coolsearch and trek blue error nuker [CLOSED]

This topic is locked

#1 James_mac (New Member, 5 posts)

Hi

I have followed the steps on the Geeks to Go page dealing with malware removal. The only thing that I have not been able to do is get the Microsoft Service Pack 3 update to load. Is this because my machine is still infected? There are a few things that seem to persist, CoolWebSearch and Trek Blue Error Nuker, which are identified by Spybot Search & Destroy but which it cannot remove, even on rescanning after rebooting. HouseCall also identified 4 viruses which it could not remove as they were in use; I have copied down the name and file path of one.

I don't really understand the results, but looking at the number of problems that ewido found, things were pretty messed up.

HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 20:38:52, on 02/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\d3hg32.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\atlyw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\Internet\icc\icc2000.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\James\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cuvco.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cuvco.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fastmail.fm/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cuvco.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cuvco.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cuvco.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\euudr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://product.corel...=tutorial&ver=8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {F9B855F1-C37E-F3A9-43FE-89E50B8A6AA5} - C:\WINDOWS\netqu32.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_18_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [appyk32.exe] C:\WINDOWS\appyk32.exe
O4 - HKLM\..\Run: [ipmn32.exe] C:\WINDOWS\ipmn32.exe
O4 - HKLM\..\Run: [mfcqr32.exe] C:\WINDOWS\mfcqr32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [atlyw.exe] C:\WINDOWS\system32\atlyw.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3E18C94-FE09-4506-ADA9-3FE713443068}: NameServer = 80.225.252.50 80.225.252.58
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\d3hg32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

ewido log (if it's any use)

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 15:49:26, 02/10/2005
+ Report-Checksum: 6B187DC5

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{00AF6BF7-1C8A-2F68-11A6-3DD4FD5A3DED} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{05971453-FE87-CB75-BB1F-338A196198B0} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{05C2ECE7-AB9F-8750-F571-7DD76F135929} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{06559367-A395-44B2-D6A0-0631D6323797} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{07A70617-8D17-A480-A5CF-0FCA3C65180D} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{08A3BAAE-CEB8-766F-9585-A831A8E94068} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0AD1A770-F33D-516E-A6BD-A3AEB8568EAC} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0ADD4D53-B7DD-20F8-2AC9-AB9CB538A46F} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0ADEF183-C204-6BFB-2DA8-5C12061DE911} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0B4F9B2C-F81D-7C42-AE33-07F0FCB846EC} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0ECEBD98-802F-9B4D-7308-C983A18EDBEC} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{109FCEAD-8C5C-5B76-3BB3-A646D2B52C93} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{1B9CEE94-E0D7-13CF-2DA8-CA3C766EAAD0} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{1DE20533-9118-BF9A-A6C6-F8E881A5FD4B} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{1EA0CE66-D6D5-2CEB-D734-97906011F9A8} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{208BD4D8-3DA2-3736-A8E6-F3AF3479FA31} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{26F5CDB0-3ADD-70F3-F30F-8DD2B92D52FF} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{29CDA41A-A8EB-6A68-BBF5-2877418D55C7} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B284248-D0FE-C340-0D87-ABD55DD24BFA} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2BFAB072-A3F3-0A97-6990-3673392B7DFC} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2D9BB7B5-D27A-5907-A874-72E04FC719E8} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2FB10B1F-E342-08A1-CBAA-D4A2CD2ABAC6} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{30C5202D-2CDD-8C6D-6CD3-86CBAC73988B} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{32FB9A97-C47A-795A-3B47-9A97C1448DFC} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3508830D-8A20-1C38-52A8-8DC8B11EE6F4} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3757D8EC-FD1D-A2F5-366B-C8C2FEE89B04} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{38D4E2FB-BB30-60CB-0D77-12064B5A0EE4} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3BAA3AE9-9C0B-E08A-A982-9818F457337E} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3C2E0AC2-347B-07FF-761D-31083C460F98} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3EA8A165-1EE8-2BEF-A8D1-9CDBD760FC43} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{44CE9131-E13C-D36A-083A-FAFF61E866CA} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{46C8C875-7053-566F-B7DF-A8735884B10E} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{4C96C433-2EDC-3926-B873-410DB1199685} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{529D86BB-85DC-FC40-1699-BECC09038E95} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{53741D3E-19CE-5959-0908-3BB13C3C3990} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{5E60DAD4-D59A-D1EA-A0B3-BD226EE43523} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{5F4B11A7-C0A8-0B95-8741-481C8B0029E3} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6327D790-4626-130D-8171-E0E6AB10B53B} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{63DCBFC8-9F1C-3DA5-A957-E5BCF32589B1} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{65D75D06-7395-6352-09CD-E13B9059EFE9} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{67654C62-B847-D47B-7386-202E338F4761} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6A389597-708B-6F9D-B6EC-8D1A3EC9DFAF} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6C652E08-1C50-09D2-7DC8-0714DB258C39} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6C69E2F6-F200-55DF-18C6-3C368029FD3E} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{71476230-0B89-E69D-D223-279F989C21BB} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{714C2287-DB2D-3514-4785-8EC21BA5C5F1} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{72071605-48F5-CC68-B374-2CDDF451F27F} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{76518006-D7C5-4C71-68F4-DA79559FA482} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{786A41BB-009D-DD27-EA3E-15DCD01EC75C} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7904D3DD-22E5-C0C1-0648-E66A3897E380} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{792A038A-9C16-9885-5B25-CE939788172A} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{818D123D-B7CF-1169-DD32-2310AD262479} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{821C8BB3-C516-BEE5-C6A4-ECF0D92BF426} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{83CBE2FB-4038-4351-9B1C-E69BF75962AA} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{841CB982-C366-4290-3F00-95A1A5F3C340} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{85F1C7FC-7359-D6D5-C42B-F3E410DB4CAD} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8669ABB2-7410-3460-F449-E119DCA24CC4} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{88289CAD-8761-B286-1697-48C2E3A53747} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{88A231A2-F032-EDB4-2CC3-64FC896F8F22} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8A50C2FE-C00E-0C19-DC1A-BCABABE155C3} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8BBD3FEB-8F56-FA45-F83E-0589E7E09434} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8CD1D4D3-8260-44A7-67DD-A71E995AB77F} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8E883EC3-ABB5-0CD9-EC0A-78CB81A818D1} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8F60435F-DF74-6308-E8CB-509D69906821} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{905BD5E4-261C-4EFD-5456-CD124D7B9D18} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9320654E-9DD7-7B4E-FD11-BE169AC706F5} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{952B27F0-D129-A966-5DF7-9E2D52C7E338} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{966FA744-197F-E95E-EB31-73BE39619DE2} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{96EEA21B-4AA3-4627-EA0A-176241DBD1A4} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{97E37285-B9D3-035E-821F-3EBE4F849C3D} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9B9D4A7D-1232-E364-432D-B58ECFAE5AF4} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9E2092B1-77DB-2A6A-A476-8BAA6CC65237} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9F1D249D-1545-56CD-0C52-0C2EE115ABB1} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A167704A-0F01-8543-16A8-ECF3EBA5DC01} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A1BC7CDD-070B-7E5C-FEAD-F4789795AD1A} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{AB8789CE-01B6-4B58-C2C0-77D8144D5741} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{ABFF8236-DCBD-E17B-0A69-6FD85FA199FE} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B30EFD56-F6AF-2F6B-C3AB-6571E5627F1F} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B38F516E-48F2-CDBB-7D76-E0CFBCDBEE45} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B4D50626-AAF0-64AC-F1D5-8A697DD0E515} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B53A1210-39B9-B7A9-EC40-490716CA4A8D} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5872D9A-BAAF-EE65-E0A0-6D49EFD1D166} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B595A235-53A2-27D5-EFF6-D0208801D071} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B7F4D50B-EAC3-A3F3-769F-96194A8DECDE} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B91259B9-BE3B-D475-8861-62B879410E5E} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC0DC8BD-646D-FA46-8739-116B4F8B8228} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BCA234F8-DBE0-1CBE-CE94-63240442E405} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BD757058-7180-2CE5-E5B6-8C70AEF236CC} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C21C6790-58A0-81BD-58F6-11EF55D9BADF} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C2FE095E-5BA7-FBC8-5387-2878C932A44F} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C39816D8-BA82-0890-929F-D27B4B0A27F0} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C3CBD491-14A8-F1D3-52CC-F2038BD5FDDE} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C42CF26E-2B02-05DE-7D7B-A16C5C2095BB} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C432F8C9-5E41-F564-674E-C21B8257061B} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C436BE04-B80F-3F1B-B592-67B6C8C95688} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C927A651-6768-ED9E-C3ED-CBD9A6CF4B22} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{CAEA3DE4-DAC7-8DF9-1A53-651E63E86CDF} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{CC6B2B65-2D60-CC2D-B4A6-7C0945964771} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D02510A9-69A7-24D5-85DA-D3EC8E911C73} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D0EFC5AD-B041-13C1-482F-CF46EFEFF6C3} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D27DD7B4-A72B-4B66-2BD3-262B793A3C2C} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D377FF80-B093-7377-D7F1-2D8792CCF322} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D4451521-F203-568E-2657-C5AD1F0B1F77} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D605EAFF-2C3A-4619-43C1-4FFB062F68DE} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D6C7DB36-C0AC-C91F-B408-61A55E5AB6C5} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D85FBAA5-5F33-6173-D800-EFD4E38AE63E} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{DB3FF0A6-7AD3-085E-3E59-A4318E82D4A8} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{DE2D7676-D3B6-1EDB-60CA-DA72D6F9B006} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{DF7066E9-8EE8-8682-F43E-2BF8E7E7D760} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{DF7346F5-4EB1-7F19-9320-5E86CBCBDA80} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E365460D-7563-2763-5E38-85F172854EAC} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E43C16BE-9904-7881-7685-DEE7D759572D} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E4E0C452-0B6D-5B6B-E0AD-5D2B7C054116} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{EC6CC6A4-2DE4-7D97-7906-9D8567369627} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{EDB7FF48-2CC7-7131-A993-53C8F83DD550} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{EF24BEB1-9592-9F8F-4B29-99399FD2C231} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F1B10CDC-1975-EC0C-C522-2571525E92CF} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F6EB941E-9DCD-6E07-E139-D2AB90BAAE62} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F704A16D-BA8A-0DD4-CB9E-F0FA4A957D8D} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F99D5FC9-1F47-B6F5-F1D5-55AFEAD2853A} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FBC662AC-AA0D-1389-1431-40872CBDACA2} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FBD21FB3-D80F-1A9B-2038-2D60684CDEE0} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FC955BB2-DAA2-E394-1DD3-E8A207B823A6} -> Spyware.BetterInternet : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FE0CF482-D7A9-BD18-0056-CF55E4EDD446} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\sjpnb.kweg\CLSID\\ -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\sjpnb.kweg.731\CLSID\\ -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\stxhh.lkxb\CLSID\\ -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\stxhh.lkxb.67\CLSID\\ -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW -> Spyware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-2402176205-2388694604-3376360526-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FBC662AC-AA0D-1389-1431-40872CBDACA2} -> Spyware.CoolWebSearch : Cleaned with backup
[1160] C:\WINDOWS\atlaj32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
[2680] C:\WINDOWS\netqu32.dll -> TrojanDownloader.Agent.bc : Error during cleaning
C:\Documents and Settings\James\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-6fd9f626-741f8e5f.class -> TrojanDownloader.Small.wv : Cleaned with backup
C:\Documents and Settings\James\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-1199dff7-51ca946a.zip/Gummy.class -> Trojan.Java.Femad : Cleaned with backup
C:\Documents and Settings\James\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-58581c27-786523e2.zip/Gummy.class -> Trojan.Java.Femad : Cleaned with backup
C:\Documents and Settings\James\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar3.jar-7dbaf4a8-3f4630ab.zip/Gummy.class -> Trojan.Java.Femad : Cleaned with backup
C:\Documents and Settings\James\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv410.jar-5d95cdd-42f913cf.zip/Matrix.class -> TrojanDownloader.Java.OpenStream.c : Cleaned with backup
C:\Documents and Settings\James\Cookies\james@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\James\Cookies\james@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\WINDOWS\ActiveSkin.INI:cikvb -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ActiveSkin.INI:erpqpm -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\ActiveSkin.INI:gqzdm -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ActiveSkin.INI:oqxhx -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ActiveSkin.INI:rbkop -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ActiveSkin.INI:rqijp -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ActiveSkin.INI:uhzbs -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ActiveSkin.INI:xayce -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\adidsl.ini:gtnawx -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\adidsl.ini:txxxl -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\adidsl.ini:uxyik -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\adidsl.ini:yflds -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\adiras.ini:dxjcq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\adiras.ini:ldrkw -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\adiras.ini:nwkdmh -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\appng.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\atlyg32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\awhqt.dat:osmvq -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\awwsc.dat:hwbst -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\awwsc.dat:okxfh -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\awwsc.dat:rhjsx -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\awwsc.dat:robtu -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\awwsc.dat:yawtt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\babnd.log:mzruh -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\bgvbi.txt:fpblt -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\bgvbi.txt:irgmw -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\bgvbi.txt:osoxc -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\bgvbi.txt:yrthz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\bicpw.dat:inixwc -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\Blue Lace 16.bmp:bccvc -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\Blue Lace 16.bmp:ckltm -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Blue Lace 16.bmp:lvztu -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\Blue Lace 16.bmp:rgdyn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\bootstat.dat:ewoan -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\bootstat.dat:gevsj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\bootstat.dat:vdctp -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\bootstat.dat:vwavb -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\bootstat.dat:wjubj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\bootstat.dat:ztpfm -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\bpvvp.txt:aoacqe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\bpvvp.txt:cnmea -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\bpvvp.txt:tlxaew -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\bpvvp.txt:wcpfm -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\bqxwu.log:xtund -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\canwc.dat:srcye -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\cdplayer.ini:uosny -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\cdplayer.ini:vwddj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\cjsya.log:lcqdg -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\cjsya.log:vvfzd -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\clock.avi:eybqh -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\clock.avi:pjvri -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\clock.avi:wfuus -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\clock.avi:ykcxm -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\cmsetacl.log:cpmlq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\cmsetacl.log:ljbfi -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\cmsetacl.log:onjbt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\cmsetacl.log:qqmwp -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\cmsetacl.log:sxnlp -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Coffee Bean.bmp:fgqqh -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\Coffee Bean.bmp:mmqgyz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Coffee Bean.bmp:ujuct -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Coffee Bean.bmp:wiruw -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\COM+.log:edfoz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\COM+.log:jkwip -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\COM+.log:pqrlj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\COM+.log:stlqw -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\COM+.log:zpxhcz -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\comsetup.log:gxdox -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\comsetup.log:heayi -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\comsetup.log:ttxxg -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\control.ini:dlfja -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\control.ini:ejosn -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\control.ini:jlyjx -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\control.ini:noxpw -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\control.ini:wdcod -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\cpjgh.txt:acykf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\cpjgh.txt:ilgpi -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\cpjgh.txt:lgtui -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\cpjgh.txt:xvnsvr -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\cpjgh.txt:ypikz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\crre32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\cyyaj.txt:oxili -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\cyyaj.txt:psfug -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\dahotfix.log:qxavt -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\dahotfix.log:rtdwwi -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\dahotfix.log:sylew -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\dahotfix.log:tcozn -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\desktop.ini:escoyn -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\desktop.ini:ggqlf -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\desktop.ini:rsrtz -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\desktop.ini:tdrpz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\desktop.ini:wvihc -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\dhall.txt:oacea -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\dhall.txt:svcik -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\dhall.txt:zyxqw -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\djuyi.log:fmckd -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\djuyi.log:xpnqd -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\dptrm.dat:cvekk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\dptrm.dat:fkdjy -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\dptrm.dat:smval -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\dptrm.dat:xbczj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\drogp.log:dawxt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\drogp.log:uhoeu -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\drogp.log:xmezqu -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\drogp.log:xoqlo -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\drogp.log:yvkwh -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\DtcInstall.log:ctcmv -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\DtcInstall.log:iofca -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\DtcInstall.log:ufqjb -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\DtcInstall.log:whenf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\DtcInstall.log:xyndq -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\DtcInstall.log:zcnpw -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\dyesm.txt:dwfbg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\dyesm.txt:mxmzi -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\dyesm.txt:qabeb -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\efxfw.dat:baxoa -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\efxfw.dat:bybrz -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ewtif.txt:esaet -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ewtif.txt:iqzbr -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ewtif.txt:lmpuh -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ewtif.txt:qnwese -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ewtif.txt:ziwhe -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\explorer.scf:bylfh -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\explorer.scf:dijrp -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\explorer.scf:hpted -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\explorer.scf:ivpyc -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\explorer.scf:qktwd -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\explorer.scf:qlgcu -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\explorer.scf:whmwj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\explorer.scf:xayow -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\explorer.scf:ytnye -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\Fast800.ini:udtfx -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Fast800.ini:wxdbq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\FaxSetup.log:bmnzf -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\FaxSetup.log:qeprd -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\FaxSetup.log:yndrzd -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\fcdij.log:uwvwx -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\fcdij.log:xzxke -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\fdfbp.log:kfanl -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\fdfbp.log:mxeyy -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\fdfbp.log:mzecw -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\fdfbp.log:twuwa -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\FeatherTexture.bmp:lwhvo -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\fglhs.log:ckzrs -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\fglhs.log:pudxp -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\fglhs.log:qrqit -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\fivkx.dat:acjgs -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ftrcd.log:fyygt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ftrcd.log:nfqmn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ftrcd.log:vhegi -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ftrcd.log:xzpju -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\fxsqu.dat:ggmgk -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\fxsqu.dat:kxvsw -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\fxsqu.dat:moqku -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\fxsqu.dat:qmrnb -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\gehml.dat:jyzwt -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ggvbp.dat:blbsh -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ggvbp.dat:kpagj -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ggvbp.dat:rsxiq -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ggvbp.dat:xdegg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ggvbp.dat:xewsu -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ggvbp.dat:xpftr -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ghger.txt:vzgks -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Gone Fishing.bmp:cgotc -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\Gone Fishing.bmp:dbjvo -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Gone Fishing.bmp:hwasn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\Gone Fishing.bmp:ilpbj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Gone Fishing.bmp:jiodr -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Gone Fishing.bmp:jjxhe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Gone Fishing.bmp:junux -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\Gone Fishing.bmp:mqrbc -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Gone Fishing.bmp:oqpeb -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Gone Fishing.bmp:rgqxs -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Gone Fishing.bmp:vecxne -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\gqehm.dat:bsqlv -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\gqehm.dat:cusci -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\gqehm.dat:evyvv -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\gqehm.dat:kvtnb -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\gqehm.dat:vdnjx -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\gqehm.dat:vmedv -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\gqehm.dat:wpayl -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\Greenstone.bmp:dxajy -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Greenstone.bmp:fxggd -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\Greenstone.bmp:hryqa -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\Greenstone.bmp:tfqkse -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\Greenstone.bmp:viiaj -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\Greenstone.bmp:vqzuf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Greenstone.bmp:xqgwt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Greenstone.bmp:yhbxj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\gscuq.log:pdiyr -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\gscuq.log:tncyy -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\gscuq.log:uhdjt -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\gscuq.log:uydbe -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\gscuq.log:vpmphr -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\gscuq.log:zptfp -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\gtsmd.log:elakn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\gtsmd.log:hcryf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\gtsmd.log:pvirj -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\gtsmd.log:ripry -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\gtsmd.log:zphiz -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\gtuey.log:jflhp -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\hbmdr.log:voefx -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\hhkoz.dat:ctatn -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\hhkoz.dat:mkojk -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\hhkoz.dat:moqft -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\hhkoz.dat:qatus -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\hhkoz.dat:stozo -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\hzagz.txt:dziuo -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\hzagz.txt:efxfwm -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\hzagz.txt:gkmlf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ibmjb.txt:gimih -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ibmjb.txt:leescc -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\ibmjb.txt:njqzts -> Spyware.SearchPage : Cleaned with backup
C:\WINDOWS\ibmjb.txt:sqllk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ibmjb.txt:ybyhj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\idgaf.log:aetig -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\idgaf.log:fgedy -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\idgaf.log:fsgta -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\idgaf.log:jyrkv -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\idgaf.log:ksbjx -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\idgaf.log:mutws -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\idgaf.log:nwuxd -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\idgaf.log:rolxi -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\idgaf.log:ufuvf -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\idgaf.log:wkesb -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\iebhn.log:fhqjv -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\iebhn.log:gdpub -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\iebhn.log:nsvmk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\iebhn.log:oxncqg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\iebhn.log:pmdvk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\iebhn.log:qzjqz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\iebhn.log:vhiag -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\iis6.log:awtbf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\iis6.log:dmskl -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\iis6.log:efxfwm -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\iis6.log:krwqe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\iis6.log:lwbbx -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\iis6.log:qlohn -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\iis6.log:rytom -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\iis6.log:stizo -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\iis6.log:wghkzo -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\imsins.log:ckoix -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\imsins.log:nuihj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\imsins.log:rdpeo -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\imsins.log:wpakw -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ipegw.log:bcwmo -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ipegw.log:dywze -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ipegw.log:jqtiz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\ipegw.log:wlugj -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ipegw.log:xwkdeu -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ixdsi.dat:fgfob -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\jautoexp.dat:lqkmqf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\jautoexp.dat:nktrt -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\jsloi.log:hrlck -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\jsloi.log:uruds -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\jsloi.log:xsmey -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\jwglr.dat:gtuey -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\jwglr.dat:oibil -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\jwglr.dat:qddyl -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\jwglr.dat:qihwu -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\jwglr.dat:qyypa -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\jwglr.dat:utmcs -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\jwglr.dat:zbsxd -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\jwglr.dat:zsfpn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\jxtya.log:deiopg -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\jxtya.log:juplj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\jzqag.dat:cewahz -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\jzqag.dat:ncqyq -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\jzqag.dat:oehwql -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\jzqag.dat:qatus -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\jzqag.dat:yrbtc -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\kafmb.txt:ojxwu -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\KB818332.log:dutrk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\KB818332.log:pvwqr -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\KB818332.log:uzfhi -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\KB820128.log:nzzra -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\KB820128.log:sxdkk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\KB820128.log:zrgty -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\KB821187.log:begih -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\KB821187.log:cieaz -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\KB821187.log:jcviz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\KB821187.log:nmztt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\KB821187.log:rnfxv -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\KB821187.log:vfgnbj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\KB822603.log:hmfrg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\KB822603.log:ydwcp -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\KB823182.log:gihys -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\KB823182.log:ktihk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\KB823182.log:orezg -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\KB823182.log:uyfng -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\KB823182.log:zmnwb -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\KB824076.log:bfayw -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\KB824076.log:fvxuo -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\KB824076.log:gcdkd -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\KB824076.log:kjyly -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\KB824076.log:yfawm -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\KB824076.log:yvtrn -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\KB824105.log:knqcpt -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\KB824105.log:nczba -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\KB824105.log:nocme -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\KB824105.log:ttdfju -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\KB824141.log:bpdmf -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\KB824141.log:hmvxy -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\KB824141.log:mwdmn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\KB824141.log:spzjo -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\K
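The `file:name` notation in the ewido hits above is NTFS alternate data stream syntax: `C:\WINDOWS\bootstat.dat:ewoan` is a stream called `ewoan` attached to the legitimate `bootstat.dat`, not a file of its own. The following Python is an added example for this thread, not ewido's code and not the poster's. It parses lines of that shape, separates host file from stream name without mistaking the drive-letter colon for the stream separator, tells plain-file hits such as `crre32.dll` apart from stream hits, and tallies hosts and detection families. The sample lines are constructed in the shape of the posted log; the function names are this example's own.

```python
"""Parse ewido-style scan lines that report NTFS alternate data streams (ADS).

Added example for this thread; not ewido's code.  The sample lines are
constructed in the shape of the posted log.  Function names are this
example's own.
"""
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the posted ewido log: one hit per line,
# "<path>[:<stream>] -> <detection> : <action>".
SAMPLE_LOG = r"""
C:\WINDOWS\bootstat.dat:ewoan -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\bootstat.dat:gevsj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Blue Lace 16.bmp:bccvc -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\crre32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\FaxSetup.log:yndrzd -> Spyware.SearchPage : Cleaned with backup
"""

LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>[^:]+?) : (?P<action>.+)$")


def split_stream(path):
    """Split 'C:\\dir\\file.ext:stream' into (host_file, stream).

    NTFS names a stream as '<file>:<stream>'.  The colon after the drive
    letter is not a stream separator, so only a colon that appears after the
    last backslash counts.  Returns (path, None) for a plain file.
    """
    last_sep = path.rfind("\\")
    colon = path.find(":", last_sep + 1)
    if last_sep == -1 or colon == -1:
        return path, None
    return path[:colon], path[colon + 1:]


def parse_log(text):
    """Return one dict per recognised line; unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        host, stream = split_stream(m["path"])
        entries.append({
            "host": host,
            "stream": stream,          # None for a plain-file hit
            "detection": m["detection"],
            "action": m["action"],
        })
    return entries


def streams_by_host(entries):
    """Map each host file to the sorted list of malicious streams found on it."""
    hosts = defaultdict(list)
    for e in entries:
        if e["stream"] is not None:
            hosts[e["host"]].append(e["stream"])
    return {host: sorted(names) for host, names in hosts.items()}


def detection_counts(entries):
    """Count hits per detection name, streams and plain files alike."""
    return Counter(e["detection"] for e in entries)


def plain_file_hits(entries):
    """Hits where the whole file, not a stream on it, is the detection.

    These are the ones to cross-check against autorun entries.  A host such
    as bootstat.dat is a legitimate system file: the stream is removed, the
    host is not.
    """
    return [e["host"] for e in entries if e["stream"] is None]


if __name__ == "__main__":
    found = parse_log(SAMPLE_LOG)
    for host, names in streams_by_host(found).items():
        print(f"{host}: {len(names)} stream(s) {names}")
    print("plain files:", plain_file_hits(found))
    print("by detection:", dict(detection_counts(found)))
```

On the XP machine in this thread the hosts (bootstat.dat, desktop.ini, the stock wallpaper bitmaps) are legitimate, so it is the streams that get removed, not the files. Windows XP has no `dir /r` (that switch arrived with Vista); Sysinternals Streams is the usual way to list and delete streams there.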


#2
Buckeye_Sam
    Malware Expert
  • Member
  • 10,019 posts
Hi and welcome to GeeksToGo! My name is Sam and I will be helping you.

Before we can get started on fixing your problem you must change the location of Hijackthis. It should not run directly from your desktop or a temp directory. Please create a directory on your c: drive called c:\hijackthis and download and unzip hijackthis into that directory. Run the program from that directory from now on. It is essential that you follow these steps or certain important features of the program will not function correctly.

Once you have Hijackthis running from a permanent folder, please reboot and post a new hijackthis log.

#3
James_mac
    New Member
  • Topic Starter
  • Member
  • 5 posts
Hi Sam

Thanks for having a look at my computer's problem. I have removed the hijackthis and downloaded it and reinstalled it in its own folder as instructed.

This is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 22:04:13, on 04/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cuvco.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cuvco.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fastmail.fm/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cuvco.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cuvco.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cuvco.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\euudr.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://product.corel...=tutorial&ver=8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {F9B855F1-C37E-F3A9-43FE-89E50B8A6AA5} - C:\WINDOWS\netqu32.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_18_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [WinLogin] win32x.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [appyk32.exe] C:\WINDOWS\appyk32.exe
O4 - HKLM\..\Run: [ipmn32.exe] C:\WINDOWS\ipmn32.exe
O4 - HKLM\..\Run: [mfcqr32.exe] C:\WINDOWS\mfcqr32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\d3hg32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe


cheers

James
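As an added example for this thread (not HijackThis code and not the poster's or the helper's), here is a small rule-based triage of HijackThis 1.99 lines like the ones in the log above. The rules encode the reasoning visible in the next reply's "Fix checked" list: IE search settings that resolve to a local DLL via `res://`, a missing default URLSearchHook, BHOs and services whose file is missing, and autorun entries whose executable sits directly in `C:\WINDOWS`. Autoruns that name a bare executable with no path are reported as "review" rather than "flag", because that shape covers both the look-alikes `Win86.exe` and `winlogin.exe`, which the reply fixes, and the ATI driver's `Ati2mdxx.exe`, which it leaves alone. The sample lines are copied from the log above; the severity labels, rule wording and function names are this example's own.

```python
"""Rule-based triage of HijackThis 1.99 log lines.

Added example; not HijackThis code and not the thread's own.  The sample
lines are copied from the log posted in the thread.  The rules encode the
pattern visible in the expert's later "Fix checked" list and are this
example's own; 'review' findings need a human decision.
"""
import re

# Lines copied from the posted log (a representative subset).
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cuvco.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fastmail.fm/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\euudr.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Class - {F9B855F1-C37E-F3A9-43FE-89E50B8A6AA5} - C:\WINDOWS\netqu32.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [appyk32.exe] C:\WINDOWS\appyk32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - Global Startup: winlogin.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\d3hg32.exe" /s (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

HJT_LINE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.+)$")
# An executable that sits directly in C:\WINDOWS (no subdirectory), optionally quoted.
WINDOWS_ROOT_EXE = re.compile(r'^"?C:\\WINDOWS\\[^\\"]+\.exe\b', re.IGNORECASE)
# A bare file name with no directory at all.
BARE_EXE = re.compile(r"^[\w.-]+\.exe$", re.IGNORECASE)


def _autorun_target(body):
    """'HKLM\\..\\Run: [Name] target' or 'Global Startup: target' -> 'target'."""
    parts = body.split(": ", 1)
    if len(parts) < 2:
        return ""
    return re.sub(r"^\[[^\]]*\]\s*", "", parts[1])


def triage_line(line):
    """Return (severity, reason) for a suspicious line, else None."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    kind, body = m["kind"], m["body"]

    if kind in ("R0", "R1"):
        value = body.split(" = ", 1)[1] if " = " in body else ""
        if value.startswith("res://"):
            return ("flag", "IE search/start setting resolves to a local DLL resource via res://")
        if "Default_Page_URL" in body and value == "about:blank":
            # The thread's fix list treats this as part of the same hijack.
            return ("flag", "Default_Page_URL reset to about:blank")
        return None
    if kind == "R3" and "is missing" in body:
        return ("flag", "default URLSearchHook has been removed")
    if kind == "O2":
        if "(file missing)" in body or body.startswith("BHO: Class -"):
            return ("flag", "BHO with a generic name or a missing file")
        return None
    if kind == "O4":
        target = _autorun_target(body)
        if WINDOWS_ROOT_EXE.match(target):
            return ("flag", "autorun executable sits directly in C:\\WINDOWS")
        if BARE_EXE.match(target):
            return ("review", "autorun names a bare executable with no path; confirm on disk")
        return None
    if kind == "O23":
        if "(file missing)" in body:
            return ("flag", "service binary is missing")
        if "Unknown owner" in body and re.search(r"C:\\WINDOWS\\[^\\]+\.exe", body, re.IGNORECASE):
            return ("flag", "service with no vendor whose binary sits directly in C:\\WINDOWS")
        return None
    return None


def triage(text):
    """Run triage_line over a whole log; returns a list of finding dicts."""
    findings = []
    for line in text.splitlines():
        verdict = triage_line(line)
        if verdict:
            severity, reason = verdict
            findings.append({"line": line.strip(), "severity": severity, "reason": reason})
    return findings


def by_severity(findings):
    """Group finding lines under 'flag' and 'review'."""
    out = {"flag": [], "review": []}
    for f in findings:
        out[f["severity"]].append(f["line"])
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"[{f['severity']:6}] {f['reason']}\n         {f['line']}")
```

This is a recall tool, not a verdict: for the sampled lines everything the next reply marks for fixing lands in "flag" or "review", and the Symantec, Google and ATI entries do not, but the "review" items still need the call the helper makes by hand, since a bare autorun name is equally consistent with a driver component and with a look-alike dropped into the Windows directory.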

#4
Buckeye_Sam
    Malware Expert
  • Member
  • 10,019 posts
We are going to need some tools to remove this infection. Please download, install, and update any of these programs that you don't already have. Do not run any of them yet.

Please make sure that you can View Hidden Files
  • Click Start -> My Computer
  • Select Tools -> Folder options
  • Select the View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled.
  • Also make sure that 'Display the contents of system folders' is checked.
  • For more info on how to show hidden files click here.

If you have problems with any of these steps make a note of the problem and then continue on to the next step. Let me know of any problems in your next reply. Much of this fix has to be performed in Safe Mode where you won't be able to access the Internet.

Please print out these instructions.


Please reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
* If you have trouble getting into Safe Mode, go here for more info.


=============

Once in Safe mode follow these steps:
  • Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cuvco.dll/sp.html#37049
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cuvco.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\cuvco.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cuvco.dll/sp.html#37049
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cuvco.dll/sp.html#37049
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\euudr.dll/sp.html#37049
    R3 - Default URLSearchHook is missing
    O2 - BHO: Class - {F9B855F1-C37E-F3A9-43FE-89E50B8A6AA5} - C:\WINDOWS\netqu32.dll (file missing)
    O4 - HKLM\..\Run: [WinInit] Win86.exe
    O4 - HKLM\..\Run: [WinLogin] win32x.exe
    O4 - HKLM\..\Run: [appyk32.exe] C:\WINDOWS\appyk32.exe
    O4 - HKLM\..\Run: [ipmn32.exe] C:\WINDOWS\ipmn32.exe
    O4 - HKLM\..\Run: [mfcqr32.exe] C:\WINDOWS\mfcqr32.exe
    O4 - Global Startup: winlogin.exe
    O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\d3hg32.exe" /s (file missing)
  • Next run CWShredder, making sure to click "Fix".


  • Double-click AboutBuster.exe that you downloaded earlier. Click OK, click Start, then click OK. This will scan your computer for the bad files and delete them. Save the report (copy and paste it into Notepad or WordPad and save as a .txt file) and post a copy back here when you are done with all the steps.

  • Run Ewido:
    • Click on scanner
    • Click Complete System Scan and the scan will begin.
    • During the scan it will prompt you to clean files, click OK
    • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop
    • Close Ewido


  • Finally run a full scan with Adaware.


Reboot your computer to go back to normal mode and post a new HijackThis log, the Ewido log, and the log from AboutBuster.
* If the Ewido log is too large to post please attach it to your next reply so that I can still review it.
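As an added example (mine, not from the thread and not HijackThis code), the script below parses HJT log lines and flags the kinds of entries Sam picked out in the Fix Checked list above: an IE search setting that resolves to a res:// page inside a local DLL, a BHO or service whose file is missing, a Run entry that unregisters a DLL or runs an executable sitting directly in C:\WINDOWS, a bare .exe dropped into a Startup folder, and a service with a garbled name. The sample lines are copied from the log posted in this thread; a few legitimate entries are kept in to show they pass.

```python
"""Triage HijackThis v1.99.1 log lines for the hijack patterns seen in this thread.
Added example, not from the original post or from HijackThis; "review" hits still need a human decision.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Every HJT entry is "<section> - <rest>", e.g. "O4 - HKLM\..\Run: [name] cmd".
SECTION_RE = re.compile(r"^(?P<sec>[RO]\d{1,2}) - (?P<rest>.*)$")
# res:// URL resolving into a DLL on a local drive: the search-page hijack seen above.
RES_LOCAL_DLL_RE = re.compile(r"res://[A-Za-z]:\\[^ ]*\.dll/", re.IGNORECASE)
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<target>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# An executable sitting directly in the Windows directory (not System32).
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+\.exe$", re.IGNORECASE)
# Service display names are normally letters, digits, spaces and ()-._ only.
SAFE_SERVICE_NAME_RE = re.compile(r"^[\w .()\-]+$")


@dataclass
class Finding:
    section: str   # HJT section, e.g. "R1", "O4", "O23"
    severity: str  # "high" (fix it) or "review" (needs a human look)
    reason: str
    line: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for one HJT line, or None when nothing stands out."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    sec, rest = m.group("sec"), m.group("rest")
    if sec in ("R0", "R1"):
        # Shape: "<hive>\...\Main,<value name> = <data>"
        key, _, data = rest.partition(" = ")
        if RES_LOCAL_DLL_RE.search(data):
            return Finding(sec, "high", "IE search/start setting points into a local DLL", line)
        if not data.strip() and "Start Page" in key:
            return Finding(sec, "review", "empty Start Page value, often left by a hijack", line)
        return None
    if sec == "R3" and "URLSearchHook is missing" in rest:
        return Finding(sec, "review", "default URLSearchHook has been removed", line)
    if sec == "O2" and "(file missing)" in rest:
        return Finding(sec, "high", "BHO still registered but its DLL is gone", line)
    if sec == "O4":
        run = RUN_RE.match(rest)
        if run:
            cmd = run.group("cmd").strip().strip('"')
            lowered = cmd.lower()
            if lowered.startswith("regsvr32 ") and " /u" in lowered:
                return Finding(sec, "high", "Run entry unregisters a DLL at every logon", line)
            if WINDIR_ROOT_RE.match(cmd):
                return Finding(sec, "high", "executable placed directly in the Windows directory", line)
            if "\\" not in cmd:
                return Finding(sec, "review", "Run entry gives no path; confirm the binary", line)
            return None
        startup = STARTUP_RE.match(rest)
        if startup and ".lnk" not in startup.group("target").lower():
            # Startup folders normally hold shortcuts; here a bare .exe was dropped in.
            return Finding(sec, "high", "executable dropped directly into a Startup folder", line)
        return None
    if sec == "O23":
        svc = SERVICE_RE.match(rest)
        if svc:
            name, owner, path = svc.group("name"), svc.group("owner"), svc.group("path")
            if not SAFE_SERVICE_NAME_RE.match(name):
                return Finding(sec, "high", "service with a garbled/unprintable name", line)
            if owner == "Unknown owner" and "(file missing)" in path:
                return Finding(sec, "high", "unowned service whose binary is missing", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify() over a whole pasted log and keep the hits, in log order."""
    return [f for f in map(classify, log_text.splitlines()) if f is not None]


# Sample input: lines copied from the log posted in this thread, with legitimate
# entries (Google toolbar, ctfmon, a Symantec service) kept in to show they pass.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cuvco.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fastmail.fm/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {F9B855F1-C37E-F3A9-43FE-89E50B8A6AA5} - C:\WINDOWS\netqu32.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WinInit] Win86.exe
O4 - HKLM\..\Run: [appyk32.exe] C:\WINDOWS\appyk32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Remote Procedure Call (RPC) Helper ( 11F#`I) - Unknown owner - C:\WINDOWS\d3hg32.exe" /s (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}\n    {f.line}")
```

Bare-filename Run entries are only marked "review" because legitimate vendor components (the ATI and modem entries in the same log) look identical at this level; the decision there still rests with whoever reads the log.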

#5
James_mac
    New Member, Topic Starter

Hi Sam

I have gone through the procedures as you advised. There were some problems, however.

1. AboutBuster would not run or find updates. It unzipped fine but would keep coming up with "run time error 5 invalid procedure, call or argument". I tried deleting it and downloading it a couple of times, never with any luck.

2. When I ran HijackThis in Safe Mode I didn't find all of the lines you wanted me to check for removal. The first two in your list and the line beginning with R3 were not there.

So anyway, this is my new HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 10:17:05, on 08/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\PROGRA~1\Internet\icc\icc2000.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cuvco.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cuvco.dll/sp.html#37049
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fastmail.fm/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://product.corel...=tutorial&ver=8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_18_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F3E18C94-FE09-4506-ADA9-3FE713443068}: NameServer = 80.225.252.50 80.225.252.58
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

I have put the ewido scan log in the attachments (the formatting went strange in .txt, so I have pasted it into Word, where it is a bit more readable).

Thanks again

James

#6
Buckeye_Sam
    Malware Expert

Ewido may have taken care of enough of it so that AboutBuster is not needed. Please disable Spyware Guard for this fix as it may interfere.

Run HijackThis again, click Scan, and put a checkmark next to each of these. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\cuvco.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cuvco.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: winlogin.exe
Please run at least two of these online scans.
Make sure they are set to clean automatically.

Panda Virus Scan

Bit Defender

TrendMicro Housecall

There may be files that these scans will not remove. Please include that information in your next post.


Reboot and post a new HijackThis log and the info from your virus scans.

#7
James_mac
    New Member, Topic Starter

Hi Sam

It's getting there I think.

I removed the ones you told me to, except for
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
which did not appear.

I've done two online scans and posted the results. Also attached is the HJT log.

Cheers

James

Bit Defender summary:

Backdoor.Netag.B: 3
Trojan.Java.Classloader.Dummy.A: 8
JS.Exploit.DialogArg.B: 6
Trojan.Downloader.Agent.UO: 22
Exploit.Html.MhtRedir.Gen: 21
Trojan.Downloader.PN: 3
Trojan.Downloader.Agent.EA: 4
Trojan.Startpage.KB: 2
Java.Trojan.Exploit.Bytverify: 16
Trojan.Agent.BI: 2823
Trojan.Downloader.Small.RK: 2
Trojan.Downloader.Agent.BQ: 408
GenPack:Trojan.Agent.BI: 142
Trojan.Spy.Banker.IB: 2
Exploit.Phel.Gen: 3
Trojan.Agent.IU: 1
GenPack:Trojan.Downloader.Agent.BQ: 57
Trojan.Downloader.Small.WV: 5
Trojan.Exploit.Java.Bytverify: 7
Application.Adware.180solutions.A: 1
Trojan.Agent.IF: 1
Trojan.Dialer.CE: 2
Trojan.Java.ClassLoader.C: 4
Trojan.Downloader.Winshow.AK: 104
Trojan.Java.ClassLoader.D: 4

House call virus report

Results:
We have detected 4 infected file(s) with 4 virus(es) on your computer. Only 0 out of 0 infected files are displayed.
Detected File Associated Virus Name
C:\Documents and Settings\James\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv101.jar-77bf84d4-57e5c6b5.zip
- Dummy.class JAVA_BYTEVER.A
C:\Documents and Settings\James\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv314.jar-5ed3b975-72ef0be4.zip
- Dummy.class JAVA_BYTEVER.A
C:\Documents and Settings\James\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv342.jar-63d61450-72d40239.zip
- Dummy.class JAVA_BYTEVER.A
C:\Documents and Settings\James\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv64.jar-15563ff0-5eadbbf2.zip
- Dummy.class JAVA_BYTEVER.A


spyware report

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 1 spyware(s) on your computer. Only 0 out of 0 spywares are displayed.
Spyware Name Spyware Type
SPYW_FPTLBAR.100 Spyware

vulnerability

Results:
We have detected 1 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level Issue How to Fix
Important A vulnerability in ASP.NET allows an attacker to bypass the security of an ASP.NET Web site, and access a machine. The attacker gains unauthorized access to some areas of the said Web site, and is able to control it accordingly. The actions that the attacker could take would depend on the specific content being protected. MS05-004

Virus Scan 0 virus cleaned, 4 viruses deleted


Results:
We have detected 4 infected file(s) with 4 virus(es) on your computer. Only 0 out of 0 infected files are displayed: - 0 virus(es) passed, 0 virus(es) no action available
- 0 virus(es) cleaned, 0 virus(es) uncleanable
- 4 virus(es) deleted, 0 virus(es) undeletable
- 0 virus(es) not found, 0 virus(es) unaccessible
Detected File Associated Virus Name Action Taken
C:\Documents and Settings\James\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv101.jar-77bf84d4-57e5c6b5.zip
- Dummy.class JAVA_BYTEVER.A Deletion successful
C:\Documents and Settings\James\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv314.jar-5ed3b975-72ef0be4.zip
- Dummy.class JAVA_BYTEVER.A Deletion successful
C:\Documents and Settings\James\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv342.jar-63d61450-72d40239.zip
- Dummy.class JAVA_BYTEVER.A Deletion successful
C:\Documents and Settings\James\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv64.jar-15563ff0-5eadbbf2.zip
- Dummy.class JAVA_BYTEVER.A Deletion successful
Trojan/Worm Check 0 worm/Trojan horse deleted

What we checked:
Malicious activity by a Trojan horse program. Although a Trojan seems like a harmless program, it contains malicious code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your computer. Only 0 out of 0 Trojan horse programs and worms are displayed: - 0 worm(s)/Trojan(s) passed, 0 worm(s)/Trojan(s) no action available
- 0 Worm(s)/Trojan(s) deleted, 0 worm(s)/Trojan(s) undeletable
Trojan/Worm Name Trojan/Worm Type Action Taken
Spyware Check 1 spyware program removed

What we checked:
Whether personal information was tracked and reported by spyware. Spyware is often installed secretly with legitimate programs downloaded from the Internet.
Results:
We have detected 1 spyware(s) on your computer. Only 0 out of 0 spywares are displayed: - 0 spyware(s) passed, 0 spyware(s) no action available
- 1 spyware(s) removed, 0 spyware(s) unremovable
Spyware Name Spyware Type Action Taken
SPYW_FPTLBAR.100 Spyware Removal successful
Microsoft Vulnerability Check 1 vulnerability detected

What we checked:
Microsoft known security vulnerabilities. These are issues Microsoft has identified and released Critical Updates to fix.
Results:
We have detected 1 vulnerability/vulnerabilities on your computer. Only 0 out of 0 vulnerabilities are displayed.
Risk Level Issue How to Fix
Important A vulnerability in ASP.NET allows an attacker to bypass the security of an ASP.NET Web site, and access a machine. The attacker gains unauthorized access to some areas of the said Web site, and is able to control it accordingly. The actions that the attacker could take would depend on the specific content being protected. MS05-004
Logfile of HijackThis v1.99.1
Scan saved at 20:33:09, on 09/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fastmail.fm/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://product.corel...=tutorial&ver=8
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_18_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe

#8
James_mac
    New Member, Topic Starter

Sorry - attachment didn't attach

#9
Buckeye_Sam
    Malware Expert

I see one more issue that still needs to be taken care of.

Fix this line with HijackThis.

O4 - Global Startup: winlogin.exe



Download KillBox and unzip it to your desktop.

Open Killbox and select the Delete on reboot option.
Place a checkmark next to "Use dummy".
Copy and paste the following file to the field labeled "Full path of file to delete"

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

Press the Delete button (the button that looks like a red circle with a white X in it).
A first dialog box will ask if you want to delete the file on reboot, press the YES button.
A second dialog box will ask you if you want to REBOOT now. Press the YES button.

Your computer will reboot.


Please post a new HijackThis log and let me know how things are on your end.

#10
Buckeye_Sam
    Malware Expert

Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.