Help with lkcoexx.exe, rxyypyh.exe, and command.exe [RESOLVED]



#1 stoneduck (Member, 13 posts)

OK, for my last post I didn't follow directions very well, so here is my new log after following the directions. If someone can help me with this I would very much appreciate it.

Logfile of HijackThis v1.99.1
Scan saved at 12:12:04 AM, on 11/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\MQ\command.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\WINDOWS\rxyypyh.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\lkcoexx.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\1\LOCALS~1\Temp\Rar$EX00.859\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll (file missing)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nso14.dll
O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - C:\WINDOWS\system32\irasetnh.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsi6.dll
O2 - BHO: (no name) - {A088048C-F887-E62C-2A1D-0DCD0AABFCF8} - C:\WINDOWS\almthiia.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
O3 - Toolbar: Search - {61EF40EA-0F0E-0088-BF5E-BF422C605F00} - C:\WINDOWS\almthiia.dll
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [rxyypyh] C:\WINDOWS\rxyypyh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .m3u: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homes...ive/HS_live.cab
O16 - DPF: {07E9CDF4-20D2-46B1-B681-663968F527CE} - http://www.begin2sea...ar/winb2s32.cab
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoft...s/AvDetInst.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...Bridge-c139.cab
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia...ll/pcs_0031.exe
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} - http://www.miniclip....pGameLoader.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by2fd.bay2.ho...es/MsnPUpld.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...n/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave...mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A3ECD8B-8740-45C4-96AB-9E7C48482019}: NameServer = 172.16.1.103
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\MQ\command.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\lkcoexx.exe

Edited by stoneduck, 09 November 2005 - 11:36 PM.

#2 miekiemoes (Malware Expert, MVP, 5,503 posts)

Hello,

It's better to print out the next instructions or save them in Notepad, because you also have to work in Safe Mode without networking support, so this page won't be available then.
It is also important that you don't miss a step and perform everything in the right order!

First of all, you didn't extract HijackThis, so it's still in your temp folder. Please extract HijackThis (right-click on it and choose Extract) and save it to a permanent place such as C:\ or Program Files.

* Go via Start > Control Panel > Software > Add/Remove Programs and uninstall:

Windows Overlay Components

REBOOT afterwards!!

* Please set your system to show all files; please see here if you're unsure how to do this. This is really necessary, because you won't be able to find some files otherwise to delete.

* Download and install CCleaner
Do not use it yet.

* Please download ewido:
http://www.ewido.net/en/download/
Let it update, but don't let it scan yet!!

* Reboot into Safe Mode (without networking support!):
° To get into Safe Mode, as the computer is booting press and hold your "F8" key. Use your arrow keys to move to "Safe Mode" and press your Enter key.


* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: Band Class - {0007522A-2297-43C1-8EB1-C90B0FF20DA5} - C:\WINDOWS\enhtb.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nso14.dll
O2 - BHO: IRiras Class - {95C60327-8E17-44D6-98EB-7EB70CC606DD} - C:\WINDOWS\system32\irasetnh.dll
O2 - BHO: ohb - {9ADE0443-2AB2-4B23-A3F8-AC520773DE12} - C:\WINDOWS\system32\nsi6.dll
O2 - BHO: (no name) - {A088048C-F887-E62C-2A1D-0DCD0AABFCF8} - C:\WINDOWS\almthiia.dll
O3 - Toolbar: Search - {61EF40EA-0F0E-0088-BF5E-BF422C605F00} - C:\WINDOWS\almthiia.dll
O4 - HKLM\..\Run: [rxyypyh] C:\WINDOWS\rxyypyh.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {07E9CDF4-20D2-46B1-B681-663968F527CE} - http://www.begin2sea...ar/winb2s32.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...Bridge-c139.cab
O16 - DPF: {26098EA2-C95D-48EA-89B4-63C5A63BD42F} - http://www.pacimedia...ll/pcs_0031.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150...tzip/RdxIE2.cab
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://www.shockwave...mjolauncher.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\MQ\command.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\lkcoexx.exe


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\WINDOWS\MQ <== folder
C:\WINDOWS\rxyypyh.exe
C:\WINDOWS\lkcoexx.exe
C:\WINDOWS\offun.exe

* Still in Safe Mode, start CCleaner:
Click "Options", click the "Advanced" tab
Uncheck "Only delete files older than 48 hrs.", click OK
Click "Cleaner" and click Run Cleaner (bottom right)

* Open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Close Ewido

* Reboot your system back to normal mode.

Post back a fresh HijackThis log and the log from ewido so I can take another look.
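The reply above picks entries out of the HijackThis log by a few recurring patterns: O4 autoruns and O2 BHOs whose file sits loose in C:\WINDOWS under a meaningless name (rxyypyh.exe, almthiia.dll), O23 services reported as "Unknown owner", a site added to the IE Trusted Zone (O15), and O16 ActiveX downloads from a bare IP address. The script below is an added example, not part of the original thread and not HijackThis's own code: it encodes those heuristics as a triage pass and runs them over a constructed subset of the log posted in this thread. The section regexes, the "loose in C:\WINDOWS" rule and the function names are this example's own assumptions, and a hit is a reason to look closer, not a verdict.

```python
"""Added example: triage a HijackThis v1.99.1 log for common persistence indicators.

Not from the thread or from HijackThis; the heuristics below are this example's own.
"""
import re
from typing import List, Tuple

# Legitimate components live in System32 or Program Files; a file dropped directly
# into C:\WINDOWS with a random name is the pattern the cleanup above targets.
WINDIR = r"c:\windows"

# Line shapes for the HijackThis sections this triage inspects (assumed, from the log format).
O4_RE = re.compile(r'^O4 - .*?\\Run: \[(?P<name>[^\]]*)\] "?(?P<path>[^"]+?\.(?:exe|dll))"?', re.I)
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-F-]+\} - (?P<path>.+)$", re.I)
O16_RE = re.compile(r"^O16 - DPF: .* - (?P<url>\S+)$")
IP_HOST_RE = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)")

# Constructed sample: a subset of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {A088048C-F887-E62C-2A1D-0DCD0AABFCF8} - C:\WINDOWS\almthiia.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [rxyypyh] C:\WINDOWS\rxyypyh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {666DDE35-E955-11D0-A707-000000521958} - http://69.56.176.227/webplugin.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\MQ\command.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


def in_windir_root(path: str) -> bool:
    """True when the file sits directly in the Windows directory, not System32 or a subfolder."""
    clean = path.strip().strip('"').lower()
    head, _, tail = clean.rpartition("\\")
    return head == WINDIR and bool(tail)


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for log entries that match the triage heuristics."""
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            # Autorun whose executable was dropped loose in C:\WINDOWS (rxyypyh.exe).
            if in_windir_root(m["path"]):
                findings.append(("O4 autorun executable directly in C:\\WINDOWS", line))
        elif m := O23_RE.match(line):
            # Service with no vendor string, or whose binary lives loose in C:\WINDOWS.
            if m["owner"].strip().lower() == "unknown owner" or in_windir_root(m["path"]):
                findings.append(("O23 service with unknown owner or C:\\WINDOWS binary", line))
        elif m := O2_RE.match(line):
            # BHO that hides its name or loads from C:\WINDOWS itself (almthiia.dll).
            if m["name"].strip() == "(no name)" or in_windir_root(m["path"]):
                findings.append(("O2 BHO with no name or loaded from C:\\WINDOWS", line))
        elif m := O16_RE.match(line):
            # ActiveX control fetched from a bare IP rather than a vendor hostname.
            if IP_HOST_RE.match(m["url"]):
                findings.append(("O16 ActiveX control downloaded from a bare IP", line))
        elif line.startswith("O15 - Trusted Zone:"):
            # Anything in IE's Trusted Zone runs with relaxed security for that site.
            findings.append(("O15 site added to the IE Trusted Zone", line))
    return findings


def flagged_lines(log_text: str) -> List[str]:
    """Only the log lines, in HijackThis order, i.e. the candidate 'Fix checked' list."""
    return [line for _, line in triage(log_text)]


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

On the sample the five flagged entries are exactly the ones the reply above tells the user to fix, while realsched.exe (Program Files, vendor name) and nvsvc32.exe (System32, NVIDIA) pass. The checks deliberately key on where a file lives and who claims it rather than on the random filename, since the names change from infection to infection but the drop location and the missing vendor string do not.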

#3 stoneduck (Topic Starter, Member, 13 posts)

OK, when I went to Add/Remove Programs and tried to remove Windows Overlay Components I got an error message: Run-time Error '53' File not found. Assuming that it was removed at an earlier time, I went ahead with the instructions and had a MASSIVE cleanout, so here are the logs. I also saw a ycpork.exe in there somewhere; is that supposed to be running too?

Logfile of HijackThis v1.99.1
Scan saved at 3:09:20 AM, on 11/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\ycpork.exe reg_run
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .m3u: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homes...ive/HS_live.cab
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoft...s/AvDetInst.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} - http://www.miniclip....pGameLoader.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by2fd.bay2.ho...es/MsnPUpld.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...n/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A3ECD8B-8740-45C4-96AB-9E7C48482019}: NameServer = 172.16.1.103
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\MQ\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

here is the log from my ewido, it's going to be big......

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:53:39 AM, 11/11/2005
+ Report-Checksum: 34E9522F

+ Scan result:

HKLM\SOFTWARE\Classes\AppID\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D22AC3EF-B7D8-11d5-A281-005056BF0101} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{4A0F42B7-A61B-4131-BF41-BF05A2635BFD} -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{4A0F42B7-A61B-4131-BF41-BF05A2635BFD}\TypeLib\\ -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6D7D135E-F7C2-4A27-A87C-C0DFEB3A628F}\TypeLib\\ -> Spyware.AdultLinks : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9DBDD71C-0A7F-48AC-9FFA-E102B3750B9D} -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9DBDD71C-0A7F-48AC-9FFA-E102B3750B9D}\TypeLib\\ -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C2E56E18-2F04-4AB9-9333-B2DB3C350956} -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C2E56E18-2F04-4AB9-9333-B2DB3C350956}\TypeLib\\ -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D1320CBB-403D-483D-AE9A-688960A96977} -> Spyware.AdultLinks : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D1320CBB-403D-483D-AE9A-688960A96977}\TypeLib\\ -> Spyware.AdultLinks : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{E9CBBEED-20B6-456C-8589-CF364D9D2370} -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{E9CBBEED-20B6-456C-8589-CF364D9D2370}\TypeLib\\ -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{F8C5EA77-7D72-405C-B90A-093655B0F544} -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{F8C5EA77-7D72-405C-B90A-093655B0F544}\TypeLib\\ -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\POP.Loader\CLSID\\ -> Spyware.PeopleOnPage : Cleaned with backup
HKLM\SOFTWARE\Classes\QaBar -> Spyware.Adultlinks : Cleaned with backup
HKLM\SOFTWARE\Classes\QaBar\CLSID -> Spyware.Adultlinks : Cleaned with backup
HKLM\SOFTWARE\Classes\QaBar\CLSID\\ -> Spyware.AdultLinks : Cleaned with backup
HKLM\SOFTWARE\Classes\QaBar\CurVer -> Spyware.Adultlinks : Cleaned with backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer\CLSID -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/activeinstaller.dll\\.Owner -> Spyware.RapidBlaster : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/activeinstaller.dll\\{F0AA2376-F073-4E57-86E8-0238F99087C7} -> Spyware.RapidBlaster : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/BridgeX.dll\\.Owner -> Spyware.WinFavorites : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/BridgeX.dll\\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.5/HDPlugin1015.dll\\.Owner -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.5/HDPlugin1015.dll\\{DBAE7000-01EC-4162-8FEB-8A27AC937CA0} -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1018.dll\\.Owner -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1018.dll\\{DBAE7000-01EC-4162-8FEB-8A27AC937CA0} -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll\\.Owner -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll\\{EF86873F-04C2-4A95-A373-5703C08EFC7B} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/PdpPlugin5094.dll\\.Owner -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/PdpPlugin5094.dll\\{C7B05B62-C8D7-438C-840B-4994DAAA8EEE} -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/QDow_AS2.dll\\.Owner -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/QDow_AS2.dll\\{87067F04-DE4C-4688-BC3C-4FCF39D609E7} -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/IEAccess2.dll\\.Owner -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/IEAccess2.dll\\{1D2DCA0D-B30F-40AD-9690-087105F214EC} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/ObjSafe.tlb\\.Owner -> Spyware.Roimoi : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/ObjSafe.tlb\\{E0CE16CB-741C-4B24-8D04-A817856E07F4} -> Spyware.Roimoi : Cleaned with backup
HKLM\SOFTWARE\Wast -> Spyware.BroadCastPC : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0007522A-2297-43C1-8EB1-C90B0FF20DA5} -> Spyware.ShopNav : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{00000000-F09C-02B4-6EC2-AD0300000000} -> Spyware.Transponder : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{FAA356E4-D317-42A6-AB41-A3021C6E7D52} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-59D4-4008-9058-080011001200} -> Spyware.VX2 : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-C1EC-0345-6EC2-4D0300000000} -> Spyware.Transponder : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000000-F09C-02B4-6EC2-AD0300000000} -> Spyware.Transponder : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0007522A-2297-43C1-8EB1-C90B0FF20DA5} -> Spyware.ShopNav : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01F44A8A-8C97-4325-A378-76E68DC4AB2E} -> Spyware.IEPlugin : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740} -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{7C559105-9ECF-42B8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{E0CE16CB-741C-4B24-8D04-A817856E07F4} -> Spyware.Roimoi : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EEF29D20-9A47-4657-ADF7-283EC2504001} -> Spyware.i-Lookup : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FAA356E4-D317-42A6-AB41-A3021C6E7D52} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\share_bwp -> Spyware.BigWebPortal : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\share_bwp\ffffaaa -> Spyware.BigWebPortal : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\share_bwp\iiii -> Spyware.BigWebPortal : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\share_bwp\kkkk -> Spyware.BigWebPortal : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\share_bwp\pppp -> Spyware.BigWebPortal : Cleaned with backup
HKU\S-1-5-21-1270689400-1815002781-3652652152-1005\Software\share_bwp\ssss -> Spyware.BigWebPortal : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Error during cleaning
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0007522A-2297-43C1-8EB1-C90B0FF20DA5} -> Spyware.ShopNav : Cleaned with backup
C:\WINDOWS\system32\xctbn.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\dlldate.exe -> Not-A-Virus.DoS.Sima : Cleaned with backup
C:\WINDOWS\system32\invbn.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\APD123.exe -> Spyware.Pacer : Cleaned with backup
C:\WINDOWS\system32\rastmon.dll -> Spyware.SafeSurfing : Cleaned with backup
C:\WINDOWS\system32\MTE2ODM6ODoxNg.exe -> Spyware.ISearch : Cleaned with backup
C:\WINDOWS\system32\winenc32.dll -> TrojanSpy.Globar.d : Cleaned with backup
C:\WINDOWS\iedisco.exe -> TrojanDownloader.Calldal : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\HDPlugin1015.dll -> Spyware.Browsertoolbar : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.RiskWare.Downloader.PopCap.a : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\YSBactivex.dll -> TrojanDownloader.IstBar : Cleaned with backup
C:\WINDOWS\enhupdt.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\WINDOWS\enhuninstall.exe -> Spyware.NoName : Cleaned with backup
C:\WINDOWS\dr_uninstall.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\bsx32 -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3KAN6.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3CREDITCARD.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3SPORTSINT.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\EECH1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3FREEXBOX.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASISSRE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3FREEIPOD2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3KAN11.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3KAN1.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3NETFLIX2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3HYDRO.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3DIRTYH.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3PASSION.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3LMORON.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3PCHSWEEPS.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3AMERS.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3PARTYPOKER.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3MYDISH.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\SPECAUTO.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3FREEIPOD.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3CHRISMORT.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3CHOCPBMM.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3KAN2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPC.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3SUPERIOR.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3MYINKS.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3ENDOMET.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3LOWRATE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3WEIGHTL.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3LEXREPAIR.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3FREECS.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3CCB.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3CARQ.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3CARQ2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIPP.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3ACCUQ.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASICLRE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3KAN10.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIEPRE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3POP.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3ABSPLAT.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPMTV.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASIRCPRE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\bspace.html -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3ASKNOW2.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3KAN7.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPSHOP.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPG.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPD.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPN.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPJ.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPF.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPFIN.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPFAM.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPFI.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPH.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPHL.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPM.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPW.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPSP.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPR.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASISS2RE.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\SPZ3.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3HAIRLOSS.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\TMPS.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3KAN12.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\SPECENTER.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\bsx32\ASI3ODYSSEY.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\mhqohupk.exe -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\NetworkService\Cookies\system@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\NetworkService\Cookies\system@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Guest\Local Settings\Temp\mynut2.exe/enhupdt.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\Documents and Settings\Guest\Local Settings\Temp\DrTemp\mm_reco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Guest\Local Settings\Temp\DrTemp\thnall2r.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Guest\Local Settings\Temp\NVa03908\enhupdt.exe -> TrojanDownloader.Intexp.c : Cleaned with backup
C:\Documents and Settings\Guest\Local Settings\Temp\thnall1r.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Guest\Local Settings\Temp\randreco.exe -> Adware.BetterInternet : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@serving-sys[1].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@sel.as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@ads.pointroll[2].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@clubdicecasino[1].txt -> Spyware.Cookie.Clubdicecasino : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@banner.clubdicecasino[2].txt -> Spyware.Cookie.Clubdicecasino : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\303.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\351.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\366.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\352.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\367.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\353.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\368.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\354.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\369.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\355.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\36A.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\356.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\36B.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\357.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\36C.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\358.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\36D.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\359.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\36E.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\35A.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\36F.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\35B.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\370.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\35C.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\371.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\35D.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\372.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\35E.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\373.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\35F.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\374.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\360.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\375.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\361.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\376.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\362.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\377.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\363.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\378.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\364.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\379.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\365.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\37A.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\2.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\37B.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\4.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\5.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\6.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\37C.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\37D.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\37E.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\37F.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\26B.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\380.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\26C.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\26D.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\26E.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\26F.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\270.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\381.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\382.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\383.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\384.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\385.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\2E3.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\386.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\2E4.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3C7.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\387.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3C8.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\388.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3C9.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\389.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3CA.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\38A.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3CB.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\38B.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3CC.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\38C.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3CD.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\38D.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3CE.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\38E.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3CF.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\38F.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3D0.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\390.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\391.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3D1.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\392.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\393.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\394.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3D2.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3D3.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3D4.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3D5.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\395.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3D6.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\396.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3D7.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\397.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3D8.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\398.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3D9.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\399.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3DA.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\39A.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3DB.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\39B.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3DC.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\39C.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3DD.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\39D.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3DE.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\39E.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3DF.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\39F.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3E0.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3A0.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3E1.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3A1.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3E2.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3A2.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3E3.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3A3.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3E4.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3A4.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3E5.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3A5.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3E6.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3A6.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3E7.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3A7.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3E8.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3A8.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3E9.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3A9.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3EA.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3AA.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\43E.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3AB.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\43F.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3AC.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\440.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3AD.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\441.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3AE.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\442.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3AF.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\443.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3B0.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\444.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3B1.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\445.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3B2.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\446.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3B3.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\447.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3B4.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\448.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3B5.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\449.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3B6.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\44A.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3B7.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\44B.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3B8.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\44C.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3B9.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\44D.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3BA.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\44E.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3BB.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\44F.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3BC.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\450.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3BD.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\451.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3BE.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\452.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3BF.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\453.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3C0.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\454.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3C1.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\455.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3C2.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\456.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3C3.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\457.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3C4.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\458.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3C5.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\459.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\3C6.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\49A.tmp -> TrojanDownloader.Agent.bf : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\45A.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\49B.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\45B.tmp -> Spyware.CaptainCode : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\49C.tmp -> Spyware.CaptainCode : Cleaned with backup
C:&#
  • 0
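
The scan log above is long enough that its one entry that still needs attention, the `Error during cleaning` on the SideFind `CmdMapping` key, is easy to miss among the hundreds of BookedSpace files and quarantine-folder hits. As an added example, not part of the original post and not the scanner's own tooling, here is a small Python parser for this `object -> family : status` line format. It counts detections per family, separates registry objects from files, sets aside hits that sit inside another product's quarantine folder (those were already neutralized by PC-cillin and are not live infections), and reports anything not marked as cleaned. The sample input is constructed from a handful of lines copied from the log above, plus its truncated final line, to show how unparseable lines are handled.

```python
"""Triage an ewido-style anti-spyware scan log.

Each detection is one line of the form:
    <object> -> <classification> : <status>
where <object> is a registry path (HKU\\..., HKLM\\...) or a file path.
Added example; not part of the forum post or of the scanner.
"""
import re
from collections import Counter

# Constructed sample: lines copied from the posted log, plus its truncated tail.
SAMPLE_LOG = r"""
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Error during cleaning
C:\WINDOWS\system32\xctbn.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\winenc32.dll -> TrojanSpy.Globar.d : Cleaned with backup
C:\WINDOWS\bsx32\ASI3KAN6.bsx -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\mhqohupk.exe -> Spyware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\Trend Micro\PC-cillin 2000\QUARANTINE\303.tmp -> TrojanDownloader.Briss.a : Cleaned with backup
C:&#
"""

# Non-greedy object match: the object itself may contain spaces and braces,
# but never the literal " -> " separator.
LINE_RE = re.compile(r"^(?P<obj>.+?) -> (?P<family>\S+) : (?P<status>.+)$")
REGISTRY_PREFIXES = ("HKU\\", "HKLM\\", "HKCU\\", "HKCR\\", "HKEY_")


def parse_log(text):
    """Return (hits, unparsed). Each hit is a dict with object/family/status/kind."""
    hits, unparsed = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            # Truncated or garbled lines are kept, not silently dropped.
            unparsed.append(line)
            continue
        obj = m.group("obj")
        kind = "registry" if obj.upper().startswith(REGISTRY_PREFIXES) else "file"
        hits.append({"object": obj, "family": m.group("family"),
                     "status": m.group("status"), "kind": kind})
    return hits, unparsed


def summarize(hits):
    """Split the hits into what a responder acts on first.

    Returns (per-family counts, hits not marked cleaned, hits inside a
    quarantine folder). Quarantined objects were already neutralized by the
    other product and are noise, not live persistence.
    """
    by_family = Counter(h["family"] for h in hits)
    not_cleaned = [h for h in hits if not h["status"].startswith("Cleaned")]
    quarantined = [h for h in hits if "\\QUARANTINE\\" in h["object"].upper()]
    return by_family, not_cleaned, quarantined


def live_objects(hits):
    """Hits that were cleaned but are neither quarantine leftovers nor tracking
    cookies: the ones worth re-checking after a reboot."""
    return [h for h in hits
            if h["status"].startswith("Cleaned")
            and "\\QUARANTINE\\" not in h["object"].upper()
            and not h["family"].startswith("Spyware.Cookie.")]


if __name__ == "__main__":
    hits, unparsed = parse_log(SAMPLE_LOG)
    by_family, not_cleaned, quarantined = summarize(hits)
    print("detections per family:", dict(by_family))
    print("NOT cleaned:", [(h["kind"], h["object"]) for h in not_cleaned])
    print("quarantine leftovers:", len(quarantined))
    print("re-check after reboot:", [h["object"] for h in live_objects(hits)])
    print("unparsed lines:", unparsed)
```

On the full log above the "not cleaned" list is the first thing to act on: a registry key the scanner could not remove usually means a handle was still open on it, which is exactly why the follow-up reply moves the cleanup into Safe Mode.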

#4
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hello,

I see you're dealing with the apropos rootkit as well, so there are some extra steps needed..
But first perform next..

Go to start > run and copy and paste next command in the field:

sc delete cmdService

Click ok.

Let's deal with the rootkit now..

Please download AproposFix from here:
http://swandog46.gee.../aproposfix.exe

Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

It is really important that this is performed in Safe Mode, because in normal mode Windows doesn't see this infection.

Once in Safe Mode, please double-click aproposfix.exe.
This will create a new folder on your desktop called aproposfix.
Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode.

Download FindQoologic.zip save it to your Desktop.
http://downloads.sub...nd-Qoologic.zip

Extract (unzip) the files inside into their own folder called FindQoologic.
Read here how to unzip/extract properly:
http://metallica.gee...xplanation.html

Open the FindQoologic folder, preferably on your desktop.
Locate and double-click the Find-Qoologic.bat file to run it.
Choose option 1 for Run Findqoologic by typing 1 and pressing enter.
This will scan your system.
Wait until a text opens.
Post this in your next reply together with the entire contents of the log.txt file in the aproposfix folder.

#5 stoneduck (Topic Starter, Member, 13 posts)
Sorry for the delay but I was bogged down with work..... ok here are the logs..

apropos fix first..................................................

Log of AproposFix v1

************

Running from directory:
C:\Documents and Settings\1\Desktop\aproposfix

************

Registry entries found:

[HKEY_LOCAL_MACHINE\Software\CqXT8Aw6cS65]
@="b.z73.3LMMLMMNMFXxzlsC4LMMLbOMvhmcnvrMDJDE:7SRM.C3G:CDMz7.C. DDNDJD"
"Device"="\\\\.\\u8YaMTrj"
"DriverPath"="C:\\WINDOWS\\system32\\drivers\\amdrdbss.sys"
"DriverName"="Cdamidi"
"HideUninstallerName"="C:\\Program Files\\Intktime\\vfwtowiz.exe"
"UninstallerPath"="C:\\WINDOWS\\system32\\ir3ninet.exe"
"UninstallerRegKey"="HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\{AA96A124-AFA2-4191-B287-068B2B21E9B0}"
"UninstallerParams"="/CTUN"
"HDll"="C:\\WINDOWS\\system32\\pipiveds.dll"
"ServerAddress"="adchannel.contextplus.net"
"LegalNote"="http://adchannel.con...onbranded.html"
"PartnerId"="CP.IST2"
"InstallationId"="{Xd3daa30-c06f-0b22-bf1f-b2714dafe15e}"
"PageFiltering"=dword:00000001
"ClientName"="C:\\Program Files\\Intktime\\fortrust.exe"

************

Removing hidden service:
Service Cdamidi removed.

Removing hidden folder:
Deletion of folder Intktime succeeded!

Deleting files:

Deletion of file C:\WINDOWS\system32\drivers\amdrdbss.sys succeeded!
Deletion of file C:\WINDOWS\system32\qwinput8.exe succeeded!
Deletion of file C:\WINDOWS\system32\pipiveds.dll succeeded!
Deletion of file C:\WINDOWS\system32\ir3ninet.exe succeeded!

Backing up files:
Done!

Removing registry entries:

REGEDIT4

[-HKEY_CURRENT_USER\Software\CqXT8Aw6cS65]
[-HKEY_LOCAL_MACHINE\Software\CqXT8Aw6cS65]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AA96A124-AFA2-4191-B287-068B2B21E9B0}]

Done!

Finished!
.........................................................................................................................................................
next is the other log.


Check for missing files
.....
C:\WINDOWS\system32\AUTOEXEC.NT not there
.....
End check for missing files
.....
VXD Check
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers]
"VDD"=hex(7):00
.....
End vxd check
Please post this in the forum


...................................................................................................................................................

and now a hijackthis log just in case.

Logfile of HijackThis v1.99.1
Scan saved at 10:45:10 AM, on 11/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .m3u: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homes...ive/HS_live.cab
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoft...s/AvDetInst.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} - http://www.miniclip....pGameLoader.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by2fd.bay2.ho...es/MsnPUpld.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...n/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A3ECD8B-8740-45C4-96AB-9E7C48482019}: NameServer = 172.16.1.103
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe

#6 miekiemoes (Malware Expert, 5,503 posts, MVP)
Ok, one infection gone again. :tazz:

I see you got an error while running FindQoologic. To solve this, double-click FindQoologic.bat again and choose option 2 by typing 2 and pressing enter.
This will open your browser where you have to download the fix to restore this autoexec.nt error. Make sure you choose the right version for your system.
Then double-click FindQoologic.bat again and choose option 1 for Run Findqoologic by typing 1 and pressing enter.
This will scan your system.
Wait until a text opens.
Post this in your next reply.

#7 stoneduck (Topic Starter, Member, 13 posts)
Ok here is the new log.

Find Qoologic last edited 11/11/2005
Running from
C:\Documents and Settings\1\Desktop\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini

User Startup:
C:\Documents and Settings\1\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...

C:\WINDOWS\SYSTEM32\VGACTL.CPL
C:\WINDOWS\SYSTEM32\WUAUCLT.DLL
C:\WINDOWS\BQNWLP.DAT
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gxmktqtm]
@="{511b3ba6-5892-44b1-bb31-fe543b21c016}"

[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
.....
[HKEY_LOCAL_MACHINE\Software\qstat]
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]

#8 miekiemoes (Malware Expert, 5,503 posts, MVP)
Hello, first of all, open Notepad. On top, click Format > uncheck Word Wrap.

* Download Killbox.
Click killbox.exe.
Select the option "Delete on reboot".

Now copy the next bold part:

C:\WINDOWS\SYSTEM32\VGACTL.CPL
C:\WINDOWS\SYSTEM32\WUAUCLT.DLL
C:\WINDOWS\BQNWLP.DAT


Open 'File' in the Killbox menu on top and choose Paste from clipboard.

Now you will see, this is pasted in the "Full Path of File to Delete"-field.
There's a little arrow (dropdown-arrow) next to that field.
If you expand it, these lines must be there together if the files are present!

Then press the button that looks like a red circle with a white X in it.
When it asks if you would like to Reboot now, click NO
You'll see that the file will disappear from the 'Full Path of File to Delete' field..
Click again on the red circle with the white X in it.
When it asks if you would like to Reboot now, click NO again.
And again, you'll see that this file will disappear from the 'Full Path of File to Delete' field.
Perform this until all the files are gone from that field and the field is empty.
When the last file is gone, and killbox asks if you would like to Reboot now, click YES

Your computer must reboot now.

After reboot..

Open notepad and copy and paste next bold in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gxmktqtm]

[-HKEY_CLASSES_ROOT\CLSID\{511b3ba6-5892-44b1-bb31-fe543b21c016}]

[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]

[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]

[-HKEY_LOCAL_MACHINE\Software\qstat]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]


Save this as fix.reg. Choose to save as *all files and place it on your desktop.
This is how the regfix must look afterwards: [image]
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Run Findqoologic again (option 1) and post a new log in your next reply.
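One way to derive a fix.reg like the one in the post above from the SteelWerX section of the Find-Qoologic log, as an added example that is not part of this thread or of either tool. The rules it applies are assumptions drawn from the expert's fix: a listed hook key is deleted together with the CLSID its default value points at, lines the tool already prints as [-KEY] are copied through, and the tool's template placeholder and the legitimate Run key are skipped.

```python
"""
Build a REGEDIT4 removal script from the SteelWerX section of a
Find-Qoologic log, the way the fix.reg in the thread was derived by hand.

Added example, not part of the thread or of Find-Qoologic/SteelWerX.
Rules encoded here are assumptions drawn from the expert's fix:
  * a listed key whose default value (@=) is a CLSID is a shell
    extension hook: delete the hook key AND the CLSID key it loads;
  * lines the tool already prints as [-KEY] are copied through,
    except the tool's own template placeholder '{incert csdl here}';
  * legitimate Windows keys the tool prints as section headers
    (the HKLM Run key here) are never emitted.
"""
import re

# Constructed sample: the SteelWerX section of the log posted above,
# with the line wrapping introduced by the forum export undone.
SAMPLE_LOG = r"""SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\gxmktqtm]
@="{511b3ba6-5892-44b1-bb31-fe543b21c016}"

[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
.....
[HKEY_LOCAL_MACHINE\Software\qstat]
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]
"""

# "[KEY]" or "[-KEY]" as SteelWerX prints them; group 1 is the "-" flag.
KEY_RE = re.compile(r"^\[(-?)([A-Z_]+\\.+)\]$")
# Default-value line that follows a key: @="..."
DEFAULT_RE = re.compile(r'^@="(.*)"$')
# A braced GUID, the form a CLSID takes in the registry.
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Keys the tool lists only as headers; present on every XP box, never delete.
NEVER_DELETE = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run".lower(),
}
# Template text SteelWerX leaves in its output (see the log above).
PLACEHOLDER = "{incert csdl here}"


def parse_steelwerx(log_text):
    """Return [(key, already_marked_for_deletion, default_value_or_None)]."""
    entries = []
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = KEY_RE.match(line.strip())
        if not m:
            continue
        default = None
        if i + 1 < len(lines):
            d = DEFAULT_RE.match(lines[i + 1].strip())
            if d:
                default = d.group(1)
        entries.append((m.group(2), m.group(1) == "-", default))
    return entries


def build_regfix(log_text):
    """Return the lines of a REGEDIT4 file that deletes the listed keys.

    Output mirrors the hand-written fix: header, then one [-KEY] per key,
    each followed by a blank line, in the order the tool reported them.
    """
    out = ["REGEDIT4", ""]
    seen = set()

    def emit(key):
        if key.lower() in seen:          # a CLSID may be reported twice
            return
        seen.add(key.lower())
        out.append("[-%s]" % key)
        out.append("")

    for key, _already_marked, default in parse_steelwerx(log_text):
        if key.lower() in NEVER_DELETE or key.endswith("\\" + PLACEHOLDER):
            continue
        emit(key)
        if default is not None and GUID_RE.match(default):
            # The hook key's default value names the COM object it loads;
            # remove that class registration too, or the DLL stays wired in.
            emit("HKEY_CLASSES_ROOT\\CLSID\\" + default)
    return out


if __name__ == "__main__":
    print("\n".join(build_regfix(SAMPLE_LOG)))
```

Review the generated lines against the log before merging; the tool warns that not every key it lists is malicious, and the NEVER_DELETE set only covers the header key seen in this thread.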

#9 stoneduck (Topic Starter, Member, 13 posts)
ok here's the latest.




Find Qoologic last edited 11/11/2005
Running from
C:\Documents and Settings\1\Desktop\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x7c90df5e

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
desktop.ini

User Startup:
C:\Documents and Settings\1\Start Menu\Programs\Startup
.
..
desktop.ini

»»»»» Search by size and name...
»»»»» Files found by this method are not necessarily bad...

.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
.....
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]
:tazz:

#10 miekiemoes (Malware Expert, 5,503 posts, MVP)
Hello,

Looks good to me. How are things running now? Popups gone?


#11 stoneduck (Topic Starter, Member, 13 posts)
ok popups are gone but I am still having a long load up time when I turn on my computer, is that normal?

#12 miekiemoes (Malware Expert, 5,503 posts, MVP)
Hmm... I think there is still something hiding there.
I'm pretty sure you also disabled some startups via msconfig that had to get deleted instead of disabled. Don't enable them again.... I'll let you run a tool to show those entries as well as some other entries.

This is not going to improve your startup, but I can see what is maybe still present and needs to get deleted.

By the way.. I see you have Pop-Up Stopper from PanicWare installed. This is a lousy popup blocker and can also cause a system slowdown. You have XP SP2 with a built-in popup blocker which is much better! Also, when a system is clean, you won't have that many popups, only when visiting some sites.

Reboot after uninstalling.

Then..

Download winpfind

Reboot in SAFE MODE !! Important !!
To get into Safe Mode as the computer is booting, press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

Double-click winpfind.exe
Click Start Scan.
It will scan for a while, so please be patient.
Let it finish the job.

Reboot back to normal mode.

Post the contents of winpfind.txt which is present in the winpfind-folder in your next reply.

Edited by miekiemoes, 16 November 2005 - 12:38 PM.


#13 stoneduck (Topic Starter, Member, 13 posts)
sorry for the delay, had another round of work related stuff.
Here is the latest.



WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...
UPX! 2/16/2005 11:06:16 AM 218112 C:\Program Files\HijackThis.exe

Checking %WinDir% folder...
PTech 8/13/2004 1:50:20 AM H 2764937 C:\WINDOWS\msbb_kyf.dat
UPX! 11/9/2005 1:47:38 AM 1044560 C:\WINDOWS\vsapi32.dll
aspack 11/9/2005 1:47:38 AM 1044560 C:\WINDOWS\vsapi32.dll
UPX! 11/9/2005 1:09:04 AM 170053 C:\WINDOWS\tsc.exe
PECompact2 11/9/2005 1:09:00 AM 16387149 C:\WINDOWS\VPTNFILE.935
qoologic 11/9/2005 1:09:00 AM 16387149 C:\WINDOWS\VPTNFILE.935
SAHAgent 11/9/2005 1:09:00 AM 16387149 C:\WINDOWS\VPTNFILE.935

Checking %System% folder...
PECompact2 11/2/2005 12:34:18 AM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 11/2/2005 12:34:18 AM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
qoologic 2/28/2005 4:42:22 PM 8645366 C:\WINDOWS\SYSTEM32\pav.sig
aspack 2/28/2005 4:42:22 PM 8645366 C:\WINDOWS\SYSTEM32\pav.sig
SAHAgent 2/28/2005 4:42:22 PM 8645366 C:\WINDOWS\SYSTEM32\pav.sig
winsync 2/28/2005 4:42:22 PM 8645366 C:\WINDOWS\SYSTEM32\pav.sig
UPX! 7/2/1999 1:36:36 AM 73216 C:\WINDOWS\SYSTEM32\wget.exe
UPX! 5/1/2002 8:32:26 PM 25600 C:\WINDOWS\SYSTEM32\Libparse.exe
PEC2 8/18/2001 5:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
SAHAgent 8/24/2005 2:09:52 AM 3550 C:\WINDOWS\SYSTEM32\5aru2qkg.ini
SAHAgent 8/23/2005 11:01:48 PM 35 C:\WINDOWS\SYSTEM32\ij2h203k.ini
SAHAgent 8/23/2005 11:01:48 PM 35 C:\WINDOWS\SYSTEM32\niol4eqc.ini
UPX! 10/20/2005 7:53:16 PM 67584 C:\WINDOWS\SYSTEM32\nso1F3.dll
winsync 8/18/2001 5:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
UPX! 11/28/2002 5:19:52 PM 19968 C:\WINDOWS\SYSTEM32\svchost32.exe
aspack 1/2/2004 7:06:20 AM 194560 C:\WINDOWS\SYSTEM32\Big Fish screensaver.scr
UPX! 9/7/2001 11:06:18 AM 54784 C:\WINDOWS\SYSTEM32\XpBlock.dll
UPX! 12/22/2002 1:38:32 AM 91648 C:\WINDOWS\SYSTEM32\DialerOffline.dll
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll

Checking %System%\Drivers folder and sub-folders...
UPX! 7/21/2003 10:46:58 AM 839408 C:\WINDOWS\SYSTEM32\drivers\vsapint.sys
aspack 7/21/2003 10:46:58 AM 839408 C:\WINDOWS\SYSTEM32\drivers\vsapint.sys
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/19/2005 1:18:14 AM S 2048 C:\WINDOWS\bootstat.dat
11/14/2005 10:31:30 AM H 24 C:\WINDOWS\pqYsf
11/19/2005 1:17:28 AM H 909312 C:\WINDOWS\system32\config\system.LOG
11/19/2005 1:17:28 AM H 98304 C:\WINDOWS\system32\config\software.LOG
11/19/2005 1:17:28 AM H 8192 C:\WINDOWS\system32\config\default.LOG
11/19/2005 1:18:30 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
11/19/2005 1:18:16 AM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
11/8/2005 7:49:44 PM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
9/28/2005 11:53:30 AM S 17402 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
10/4/2005 6:17:42 PM S 21737 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
10/5/2005 8:33:38 PM S 12849 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896424.cat
11/19/2005 1:17:08 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Apple Computer, Inc. 5/27/2003 12:42:58 PM 295936 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/18/2001 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/18/2001 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/18/2001 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Sony Corporation 12/4/1999 4:11:30 AM 151552 C:\WINDOWS\SYSTEM32\UILib.cpl
Sony Corporation 4/25/2001 5:36:14 PM 53248 C:\WINDOWS\SYSTEM32\VASetup.cpl
10/10/1998 6:01:00 AM 183808 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Apple Computer, Inc. 8/26/1996 2:12:00 AM R 341504 C:\WINDOWS\SYSTEM32\QTW32.CPL
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/8/2001 11:07:12 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/8/2001 10:58:54 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
9/8/2001 11:07:12 AM HS 84 C:\Documents and Settings\1\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
9/8/2001 10:58:52 AM HS 62 C:\Documents and Settings\1\Application Data\desktop.ini
12/15/2002 6:38:18 AM 784 C:\Documents and Settings\1\Application Data\mpauth.dat
11/8/2005 11:07:16 PM 30 C:\Documents and Settings\1\Application Data\Sskcwrd.dll
11/8/2005 9:53:30 PM 475546 C:\Documents and Settings\1\Application Data\Sskknwrd.dll
11/8/2005 10:57:38 PM 56 C:\Documents and Settings\1\Application Data\Sskuknwrd.dll

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
= C:\Program Files\Trend Micro\PC-cillin 2000\Tmdshell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{B95057E0-44DB-11CE-A5D1-00608C83BD3F}
= shellwp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\BriefcaseMenu
{85BBD920-42A0-1069-A2E4-08002B30309D} = syncui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\{48F45200-91E6-11CE-8A4F-0080C81A28D4}
= C:\Program Files\Trend Micro\PC-cillin 2000\Tmdshell.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
Yahoo! Companion BHO = C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\windows\downloaded program files\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\windows\downloaded program files\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
ButtonText = Messenger :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\windows\downloaded program files\googletoolbar2.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\windows\downloaded program files\googletoolbar2.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
Pop-Up Stopper "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
item Adobe Gamma Loader.exe
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup C:\WINDOWS\pss\Adobe Gamma Loader.exe.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
item Adobe Gamma Loader.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^EZVideo Chat.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EZVideo Chat.lnk
backup C:\WINDOWS\pss\EZVideo Chat.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Ezonics\EZVIDE~1.0\EzChat.exe
item EZVideo Chat
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\EZVideo Chat.lnk
backup C:\WINDOWS\pss\EZVideo Chat.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Ezonics\EZVIDE~1.0\EzChat.exe
item EZVideo Chat

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^pjoq.exe
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pjoq.exe
backup C:\WINDOWS\pss\pjoq.exeCommon Startup
location Common Startup
command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pjoq.exe
item pjoq
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pjoq.exe
backup C:\WINDOWS\pss\pjoq.exeCommon Startup
location Common Startup
command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\pjoq.exe
item pjoq

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Real-time Monitor.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Real-time Monitor.lnk
backup C:\WINDOWS\pss\Real-time Monitor.lnkCommon Startup
location Common Startup
command C:\WINDOWS\Installer\{A839294B-70A9-11D5-9F5A-0050DAD742CD}\_299368D.exe
item Real-time Monitor
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Real-time Monitor.lnk
backup C:\WINDOWS\pss\Real-time Monitor.lnkCommon Startup
location Common Startup
command C:\WINDOWS\Installer\{A839294B-70A9-11D5-9F5A-0050DAD742CD}\_299368D.exe
item Real-time Monitor

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^VAIO Action Setup (Server).lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VAIO Action Setup (Server).lnk
backup C:\WINDOWS\pss\VAIO Action Setup (Server).lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Sony\VAIOAC~1\VAServ.exe
item VAIO Action Setup (Server)
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VAIO Action Setup (Server).lnk
backup C:\WINDOWS\pss\VAIO Action Setup (Server).lnkCommon Startup
location Common Startup
command C:\PROGRA~1\Sony\VAIOAC~1\VAServ.exe
item VAIO Action Setup (Server)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\APD123
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item APD123
hkey HKLM
command C:\WINDOWS\system32\APD123.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item APD123
hkey HKLM
command C:\WINDOWS\system32\APD123.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BNInv
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item invbn
hkey HKLM
command invbn.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item invbn
hkey HKLM
command invbn.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\EbatesMoeMoneyMaker0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item EbatesMoeMoneyMaker0
hkey HKLM
command "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item EbatesMoeMoneyMaker0
hkey HKLM
command "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Enh Win Updt
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item enhupdt
hkey HKLM
command C:\WINDOWS\enhupdt.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item enhupdt
hkey HKLM
command C:\WINDOWS\enhupdt.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\External Dependencies
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item External
hkey HKLM
command External.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item External
hkey HKLM
command External.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\farmmext
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item farmmext
hkey HKLM
command C:\WINDOWS\farmmext.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item farmmext
hkey HKLM
command C:\WINDOWS\farmmext.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dumprep 0 -k
hkey HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dumprep 0 -k
hkey HKLM
command %systemroot%\system32\dumprep 0 -k
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Load
key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
item ??? ??? ??? ? ? ?L???
hkey HKCU
command ??? ??? ??? ? ? ?L???
inimapping 1
key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
item ??? ??? ??? ? ? ?L???
hkey HKCU
command ??? ??? ??? ? ? ?L???
inimapping 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\mjbjthp
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item bzimjyzel
hkey HKLM
command C:\WINDOWS\bzimjyzel.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item bzimjyzel
hkey HKLM
command C:\WINDOWS\bzimjyzel.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MSMSGS
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msmsgs
hkey HKCU
command "C:\Program Files\Messenger\msmsgs.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ndllzxy
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ndllzxy
hkey HKLM
command c:\windows\system32\ndllzxy.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ndllzxy
hkey HKLM
command c:\windows\system32\ndllzxy.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\NvCplDaemon
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
hkey HKLM
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
hkey HKLM
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\pifyv
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item pifyv
hkey HKLM
command C:\WINDOWS\pifyv.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item pifyv
hkey HKLM
command C:\WINDOWS\pifyv.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Pop-Up Stopper
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dpps2
hkey HKLM
command "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item dpps2
hkey HKLM
command "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Pop3trap.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Pop3trap
hkey HKLM
command "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Pop3trap
hkey HKLM
command "C:\Program Files\Trend Micro\PC-cillin 2000\Pop3trap.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RealPlay
hkey HKLM
command C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RealPlay
hkey HKLM
command C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Run
key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
item ??? ??? ??? ? ? ?L???
hkey HKCU
command ??? ??? ??? ? ? ?L???
inimapping 1
key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
item ??? ??? ??? ? ? ?L???
hkey HKCU
command ??? ??? ??? ? ? ?L???
inimapping 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SysExplore
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item explorer32
hkey HKLM
command C:\WINDOWS\System32\explorer32.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item explorer32
hkey HKLM
command C:\WINDOWS\System32\explorer32.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item realsched
hkey HKLM
command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VVSN
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item VVSN
hkey HKLM
command C:\Program Files\VVSN\VVSN.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item VVSN
hkey HKLM
command C:\Program Files\VVSN\VVSN.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WebRebates0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WebRebates0
hkey HKLM
command "C:\Program Files\Web_Rebates\WebRebates0.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WebRebates0
hkey HKLM
command "C:\Program Files\Web_Rebates\WebRebates0.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WebTrapNT.exe
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WebTrapNT
hkey HKLM
command "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WebTrapNT
hkey HKLM
command "C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Win Server Updt
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item wupdt
hkey HKLM
command C:\WINDOWS\wupdt.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item wupdt
hkey HKLM
command C:\WINDOWS\wupdt.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinampAgent
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winampa
hkey HKLM
command C:\Program Files\Winamp\winampa.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item winampa
hkey HKLM
command C:\Program Files\Winamp\winampa.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WindUpdates
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WinUpdt
hkey HKLM
command C:\Program Files\WindUpdates\WinUpdt.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WinUpdt
hkey HKLM
command C:\Program Files\WindUpdates\WinUpdt.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\xgz
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item xgz
hkey HKLM
command C:\WINDOWS\xgz.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item xgz
hkey HKLM
command C:\WINDOWS\xgz.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 1


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 11/19/2005 1:34:55 AM
#14
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Oh boy...

How long has your system been running like this?
You got trojaned as well, several worms are present, etc...
I see you disabled a lot of them via msconfig. This is a bad idea because you just disable it but don't delete it, so the malware is still present on your system and continues with its task.

Ok, please follow my next instructions:

Open Notepad and copy and paste the next bold text into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^pjoq.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\APD123]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\BNInv]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\EbatesMoeMoneyMaker0]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Enh Win Updt]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\External Dependencies]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\farmmext]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\KernelFaultCheck]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Load]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\mjbjthp]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ndllzxy]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\pifyv]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Run]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\VVSN]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SysExplore]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WebRebates0]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Win Server Updt]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WindUpdates]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\xgz]


Save this as remove.reg. Choose to save as *all files* and place it on your desktop.
This is how the regfix must look afterwards: [image]
Double-click on it and when it asks you if you want to merge the contents into the registry, click yes/ok.

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Delete next files and folders:

C:\WINDOWS\msbb_kyf.dat
C:\WINDOWS\SYSTEM32\Libparse.exe
C:\WINDOWS\SYSTEM32\5aru2qkg.ini
C:\WINDOWS\SYSTEM32\ij2h203k.ini
C:\WINDOWS\SYSTEM32\niol4eqc.ini
C:\WINDOWS\SYSTEM32\nso1F3.dll
C:\WINDOWS\SYSTEM32\svchost32.exe <== don't try to delete svchost.exe !!
C:\WINDOWS\SYSTEM32\DialerOffline.dll
C:\WINDOWS\pqYsf
C:\Documents and Settings\1\Application Data\Sskcwrd.dll
C:\Documents and Settings\1\Application Data\Sskknwrd.dll
C:\Documents and Settings\1\Application Data\Sskuknwrd.dll
C:\WINDOWS\system32\APD123.exe
C:\Program Files\Ebates_MoeMoneyMaker <== folder
C:\WINDOWS\enhupdt.exe
C:\WINDOWS\farmmext.exe
C:\WINDOWS\bzimjyzel.exe
c:\windows\system32\ndllzxy.exe
C:\WINDOWS\pifyv.exe
C:\WINDOWS\System32\explorer32.exe
C:\Program Files\VVSN <== folder
C:\Program Files\Web_Rebates <= folder
C:\WINDOWS\wupdt.exe
C:\WINDOWS\xgz.exe

Then run CCleaner again and click: Run Cleaner.

Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.gee...xplanation.html
Start the Brute Force Uninstaller by double-clicking BFU.exe

Next to the 'scriptfile to execute' window you'll see a little icon as shown in the next picture: [image]
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste the next URL:

http://metallica.geekstogo.com/p2pnetwork.bfu

Click Ok
Then click execute in Brute Force Uninstaller.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

* Download: Hoster
Unzip Hoster into a folder of its own, e.g. C:\Hoster
Start Hoster.exe, click 'Restore Original Hosts' and click OK.

* Perform an online scan with Kaspersky Online Scanner

Click "Launch Kaspersky Anti-Virus Web Scanner"
You will be prompted if you want to install an ActiveX component from Kaspersky, click yes.
This will start downloading the latest definition files.
Once the files have been downloaded click on "Next"

* Click "Scan Settings"
Select the following in Scan Settings (normally they are already selected by default)

°Scan using the following Anti-Virus database: Standard

°Scan Options: Scan Archives
Scan Mail Bases

* Click OK
* Under select a target to scan, select "My Computer"

* This program will start to scan your system.
The scan will take a while so be patient and let it run.
When the scan is done, it will show a list of infected files found.

* Click on the "Save as Text"- button:
Save the scan log and post it along with a new HijackThis Log

Edited by miekiemoes, 20 November 2005 - 04:38 AM.

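As an added illustration (not code from this thread, from WinPFind or from the helper), the following Python script parses the MSConfig\startupreg section of a WinPFind log like the one posted above, flags disabled startup entries that deserve a look, and writes a REGEDIT4 removal file in the same form as the regfix in the post. The sample log lines are constructed from entries in this thread; the triage rules are simple heuristics and are not the expert's method.

```python
"""Triage WinPFind 'MSConfig\\startupreg' entries and build a REGEDIT4 removal file."""
import re

MSCONFIG_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig"

# Constructed sample in the same layout as the WinPFind log in this thread:
# a bare filename, a file in the Windows folder, garbled data, and two legitimate entries.
SAMPLE_LOG = "\n".join([
    MSCONFIG_ROOT + r"\startupreg\BNInv",
    r"key SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "item invbn", "hkey HKLM", "command invbn.exe", "inimapping 0", "",
    MSCONFIG_ROOT + r"\startupreg\xgz",
    r"key SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "item xgz", "hkey HKLM", r"command C:\WINDOWS\xgz.exe", "inimapping 0", "",
    MSCONFIG_ROOT + r"\startupreg\Load",
    r"key SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    "item ??? ??? ???", "hkey HKCU", "command ??? ??? ???", "inimapping 1", "",
    MSCONFIG_ROOT + r"\startupreg\QuickTime Task",
    r"key SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "item qttask", "hkey HKLM",
    r'command "C:\Program Files\QuickTime\qttask.exe" -atboottime', "inimapping 0", "",
    MSCONFIG_ROOT + r"\startupreg\KernelFaultCheck",
    r"key SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "item dumprep 0 -k", "hkey HKLM",
    r"command %systemroot%\system32\dumprep 0 -k", "inimapping 0",
])

FIELDS = ("key ", "item ", "hkey ", "command ", "inimapping ")


def parse_startupreg(text):
    """Return one dict per startupreg entry: name plus the key/item/hkey/command/inimapping fields.

    WinPFind prints the entry's registry path, then one 'field value' line per value.
    Repeated field lines (the posted log shows each twice) simply overwrite the earlier value.
    """
    prefix = MSCONFIG_ROOT + "\\startupreg\\"
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(prefix):
            current = {"name": line[len(prefix):]}
            entries.append(current)
        elif line.startswith("HKEY_"):
            current = None  # some other section (startupfolder, state, ...)
        elif current is not None and line.lower().startswith(FIELDS):
            field, value = line.split(None, 1)
            current[field.lower()] = value
    return entries


def executable_of(command):
    """Strip quotes and arguments from a Run-key command, leaving the executable path."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    return (m.group(1) or m.group(2)) if m else ""


def triage(entry):
    """Return reasons a disabled entry deserves a closer look (empty list = nothing odd)."""
    exe = executable_of(entry.get("command", ""))
    if not exe or "?" in exe:
        return ["unreadable command data"]
    reasons = []
    if "\\" not in exe:
        reasons.append("bare filename, no directory")
    elif re.fullmatch(r"(?i)[a-z]:\\windows\\[^\\]+", exe):
        reasons.append("executable sits directly in the Windows folder")
    return reasons


def build_removal_reg(startupreg_names, startupfolder_names=()):
    """Build a REGEDIT4 file; a leading '-' inside the brackets tells regedit to delete that key."""
    lines = ["REGEDIT4", ""]
    for name in startupfolder_names:
        lines += ["[-%s\\startupfolder\\%s]" % (MSCONFIG_ROOT, name), ""]
    for name in startupreg_names:
        lines += ["[-%s\\startupreg\\%s]" % (MSCONFIG_ROOT, name), ""]
    return "\r\n".join(lines)  # regedit expects CRLF line endings


if __name__ == "__main__":
    found = parse_startupreg(SAMPLE_LOG)
    flagged = [e["name"] for e in found if triage(e)]
    for e in found:
        print("%-18s %-45s %s" % (e["name"], e.get("command", ""), "; ".join(triage(e))))
    print()
    print(build_removal_reg(flagged))
```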

#15
stoneduck

    Member

  • Topic Starter
  • Member
  • 13 posts
OK, I thought it was bad but I had no idea...

OK, here is HijackThis


Logfile of HijackThis v1.99.1
Scan saved at 11:04:07 AM, on 11/21/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.hotmail.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\windows\downloaded program files\googletoolbar2.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\YAHOO!\COMPAN~1\INSTALLS\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\windows\downloaded program files\googletoolbar2.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\PROGRA~1\PANICW~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: &Google Search - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\windows\downloaded program files\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: ConferenceRoom Java Client - http://chat.privatef...000/java/cr.cab
O16 - DPF: {01CA75F1-054B-4A63-9221-C6926369EC52} (HS_live Control) - http://install.homes...ive/HS_live.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} (DetInstaller Class) - http://www.pandasoft...s/AvDetInst.cab
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} - http://www.miniclip....pGameLoader.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z....meInstaller.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by2fd.bay2.ho...es/MsnPUpld.cab
O16 - DPF: {6CB5E471-C305-11D3-99A8-000086395495} - http://toolbar.googl...n/GoogleNav.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {87056D28-9730-4A47-B9F9-7E890B62C58A} (WildfireActiveXHost Class) - http://www.shockwave...bugs/axhost.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://www.shockwave...outLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...aploader_v5.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2A3ECD8B-8740-45C4-96AB-9E7C48482019}: NameServer = 172.16.1.103
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe


And now the Kaspersky report.



-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, November 21, 2005 11:02:15
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 21/11/2005
Kaspersky Anti-Virus database records: 151107
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 83750
Number of viruses found: 10
Number of infected objects: 13
Number of suspicious objects: 6
Duration of the scan process: 6047 sec

Infected Object Name - Virus Name
C:\WINDOWS\system32\drivers\etc\hosts.bak Infected: Trojan.Win32.Qhost
C:\WINDOWS\system32\gmsys32.exe/data0003 Infected: DoS.Win32.Sima
C:\WINDOWS\system32\gmsys32.exe/data0005 Infected: Backdoor.IRC.Zcrew
C:\WINDOWS\system32\gmsys32.exe/data0006 Infected: DoS.Win32.SynFlood.b
C:\WINDOWS\system32\gmsys32.exe/data0011 Infected: Backdoor.IRC.Zapchast
C:\WINDOWS\system32\gmsys32.exe/data0013 Infected: Exploit.Win32.DCom.b
C:\WINDOWS\system32\gmsys32.exe Infected: Exploit.Win32.DCom.b
C:\WINDOWS\system32\fran-hot.exe Infected: Trojan-Dropper.Win32.Agent.abb
C:\WINDOWS\system32\qkwyb.dat Infected: Trojan-Downloader.Win32.Qoologic.ai
C:\WINDOWS\system32\kdjbdcd.exe Infected: Trojan-Downloader.Win32.Qoologic.ai
C:\WINDOWS\pss\pjoq.exeCommon Startup Infected: Trojan-Downloader.Win32.Qoologic.ai
C:\WINDOWS\lqmeleq.exe Infected: Trojan-Downloader.Win32.VB.hj
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISTbarSlotch3.zip/istsvc.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISTbarSlotch3.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISTbarSlotch8.zip/istsvc.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISTbarSlotch8.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISTbarSlotch12.zip/istsvc.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ISTbarSlotch12.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\UNY3SRYH\b2search_v17[1].exe Infected: Trojan-Dropper.Win32.Agent.abb

Scan process completed.