL\110790~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\110790~1\EE\AOLServiceHost.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.newpaltz.edu/
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1107909060\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CMSystem] "C:\Program Files\CMSystem\CMSystem.exe"
O4 - Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .m14: C:\Program Files\Modern Age Books\Vbook\NPVbok32.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O14 - IERESET.INF: START_PAGE_URL=http://qus8l.hpwis.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093393851460
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\QW5ldGEgS3J1awAA\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: FireDaemon Service: IRoffer (IRoffer) - Sublime Solutions Pty Ltd - C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: FireDaemon Service: ServU (ServU) - Sublime Solutions Pty Ltd - C:\WINDOWS\System32\Macromed\fdaemon\FireDaemon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Thank You! :tazz:

#15
skate_punk_21

Posted 19 October 2005 - 07:50 AM

Malware Removal Expert

Retired Staff
1,049 posts

Check and fix the following in HijackThis
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - C:\WINDOWS\system32\wuauclt.dll (file missing)

Perform an online scan with Internet Explorer with

Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Standard
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

Take note the names and locations of any file it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Please Post the Results of this scan, as well as a fresh HijackThis Log.