

Spyware problems :o( [RESOLVED]
Started by seno2krack, Feb 11 2006 03:33 PM
#1
Posted 11 February 2006 - 03:33 PM


#2
Posted 11 February 2006 - 04:22 PM

Hi seno2krack and welcome to the Geeks to Go Forums.
My name is Trevuren and I will be helping you with your log.
Download and run the following HijackThis autoinstall program from Here. Please choose the default location of C:\Program Files\ as the destination. HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!
- Run HijackThis
- Click SCAN and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to 'select all', Ctrl-C to 'copy')
- POST the log into this thread using 'Add Reply' (Ctrl-V to 'paste')
DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER
Regards,
Trevuren
#3
Posted 14 February 2006 - 12:52 PM

Logfile of HijackThis v1.99.1
Scan saved at 8:50:01 AM, on 2/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\WLANSTA.EXE
C:\WINDOWS\System32\BROWSEUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\adsmsext.exe
C:\windows\system32\rqdsregj.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\elitemediapop.exe
C:\WINDOWS\system32\hpsw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\nrpn\osoa.exe
C:\WINDOWS\system32\wgse.exe
C:\WINDOWS\system32\l?[bleep].exe
C:\Program Files\Apoint\Apntex.exe
C:\jetsuite\DLLCMD32.EXE
C:\jetsuite\JETSTAT.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\jetsuite\jsdaemon.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.c...pz2uqxFxY0zy8 x
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.c...htOLePvhSdyGOEu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - {E57B54CD-EC25-95D5-7DE7-BC9EFC3657CE} - C:\WINDOWS\system32\iqo.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\system32\nsm1B.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmyhtg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Starware - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program Files\Starware\bin\Starware.dll
O2 - BHO: (no name) - {E57B54CD-EC25-95D5-7DE7-BC9EFC3657CE} - C:\WINDOWS\system32\iqo.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Hjq2.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost35.exe
O4 - HKLM\..\Run: [Wipe Bows] C:\PROGRA~1\Hide Hole Bore\Cash Shim.exe
O4 - HKLM\..\Run: [6407e5b024ba] C:\WINDOWS\System32\BROWSEUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [686559a7d273] C:\WINDOWS\system32\adsmsext.exe
O4 - HKLM\..\Run: [SpySpotter System Defender] C:\Program Files\SpySpotter3\Defender.exe -startup
O4 - HKLM\..\Run: [{6C-C9-96-60-ZN}] C:\windows\system32\rqdsregj.exe FI002
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\sxggl4.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ncao] "C:\Program Files\nrpn\osoa.exe" -vt yazb
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [Kodwemh] C:\WINDOWS\system32\l?[bleep].exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\kwinrsap.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DllCmd32.lnk = C:\jetsuite\DLLCMD32.EXE
O4 - Global Startup: HP LaserJet 3100 Status.lnk = C:\jetsuite\JETSTAT.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {CA356D79-679B-4B4C-8E49-5AF97014F4C1} (Starware) - http://files-pl.star...tarware_323.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A75C4D8E-CA1F-4471-94DA-C0A44A123C30}: NameServer = 209.210.176.8 209.210.176.9
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AutoComplete Service (Autocomplete) - Internet Washer - C:\PROGRA~1\SYSTEM~1\autocomp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: jsdaemon - JetFax, Inc. - c:\jetsuite\jsdaemon.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
#4
Posted 14 February 2006 - 01:41 PM

Looks as if you and I will be spending a lot of time together.
Your system has a very stubborn infection called a Peper infection. To get rid of it, please do the following:
1. Download this removal tool:
http://downloads.sub...rg/PeperFix.exe
- Start the tool and click Find and Fix.
- Restart your computer (reboot it is called) to finish removing what it found.
- Run the tool a second time to make certain it has completely removed Peper.
2. Reboot your computer again and post a new HijackThis log.
Regards,
Trevuren

#5
Posted 14 February 2006 - 02:17 PM

I ran the PeperFixer again and it said that no files were found. I'm still getting popups though.
Logfile of HijackThis v1.99.1
Scan saved at 10:15:12 AM, on 2/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\WLANSTA.EXE
C:\WINDOWS\System32\IEHost35.exe
C:\WINDOWS\System32\BROWSEUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\adsmsext.exe
C:\WINDOWS\elitemediapop.exe
C:\WINDOWS\system32\hpsw.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\nrpn\osoa.exe
C:\WINDOWS\system32\l?[bleep].exe
C:\WINDOWS\system32\wgse.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\jetsuite\DLLCMD32.EXE
C:\jetsuite\JETSTAT.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\SYSTEM32\kwinrsap.exe
c:\windows\system32\dwdsregt.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\jetsuite\jsdaemon.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.c...htOLePvhSdyGOEu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - {E57B54CD-EC25-95D5-7DE7-BC9EFC3657CE} - C:\WINDOWS\system32\iqo.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\system32\nsm1B.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmyhtg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - (no file)
O2 - BHO: (no name) - {E57B54CD-EC25-95D5-7DE7-BC9EFC3657CE} - C:\WINDOWS\system32\iqo.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Hjq2.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost35.exe
O4 - HKLM\..\Run: [Wipe Bows] C:\PROGRA~1\Hide Hole Bore\Cash Shim.exe
O4 - HKLM\..\Run: [6407e5b024ba] C:\WINDOWS\System32\BROWSEUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [686559a7d273] C:\WINDOWS\system32\adsmsext.exe
O4 - HKLM\..\Run: [SpySpotter System Defender] C:\Program Files\SpySpotter3\Defender.exe -startup
O4 - HKLM\..\Run: [{6C-C9-96-60-ZN}] c:\windows\system32\dwdsregt.exe FI002
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\sxggl4.exe reg_run
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\kwinrsap.exe FI002
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ncao] "C:\Program Files\nrpn\osoa.exe" -vt yazb
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [Kodwemh] C:\WINDOWS\system32\l?[bleep].exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\kwinrsap.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\rqdsregj.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DllCmd32.lnk = C:\jetsuite\DLLCMD32.EXE
O4 - Global Startup: HP LaserJet 3100 Status.lnk = C:\jetsuite\JETSTAT.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {CA356D79-679B-4B4C-8E49-5AF97014F4C1} - http://files-pl.star...tarware_323.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A75C4D8E-CA1F-4471-94DA-C0A44A123C30}: NameServer = 209.210.176.8 209.210.176.9
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AutoComplete Service (Autocomplete) - Internet Washer - C:\PROGRA~1\SYSTEM~1\autocomp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: jsdaemon - JetFax, Inc. - c:\jetsuite\jsdaemon.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
Logfile of HijackThis v1.99.1
Scan saved at 10:15:12 AM, on 2/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\WLANSTA.EXE
C:\WINDOWS\System32\IEHost35.exe
C:\WINDOWS\System32\BROWSEUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\adsmsext.exe
C:\WINDOWS\elitemediapop.exe
C:\WINDOWS\system32\hpsw.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\nrpn\osoa.exe
C:\WINDOWS\system32\l?[bleep].exe
C:\WINDOWS\system32\wgse.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\jetsuite\DLLCMD32.EXE
C:\jetsuite\JETSTAT.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\SYSTEM32\kwinrsap.exe
c:\windows\system32\dwdsregt.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\jetsuite\jsdaemon.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.c...htOLePvhSdyGOEu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - {E57B54CD-EC25-95D5-7DE7-BC9EFC3657CE} - C:\WINDOWS\system32\iqo.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\system32\nsm1B.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmyhtg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - (no file)
O2 - BHO: (no name) - {E57B54CD-EC25-95D5-7DE7-BC9EFC3657CE} - C:\WINDOWS\system32\iqo.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\Hjq2.exe
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost35.exe
O4 - HKLM\..\Run: [Wipe Bows] C:\PROGRA~1\Hide Hole Bore\Cash Shim.exe
O4 - HKLM\..\Run: [6407e5b024ba] C:\WINDOWS\System32\BROWSEUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [686559a7d273] C:\WINDOWS\system32\adsmsext.exe
O4 - HKLM\..\Run: [SpySpotter System Defender] C:\Program Files\SpySpotter3\Defender.exe -startup
O4 - HKLM\..\Run: [{6C-C9-96-60-ZN}] c:\windows\system32\dwdsregt.exe FI002
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\sxggl4.exe reg_run
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\kwinrsap.exe FI002
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ncao] "C:\Program Files\nrpn\osoa.exe" -vt yazb
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [Kodwemh] C:\WINDOWS\system32\l?[bleep].exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\kwinrsap.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\rqdsregj.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DllCmd32.lnk = C:\jetsuite\DLLCMD32.EXE
O4 - Global Startup: HP LaserJet 3100 Status.lnk = C:\jetsuite\JETSTAT.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {CA356D79-679B-4B4C-8E49-5AF97014F4C1} - http://files-pl.star...tarware_323.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A75C4D8E-CA1F-4471-94DA-C0A44A123C30}: NameServer = 209.210.176.8 209.210.176.9
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AutoComplete Service (Autocomplete) - Internet Washer - C:\PROGRA~1\SYSTEM~1\autocomp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: jsdaemon - JetFax, Inc. - c:\jetsuite\jsdaemon.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
#6
Posted 14 February 2006 - 03:36 PM

You can expect to have popups for quite a while yet. There are so many different infections to contend with.
Please try this version of the Peper Trojan Fix:
- Download uninst.exe from HERE
- Double-click uninst.exe to run it.
- Let it terminate (it'll just blink briefly on your screen and won't appear to have done much--this is normal)
- When all is finished, please post a fresh HJT log.
Trevuren
#7
Posted 14 February 2006 - 04:19 PM

Logfile of HijackThis v1.99.1
Scan saved at 12:19:00 PM, on 2/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\WLANSTA.EXE
C:\WINDOWS\System32\IEHost35.exe
C:\WINDOWS\System32\BROWSEUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\adsmsext.exe
C:\WINDOWS\elitemediapop.exe
C:\WINDOWS\system32\hpsw.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\nrpn\osoa.exe
C:\WINDOWS\system32\l?[bleep].exe
C:\WINDOWS\system32\wgse.exe
C:\jetsuite\DLLCMD32.EXE
C:\jetsuite\JETSTAT.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Apoint\Apntex.exe
c:\windows\system32\dwdsregt.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\jetsuite\jsdaemon.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\lwinlsap.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.c...htOLePvhSdyGOEu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - {E57B54CD-EC25-95D5-7DE7-BC9EFC3657CE} - C:\WINDOWS\system32\iqo.dll
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: bitlocker - {01EB5130-FC0C-4d75-B9CE-4801B1B854F5} - C:\WINDOWS\system32\nsm1B.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Trecker Class - {39C78B50-7E98-4aa0-B007-D83114EA6E0F} - C:\PROGRA~1\Jalmp\jalmp.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmyhtg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - (no file)
O2 - BHO: (no name) - {E57B54CD-EC25-95D5-7DE7-BC9EFC3657CE} - C:\WINDOWS\system32\iqo.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost35.exe
O4 - HKLM\..\Run: [Wipe Bows] C:\PROGRA~1\Hide Hole Bore\Cash Shim.exe
O4 - HKLM\..\Run: [6407e5b024ba] C:\WINDOWS\System32\BROWSEUI.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [686559a7d273] C:\WINDOWS\system32\adsmsext.exe
O4 - HKLM\..\Run: [SpySpotter System Defender] C:\Program Files\SpySpotter3\Defender.exe -startup
O4 - HKLM\..\Run: [{6C-C9-96-60-ZN}] c:\windows\system32\dwdsregt.exe FI002
O4 - HKLM\..\Run: [elitemedia] C:\WINDOWS\elitemediapop.exe
O4 - HKLM\..\Run: [susse] "C:\WINDOWS\system32\hpsw.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\sxggl4.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ncao] "C:\Program Files\nrpn\osoa.exe" -vt yazb
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [Kodwemh] C:\WINDOWS\system32\l?[bleep].exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\lwinlsap.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\rqdsregj.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DllCmd32.lnk = C:\jetsuite\DLLCMD32.EXE
O4 - Global Startup: HP LaserJet 3100 Status.lnk = C:\jetsuite\JETSTAT.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemed...s/mediaview.cab
O16 - DPF: {CA356D79-679B-4B4C-8E49-5AF97014F4C1} - http://files-pl.star...tarware_323.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A75C4D8E-CA1F-4471-94DA-C0A44A123C30}: NameServer = 209.210.176.8 209.210.176.9
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AutoComplete Service (Autocomplete) - Internet Washer - C:\PROGRA~1\SYSTEM~1\autocomp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: jsdaemon - JetFax, Inc. - c:\jetsuite\jsdaemon.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
#8
Posted 14 February 2006 - 06:50 PM

The big one is gone, now to work on the others:
Please follow the instructions provided; you may want to print out these instructions and use them as a reference.
- Please download ewido security suite; it is a trial version of the program.
- Install ewido security suite
- When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- Launch ewido; there should be an icon on your desktop, double-click it.
- The program will prompt you to update; click the OK button
- The program will now go to the main screen
- You will need to update ewido to the latest definition files.
- On the left hand side of the main screen click update
- Click on Start
- The update will start and a progress bar will show the updates being installed.
- Once the updates are installed do the following:
- REBOOT into Safe Mode
- Run EWIDO
- Click on scanner
- Click on Start Scan
- Let the program scan the machine
- While the scan is in progress you will be prompted to clean files; click OK
- Once the scan has completed, there will be a button located on the bottom of the screen named Save report
- Click Save report
- Save the report to your desktop
- Reboot your machine and post back a new HJT log and the ewido .txt log file you saved by using Add Reply
Trevuren
#9
Posted 18 February 2006 - 02:26 PM

Logfile of HijackThis v1.99.1
Scan saved at 10:24:59 AM, on 2/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\WLANSTA.EXE
C:\WINDOWS\System32\IEHost35.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\onqkow.exe
C:\WINDOWS\SYSTEM32\pwinksai.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\l?[bleep].exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\jetsuite\DLLCMD32.EXE
C:\jetsuite\JETSTAT.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
c:\jetsuite\jsdaemon.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.c...htOLePvhSdyGOEu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - {E57B54CD-EC25-95D5-7DE7-BC9EFC3657CE} - C:\WINDOWS\system32\iqo.dll (file missing)
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmyhtg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll (file missing)
O2 - BHO: (no name) - {E57B54CD-EC25-95D5-7DE7-BC9EFC3657CE} - C:\WINDOWS\system32\iqo.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost35.exe
O4 - HKLM\..\Run: [Wipe Bows] C:\PROGRA~1\Hide Hole Bore\Cash Shim.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySpotter System Defender] C:\Program Files\SpySpotter3\Defender.exe -startup
O4 - HKLM\..\Run: [wversion] "C:\WINDOWS\system32\weather.exe "
O4 - HKLM\..\Run: [wsecure] "C:\WINDOWS\system32\onqkow.exe"
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\pwinksai.exe FI002
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Kodwemh] C:\WINDOWS\system32\l?[bleep].exe
O4 - HKCU\..\Run: [DHaxi.exe] C:\WINDOWS\system32\DHaxi.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\pwinksai.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DllCmd32.lnk = C:\jetsuite\DLLCMD32.EXE
O4 - Global Startup: HP LaserJet 3100 Status.lnk = C:\jetsuite\JETSTAT.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {141F7D17-D5F2-44D4-B86B-07429C40688F} (Weather Control) - http://www.weatherwa...er1/weather.ocx
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.../ax/adwerkz.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nu.../FIX/WinATS.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemed...s/mediaview.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A75C4D8E-CA1F-4471-94DA-C0A44A123C30}: NameServer = 209.210.176.8 209.210.176.9
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AutoComplete Service (Autocomplete) - Internet Washer - C:\PROGRA~1\SYSTEM~1\autocomp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: jsdaemon - JetFax, Inc. - c:\jetsuite\jsdaemon.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
.....................................................
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 10:10:12 AM, 2/18/2006
+ Report-Checksum: 241BF6DF
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{01EB5130-FC0C-4d75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{39C78B50-7E98-4aa0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C5AF2622-8C75-4dfb-9693-23AB7686A456} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\SWRT01.RT -> Adware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\SWRT01.RT\Clsid -> Adware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Dsi -> Adware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CA356D79-679B-4B4C-8E49-5AF97014F4C1} -> Adware.Starware : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01EB5130-FC0C-4d75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39C78B50-7E98-4aa0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5AF2622-8C75-4dfb-9693-23AB7686A456} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA356D79-679B-4b4c-8E49-5AF97014F4C1} -> Adware.Starware : Cleaned with backup
HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01EB5130-FC0C-4D75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ADE0443-2AB2-4B23-A3F8-AC520773DE12} -> Adware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5AF2622-8C75-4DFB-9693-23AB7686A456} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA356D79-679B-4B4C-8E49-5AF97014F4C1} -> Adware.Starware : Cleaned with backup
HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D49E9D35-254C-4C6A-9D17-95018D228FF5} -> Adware.Starware : Cleaned with backup
C:\!PeperFix\Bxe0n.exe -> Downloader.VB.em : Cleaned with backup
C:\!PeperFix\Eah1q5.exe -> Downloader.VB.em : Cleaned with backup
C:\!PeperFix\Fah1q5.exe -> Downloader.VB.em : Cleaned with backup
C:\!PeperFix\Hjq2.exe -> Downloader.VB.em : Cleaned with backup
C:\!PeperFix\Oval63H.exe -> Backdoor.VB.oq : Cleaned with backup
C:\!PeperFix\PikqWgD1.exe -> Backdoor.VB.nb : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rukk.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\Documents and Settings\Malcom\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-6f9d0b9-72d4ff43.class -> Not-A-Virus.Exploit.JS.ScriptSrc.a : Cleaned with backup
C:\Documents and Settings\Malcom\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-53b42299-2db7412f.zip/web.exe -> Trojan.Revop.e : Error during cleaning
C:\Documents and Settings\Malcom\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-53b4229a-34878864.zip/web.exe -> Trojan.Revop.e : Error during cleaning
C:\Documents and Settings\Malcom\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][2].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][2].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][2].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][2].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\malcom@click2begin[1].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\malcom@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\malcom@hypertracker[2].txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][1].txt -> TrackingCookie.Top-banners : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\malcom@paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\malcom@searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\malcom@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\malcom@web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][2].txt -> TrackingCookie.Adtrak : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][2].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][2].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][2].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][1].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][2].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][1].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\malcom@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Malcom\Local Settings\Temp\f284959.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\Documents and Settings\Malcom\Local Settings\Temp\F6E7.tmp/drwst.exe -> Adware.MDH : Error during cleaning
C:\Documents and Settings\Malcom\Local Settings\Temp\F8C4.tmp/drwst.exe -> Adware.MDH : Error during cleaning
C:\Documents and Settings\Malcom\Local Settings\Temp\ICD1.tmp\elite.ocx -> Adware.MediaMotor : Cleaned with backup
C:\Documents and Settings\Malcom\Local Settings\Temp\mndcntas.tmp -> Adware.SafeSurfing : Cleaned with backup
C:\Documents and Settings\Malcom\Local Settings\Temporary Internet Files\Content.IE5\3A47RHG1\newfrn[1].exe -> Hijacker.VB.is : Cleaned with backup
C:\Documents and Settings\Malcom\Local Settings\Temporary Internet Files\Content.IE5\XDK2KJ9V\install[1].exe -> Trojan.SecondThought.c : Cleaned with backup
C:\install_tag002.exe -> Adware.PurityScan : Cleaned with backup
C:\Program Files\Jalmp\jalmp.dll -> Adware.Suggestor : Cleaned with backup
C:\Program Files\MaxSpeed -> Adware.SideFind : Cleaned with backup
C:\Program Files\nrpn\osoa.exe -> Downloader.PurityScan.be : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP428\A0025520.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP430\A0025572.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP431\A0025590.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP433\A0025633.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP434\A0025684.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP436\A0025786.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP438\A0025838.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP439\A0025889.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP446\A0026186.dll -> Adware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP446\A0026189.dll -> Adware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP446\A0026190.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP447\A0026246.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP447\A0026248.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026271.exe -> Downloader.Qoologic.al : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026276.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026277.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026281.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026282.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026292.exe -> Downloader.Dyfuca.ei : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026293.dll -> Downloader.Qoologic.ae : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026294.cpl -> Downloader.Qoologic.ad : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026295.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026299.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026314.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026316.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026317.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026319.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026332.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026334.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026335.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026337.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026354.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026355.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026356.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026357.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP449\A0026379.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP449\A0026380.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP449\A0026382.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP449\A0026383.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP449\A0026402.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP449\A0026403.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP449\A0026404.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP449\A0026405.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP449\A0026421.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP449\A0026422.dll -> Adware.HotSearchBar : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP449\A0026428.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP450\A0026434.dll -> Adware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP450\A0026447.dll -> Adware.Sud : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP450\A0026451.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP450\A0026453.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP450\A0026455.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP450\A0026457.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026473.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026475.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026476.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026478.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026494.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026495.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026496.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026497.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026510.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026511.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026512.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026513.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026527.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026531.dll -> Adware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026537.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026542.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026543.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026544.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026545.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026546.exe -> Backdoor.VB.oq : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026547.exe -> Backdoor.VB.nb : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026551.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026552.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026553.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026554.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP452\A0026572.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP452\A0026573.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP452\A0026574.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP452\A0026575.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP452\A0026591.dll -> Adware.Comet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP452\A0026595.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP452\A0026598.exe -> Downloader.Dyfuca.ei : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP452\A0026599.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP452\A0026606.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP452\A0026607.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP452\A0026608.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP453\A0026743.dll -> Hijacker.Small.jf : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP453\A0026760.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP453\A0026761.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP453\A0026762.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP453\A0026778.exe -> Adware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP453\A0026779.exe -> Downloader.Small.bmx : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP454\A0026787.exe -> Downloader.Qoologic.al : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP454\A0026791.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP454\A0026793.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP454\A0026795.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP454\A0026807.exe -> Adware.EZula : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026816.dll -> Hijacker.Small.jf : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026820.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026822.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026823.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026824.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026840.dll -> Hijacker.Small.jf : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026844.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026845.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026846.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026857.dll -> Hijacker.Small.jf : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026861.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026862.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026863.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026882.dll -> Hijacker.Small.jf : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026886.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026888.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026889.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026890.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026907.dll -> Hijacker.Small.jf : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026911.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026912.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026913.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026930.dll -> Adware.Sud : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026931.dll -> Adware.Sud : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026932.dll -> Adware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026933.cpl -> Downloader.Qoologic.ad : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026939.dll -> Hijacker.Small.jf : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026940.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026944.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026945.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026955.dll -> Hijacker.Small.jf : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\snapshot\MFEX-1.DAT -> Hijacker.Small.jf : Cleaned with backup
C:\WINDOWS\876057.exe -> Adware.Mirar : Cleaned with backup
C:\WINDOWS\DH.dll -> Hijacker.Small.jf : Cleaned with backup
C:\WINDOWS\DH.dll_tobedeleted -> Hijacker.Small.jf : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\elite.ocx -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\elite.ocx -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\elite.ocx -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\elite.ocx -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\elite.ocx -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\elite.ocx -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\elitemediapop.exe -> Trojan.LowZones.am : Cleaned with backup
C:\WINDOWS\htwfdr.exe -> Downloader.Small.bmx : Cleaned with backup
C:\WINDOWS\JUSTIN2.exe -> Adware.EZula : Cleaned with backup
C:\WINDOWS\m7.exe -> Downloader.Swizzor.bt : Cleaned with backup
C:\WINDOWS\SYSTEM32\ad.html -> Hijacker.Agent.e : Cleaned with backup
C:\WINDOWS\SYSTEM32\adsmsext.exe -> Adware.UrlSpy : Cleaned with backup
C:\WINDOWS\SYSTEM32\BROWSEUI.exe -> Adware.IEDriver : Cleaned with backup
C:\WINDOWS\SYSTEM32\CCFGNT30.exe -> Adware.UrlSpy : Cleaned with backup
C:\WINDOWS\SYSTEM32\CDDBUIRo.exe -> Adware.UrlSpy : Cleaned with backup
C:\WINDOWS\SYSTEM32\CDOSYS79.exe -> Downloader.Agent.adz : Cleaned with backup
C:\WINDOWS\SYSTEM32\dwdsregt.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\dxnnbrx.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\SYSTEM32\ernnj.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\SYSTEM32\ffjjskf.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\SYSTEM32\hpsw.exe -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\SYSTEM32\iqo.dll -> Adware.PurityScan : Cleaned with backup
C:\WINDOWS\SYSTEM32\irismon.dll -> Adware.SafeSurfing : Cleaned with backup
C:\WINDOWS\SYSTEM32\irssyncd.exe -> Adware.SafeSurfing : Cleaned with backup
C:\WINDOWS\SYSTEM32\kwinksap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\kwinlsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\kwinrsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\lwinksap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\lwinlsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\mwinlsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\mwinnap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\owintsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\pwinksap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\rjdsregq.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\rjdsregr.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\rkdsregm.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\rqdsregj.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\rsdsregq.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\SWRT01.dll -> Adware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\SYSTEM32\sxggl4.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\SYSTEM32\wallpap.exe -> Hijacker.Agent.gp : Cleaned with backup
C:\WINDOWS\SYSTEM32\wgaap.dat -> Downloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\SYSTEM32\wgse.exe -> Trojan.Runner.h : Cleaned with backup
C:\WINDOWS\SYSTEM32\WinATS.dll -> Adware.Mirar : Cleaned with backup
C:\WINDOWS\SYSTEM32\WinNB57.dll -> Adware.Mirar : Cleaned with backup
C:\WINDOWS\SYSTEM32\wuauclt.dll -> Downloader.Qoologic.ae : Cleaned with backup
C:\WINDOWS\SYSTEM32\wuauclt.dll_tobedeleted -> Downloader.Qoologic.ae : Cleaned with backup
C:\WINDOWS\wsem217.dll -> Downloader.Dyfuca.cn : Cleaned with backup
C:\WINDOWS\ZIFI002.exe -> Adware.ZenoSearch : Cleaned with backup
::Report End
Scan saved at 10:24:59 AM, on 2/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\WLANSTA.EXE
C:\WINDOWS\System32\IEHost35.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\onqkow.exe
C:\WINDOWS\SYSTEM32\pwinksai.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\l?[bleep].exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\jetsuite\DLLCMD32.EXE
C:\jetsuite\JETSTAT.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
c:\jetsuite\jsdaemon.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file://C:\WINDOWS\system32\SearchBar.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://as.starware.c...htOLePvhSdyGOEu
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{5D60FF48-95BE-4956-B4C6-6BB168A70310} - (no file)
R3 - URLSearchHook: (no name) - {E57B54CD-EC25-95D5-7DE7-BC9EFC3657CE} - C:\WINDOWS\system32\iqo.dll (file missing)
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: RieMon Class - {70F6A776-579A-4C95-BA88-134253907752} - C:\WINDOWS\system32\irsmyhtg.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C5AF2622-8C75-4dfb-9693-23AB7686A456} - C:\WINDOWS\DH.dll (file missing)
O2 - BHO: (no name) - {E57B54CD-EC25-95D5-7DE7-BC9EFC3657CE} - C:\WINDOWS\system32\iqo.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost35.exe
O4 - HKLM\..\Run: [Wipe Bows] C:\PROGRA~1\Hide Hole Bore\Cash Shim.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySpotter System Defender] C:\Program Files\SpySpotter3\Defender.exe -startup
O4 - HKLM\..\Run: [wversion] "C:\WINDOWS\system32\weather.exe "
O4 - HKLM\..\Run: [wsecure] "C:\WINDOWS\system32\onqkow.exe"
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\SYSTEM32\pwinksai.exe FI002
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Kodwemh] C:\WINDOWS\system32\l?[bleep].exe
O4 - HKCU\..\Run: [DHaxi.exe] C:\WINDOWS\system32\DHaxi.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\SYSTEM32\pwinksai.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DllCmd32.lnk = C:\jetsuite\DLLCMD32.EXE
O4 - Global Startup: HP LaserJet 3100 Status.lnk = C:\jetsuite\JETSTAT.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: (no name) - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra 'Tools' menuitem: MaxSpeed - {120E090D-9136-4b78-8258-F0B44B4BD2AC} - C:\WINDOWS\System32\maxspeed.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {141F7D17-D5F2-44D4-B86B-07429C40688F} (Weather Control) - http://www.weatherwa...er1/weather.ocx
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} (Cadwkzctl Object) - http://apps.deskwizz.../ax/adwerkz.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} (Mirar_Dummy_ATS1 Class) - http://awbeta.net-nu.../FIX/WinATS.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} (elitectl.DemoCtl) - http://cabs.elitemed...s/mediaview.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A75C4D8E-CA1F-4471-94DA-C0A44A123C30}: NameServer = 209.210.176.8 209.210.176.9
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AutoComplete Service (Autocomplete) - Internet Washer - C:\PROGRA~1\SYSTEM~1\autocomp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: jsdaemon - JetFax, Inc. - c:\jetsuite\jsdaemon.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
.....................................................
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 10:10:12 AM, 2/18/2006
+ Report-Checksum: 241BF6DF
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{01EB5130-FC0C-4d75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{39C78B50-7E98-4aa0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C5AF2622-8C75-4dfb-9693-23AB7686A456} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\SWRT01.RT -> Adware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\SWRT01.RT\Clsid -> Adware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Dsi -> Adware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CA356D79-679B-4B4C-8E49-5AF97014F4C1} -> Adware.Starware : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01EB5130-FC0C-4d75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{39C78B50-7E98-4aa0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C5AF2622-8C75-4dfb-9693-23AB7686A456} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CA356D79-679B-4b4c-8E49-5AF97014F4C1} -> Adware.Starware : Cleaned with backup
HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{01EB5130-FC0C-4D75-B9CE-4801B1B854F5} -> Adware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{39C78B50-7E98-4AA0-B007-D83114EA6E0F} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9ADE0443-2AB2-4B23-A3F8-AC520773DE12} -> Adware.Begin2Search : Cleaned with backup
HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C5AF2622-8C75-4DFB-9693-23AB7686A456} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{CA356D79-679B-4B4C-8E49-5AF97014F4C1} -> Adware.Starware : Cleaned with backup
HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D49E9D35-254C-4C6A-9D17-95018D228FF5} -> Adware.Starware : Cleaned with backup
C:\!PeperFix\Bxe0n.exe -> Downloader.VB.em : Cleaned with backup
C:\!PeperFix\Eah1q5.exe -> Downloader.VB.em : Cleaned with backup
C:\!PeperFix\Fah1q5.exe -> Downloader.VB.em : Cleaned with backup
C:\!PeperFix\Hjq2.exe -> Downloader.VB.em : Cleaned with backup
C:\!PeperFix\Oval63H.exe -> Backdoor.VB.oq : Cleaned with backup
C:\!PeperFix\PikqWgD1.exe -> Backdoor.VB.nb : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rukk.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\Documents and Settings\Malcom\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-6f9d0b9-72d4ff43.class -> Not-A-Virus.Exploit.JS.ScriptSrc.a : Cleaned with backup
C:\Documents and Settings\Malcom\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-53b42299-2db7412f.zip/web.exe -> Trojan.Revop.e : Error during cleaning
C:\Documents and Settings\Malcom\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\arc.zip-53b4229a-34878864.zip/web.exe -> Trojan.Revop.e : Error during cleaning
C:\Documents and Settings\Malcom\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][2].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][2].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][2].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][2].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\malcom@click2begin[1].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\malcom@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\malcom@hypertracker[2].txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][1].txt -> TrackingCookie.Top-banners : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\malcom@paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\malcom@searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\malcom@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\malcom@web-stat[1].txt -> TrackingCookie.Web-stat : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][2].txt -> TrackingCookie.Adtrak : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][2].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][2].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][2].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][1].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][2].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\[email protected][1].txt -> TrackingCookie.Click2begin : Cleaned with backup
C:\Documents and Settings\Malcom\Cookies\malcom@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Malcom\Local Settings\Temp\f284959.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\Documents and Settings\Malcom\Local Settings\Temp\F6E7.tmp/drwst.exe -> Adware.MDH : Error during cleaning
C:\Documents and Settings\Malcom\Local Settings\Temp\F8C4.tmp/drwst.exe -> Adware.MDH : Error during cleaning
C:\Documents and Settings\Malcom\Local Settings\Temp\ICD1.tmp\elite.ocx -> Adware.MediaMotor : Cleaned with backup
C:\Documents and Settings\Malcom\Local Settings\Temp\mndcntas.tmp -> Adware.SafeSurfing : Cleaned with backup
C:\Documents and Settings\Malcom\Local Settings\Temporary Internet Files\Content.IE5\3A47RHG1\newfrn[1].exe -> Hijacker.VB.is : Cleaned with backup
C:\Documents and Settings\Malcom\Local Settings\Temporary Internet Files\Content.IE5\XDK2KJ9V\install[1].exe -> Trojan.SecondThought.c : Cleaned with backup
C:\install_tag002.exe -> Adware.PurityScan : Cleaned with backup
C:\Program Files\Jalmp\jalmp.dll -> Adware.Suggestor : Cleaned with backup
C:\Program Files\MaxSpeed -> Adware.SideFind : Cleaned with backup
C:\Program Files\nrpn\osoa.exe -> Downloader.PurityScan.be : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP428\A0025520.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP430\A0025572.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP431\A0025590.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP433\A0025633.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP434\A0025684.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP436\A0025786.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP438\A0025838.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP439\A0025889.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP446\A0026186.dll -> Adware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP446\A0026189.dll -> Adware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP446\A0026190.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP447\A0026246.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP447\A0026248.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026271.exe -> Downloader.Qoologic.al : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026276.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026277.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026281.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026282.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026292.exe -> Downloader.Dyfuca.ei : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026293.dll -> Downloader.Qoologic.ae : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026294.cpl -> Downloader.Qoologic.ad : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026295.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026299.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026314.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026316.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026317.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026319.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026332.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026334.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026335.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026337.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026354.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026355.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026356.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP448\A0026357.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP449\A0026379.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP449\A0026380.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP449\A0026382.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP449\A0026383.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP449\A0026402.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP449\A0026403.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP449\A0026404.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP449\A0026405.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP449\A0026421.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP449\A0026422.dll -> Adware.HotSearchBar : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP449\A0026428.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP450\A0026434.dll -> Adware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP450\A0026447.dll -> Adware.Sud : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP450\A0026451.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP450\A0026453.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP450\A0026455.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP450\A0026457.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026473.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026475.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026476.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026478.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026494.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026495.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026496.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026497.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026510.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026511.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026512.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026513.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026527.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026531.dll -> Adware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026537.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026542.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026543.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026544.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026545.exe -> Downloader.VB.em : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026546.exe -> Backdoor.VB.oq : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026547.exe -> Backdoor.VB.nb : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026551.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026552.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026553.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP451\A0026554.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP452\A0026572.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP452\A0026573.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP452\A0026574.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP452\A0026575.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP452\A0026591.dll -> Adware.Comet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP452\A0026595.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP452\A0026598.exe -> Downloader.Dyfuca.ei : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP452\A0026599.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP452\A0026606.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP452\A0026607.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP452\A0026608.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP453\A0026743.dll -> Hijacker.Small.jf : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP453\A0026760.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP453\A0026761.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP453\A0026762.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP453\A0026778.exe -> Adware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP453\A0026779.exe -> Downloader.Small.bmx : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP454\A0026787.exe -> Downloader.Qoologic.al : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP454\A0026791.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP454\A0026793.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP454\A0026795.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP454\A0026807.exe -> Adware.EZula : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026816.dll -> Hijacker.Small.jf : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026820.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026822.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026823.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026824.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026840.dll -> Hijacker.Small.jf : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026844.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026845.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026846.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026857.dll -> Hijacker.Small.jf : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026861.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026862.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026863.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026882.dll -> Hijacker.Small.jf : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026886.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026888.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026889.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026890.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026907.dll -> Hijacker.Small.jf : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026911.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026912.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026913.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026930.dll -> Adware.Sud : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026931.dll -> Adware.Sud : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026932.dll -> Adware.Mirar : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026933.cpl -> Downloader.Qoologic.ad : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026939.dll -> Hijacker.Small.jf : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026940.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026944.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026945.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\A0026955.dll -> Hijacker.Small.jf : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP455\snapshot\MFEX-1.DAT -> Hijacker.Small.jf : Cleaned with backup
C:\WINDOWS\876057.exe -> Adware.Mirar : Cleaned with backup
C:\WINDOWS\DH.dll -> Hijacker.Small.jf : Cleaned with backup
C:\WINDOWS\DH.dll_tobedeleted -> Hijacker.Small.jf : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\elite.ocx -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\elite.ocx -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\elite.ocx -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\elite.ocx -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\elite.ocx -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\elite.ocx -> Adware.MediaMotor : Cleaned with backup
C:\WINDOWS\elitemediapop.exe -> Trojan.LowZones.am : Cleaned with backup
C:\WINDOWS\htwfdr.exe -> Downloader.Small.bmx : Cleaned with backup
C:\WINDOWS\JUSTIN2.exe -> Adware.EZula : Cleaned with backup
C:\WINDOWS\m7.exe -> Downloader.Swizzor.bt : Cleaned with backup
C:\WINDOWS\SYSTEM32\ad.html -> Hijacker.Agent.e : Cleaned with backup
C:\WINDOWS\SYSTEM32\adsmsext.exe -> Adware.UrlSpy : Cleaned with backup
C:\WINDOWS\SYSTEM32\BROWSEUI.exe -> Adware.IEDriver : Cleaned with backup
C:\WINDOWS\SYSTEM32\CCFGNT30.exe -> Adware.UrlSpy : Cleaned with backup
C:\WINDOWS\SYSTEM32\CDDBUIRo.exe -> Adware.UrlSpy : Cleaned with backup
C:\WINDOWS\SYSTEM32\CDOSYS79.exe -> Downloader.Agent.adz : Cleaned with backup
C:\WINDOWS\SYSTEM32\dwdsregt.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\dxnnbrx.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\SYSTEM32\ernnj.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\SYSTEM32\ffjjskf.dll -> Downloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\SYSTEM32\hpsw.exe -> Adware.Suggestor : Cleaned with backup
C:\WINDOWS\SYSTEM32\iqo.dll -> Adware.PurityScan : Cleaned with backup
C:\WINDOWS\SYSTEM32\irismon.dll -> Adware.SafeSurfing : Cleaned with backup
C:\WINDOWS\SYSTEM32\irssyncd.exe -> Adware.SafeSurfing : Cleaned with backup
C:\WINDOWS\SYSTEM32\kwinksap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\kwinlsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\kwinrsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\lwinksap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\lwinlsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\mwinlsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\mwinnap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\owintsap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\pwinksap.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\rjdsregq.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\rjdsregr.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\rkdsregm.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\rqdsregj.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\rsdsregq.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\SWRT01.dll -> Adware.VirtualBouncer : Cleaned with backup
C:\WINDOWS\SYSTEM32\sxggl4.exe -> Downloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\SYSTEM32\wallpap.exe -> Hijacker.Agent.gp : Cleaned with backup
C:\WINDOWS\SYSTEM32\wgaap.dat -> Downloader.Qoologic.ac : Cleaned with backup
C:\WINDOWS\SYSTEM32\wgse.exe -> Trojan.Runner.h : Cleaned with backup
C:\WINDOWS\SYSTEM32\WinATS.dll -> Adware.Mirar : Cleaned with backup
C:\WINDOWS\SYSTEM32\WinNB57.dll -> Adware.Mirar : Cleaned with backup
C:\WINDOWS\SYSTEM32\wuauclt.dll -> Downloader.Qoologic.ae : Cleaned with backup
C:\WINDOWS\SYSTEM32\wuauclt.dll_tobedeleted -> Downloader.Qoologic.ae : Cleaned with backup
C:\WINDOWS\wsem217.dll -> Downloader.Dyfuca.cn : Cleaned with backup
C:\WINDOWS\ZIFI002.exe -> Adware.ZenoSearch : Cleaned with backup
::Report End
#10
Posted 18 February 2006 - 02:41 PM

That sure cleaned up a lot
You have a LOP infection among other things:
A. First we will try and find some of the elements of the infection. If they are present, I will provide the necessary directions to remove them in the next post.
- Open notepad
- Copy and paste the text contained in the Code box into the new Notepad file:
dir %Windir%\tasks /a h > files.txt
notepad files.txt
- Save this as findjobs.bat, choose to save it as *all files and place it on your desktop.
- Double-click on findjobs.bat and post the content of the text file you get in your next reply.
B. 1. I want you to UNINSTALL the following programs through the ADD/REMOVE feature of your Control Panel:
SpySpotter
2. Now, using Windows Explorer, I need you to DELETE the following folder(s) and all their content:
C:\Program Files\SpySpotter
3. REBOOT your system
4. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review along with the log from the findjobs.bat.
Regards,
Trevuren
#11
Posted 18 February 2006 - 02:51 PM

I copied the code into notepad and saved it, clicked on it and it opened up a window:
Volume in drive C has no label.
Volume Serial Number is EC66-C960
Directory of C:\WINDOWS\tasks
11/16/2004 09:27 AM <DIR> .
11/16/2004 09:27 AM <DIR> ..
08/29/2002 01:00 AM 65 DESKTOP.INI
01/28/2006 07:21 AM 466 Norton AntiVirus - Scan my computer.job
02/18/2006 10:21 AM 6 SA.DAT
02/18/2006 08:28 AM 366 Symantec NetDetect.job
4 File(s) 903 bytes
Directory of C:\Documents and Settings\Malcom\Desktop
When I went into Add/Remove Programs, SpySpotter wasn't there. Norton AntiVirus also picked up a virus, Trojan.Adclicker.
#12
Posted 18 February 2006 - 03:07 PM

The LOP infection must be running under a different profile. Please run this program which should tell us where it is:
* Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.
*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
Regards,
Trevuren
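An added example for readers working through logs like the one requested above; it is not part of this thread and not code from Silent Runners itself. Silent Runners prints one line per autostart value in the form "ValueName" = "command" [tag], where the bracketed tag is what it found in the target file's version resource: [MS] for files whose company string is Microsoft, ["Some Company"] for any other CompanyName string, and markers such as [null data], [empty string] or [file not found] when there is no version information or no file at all. The script below parses that format (Run keys, BHO "->" lines, Startup-folder shortcuts and scheduled tasks) and sorts entries into "suspicious", "check" and "ok". The sample log embedded in it is constructed to mirror the format, and the KNOWN_VENDORS allowlist is an assumption for illustration. The caveat it encodes is the one a helper has to keep in mind: the company name in brackets is only a string from the PE version resource, not a signature check, so an unfamiliar vendor means "look it up", while entries with no file or no version data are the ones to examine first.

```python
"""Triage a Silent Runners-style autostart listing.

Each entry line looks like   "ValueName" = "command line" [tag]
where [tag] is [MS], ["CompanyName"], or a marker such as [null data],
[empty string] or [file not found].  Entries are sorted into
"suspicious" (no file / no version data), "check" (a CompanyName string
outside an allowlist) and "ok".  Example code, not Silent Runners itself.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# One entry line: Run values ("X" = "..."), BHO file lines ("-> {CLSID}\... = ..."),
# Startup-folder shortcuts ("X" -> shortcut to: "...") and tasks ("X" -> launches: "...").
ENTRY_RE = re.compile(
    r'^(?:->\s*)?(?P<name>.+?)(?: = | -> (?:shortcut to|launches): )'
    r'"(?P<value>.*)" \[(?P<tag>[^\]]*)\]\s*$')
# Registry key or folder header such as "HKLM\SOFTWARE\...\Run\ {++}".
SECTION_RE = re.compile(r'^(?P<key>(?:HK(?:LM|CU)|[A-Z]:)\\\S.*?)\s*(?:\{\+\+\})?\s*$')

# Tags meaning Silent Runners found no file, or a file without a version resource.
NO_FILE_TAGS = {"file not found", "null data", "empty string", "** WMI GetObject error **"}

# ASSUMED allowlist for illustration: CompanyName strings this user expects to see.
# CompanyName is plain text in the PE version resource, not a signature, so a
# vendor outside this set means "look it up", not "malicious".
KNOWN_VENDORS = {"Symantec Corporation", "ATI Technologies, Inc.", "Apple Computer, Inc.",
                 "Google Inc.", "Adobe Systems Incorporated", "RealNetworks, Inc."}


@dataclass
class Entry:
    section: str
    name: str
    value: str
    tag: str
    verdict: str  # "ok", "check" or "suspicious"


def classify(tag: str) -> str:
    """Map a Silent Runners tag to a triage verdict."""
    if tag == "MS":
        return "ok"
    if tag in NO_FILE_TAGS:
        return "suspicious"
    if len(tag) > 1 and tag.startswith('"') and tag.endswith('"'):
        return "ok" if tag.strip('"') in KNOWN_VENDORS else "check"
    return "check"


def parse(log: str) -> list[Entry]:
    entries: list[Entry] = []
    section = parent = ""
    for raw in log.splitlines():
        line = raw.strip()
        m, s = ENTRY_RE.match(line), SECTION_RE.match(line)
        if m:
            if m["tag"] == "from CLSID":  # BHO title line; its file follows on a "->" line
                parent = m["name"].removesuffix(r"\(Default)")
                continue
            name = parent if (line.startswith("->") and parent) else m["name"].strip('"')
            parent = ""
            entries.append(Entry(section, name, m["value"], m["tag"], classify(m["tag"])))
        elif s:
            section = s["key"]
        elif line.endswith(":"):  # report heading such as "Enabled Scheduled Tasks:"
            section = line.rstrip(":")
        elif line.endswith("= (no title provided)"):
            parent = line.split(" = ")[0].removesuffix(r"\(Default)")
        elif line.endswith("= (value not set)"):
            # A Run value with no data is a leftover worth noting (e.g. a partial removal).
            entries.append(Entry(section, line.split(" = ")[0].strip('"'),
                                 "", "(value not set)", "suspicious"))
    return entries


def suspicious(log: str) -> list[str]:
    """Names of the entries a helper should look at first, in log order."""
    return [e.name for e in parse(log) if e.verdict == "suspicious"]


def report(log: str) -> str:
    entries = parse(log)
    return "\n".join(f"{v:<10} {e.name:<42} {e.value}  [{e.tag}]  ({e.section})"
                     for v in ("suspicious", "check", "ok") for e in entries if e.verdict == v)


# Constructed sample in the Silent Runners format (not a real capture).
SAMPLE_LOG = r'''
Startup items buried in registry:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Kodwemh" = (value not set)
"DHaxi.exe" = "C:\WINDOWS\system32\DHaxi.exe" [null data]
"Ncao" = ""C:\WINDOWS\system32\YSTEM3~1\regedit.exe" -vt ndrv" [** WMI GetObject error **]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"Bakra" = "C:\WINDOWS\System32\IEHost35.exe" ["CSL"]
"Wipe Bows" = "C:\PROGRA~1\Hide Hole Bore\Cash Shim.exe" [null data]
"SpySpotter System Defender" = "C:\Program Files\SpySpotter3\Defender.exe -startup" [file not found]
"wsecure" = ""C:\WINDOWS\system32\onqkow.exe"" [empty string]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{70F6A776-579A-4C95-BA88-134253907752}\(Default) = "RieMon Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\irsmyhtg.dll" [empty string]
Startup items in "Malcom" & "All Users" startup folders:
C:\Documents and Settings\Malcom\Start Menu\Programs\Startup
"Zeno" -> shortcut to: "C:\WINDOWS\SYSTEM32\pwinksai.exe FI002" [empty string]
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
Enabled Scheduled Tasks:
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
'''

if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Running it prints the "suspicious" group first (the value with no data, the three Run entries with no version information, the dead SpySpotter entry, the BHO whose DLL has no version resource, and the Zeno shortcut), then "check" for Bakra, whose file carries a company string the allowlist does not know. The "ok" group is only as good as the allowlist and the version-resource strings behind it; anything that pastes a real vendor's CompanyName into its own binary lands there too, which is why a helper still looks at paths and file names rather than trusting the tag alone.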
#13
Posted 18 February 2006 - 03:17 PM

"Silent Runners.vbs", revision 43, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"Kodwemh" = (value not set)
"DHaxi.exe" = "C:\WINDOWS\system32\DHaxi.exe" [null data]
"Ncao" = ""C:\WINDOWS\system32\YSTEM3~1\regedit.exe" -vt ndrv" [** WMI GetObject error **]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIModeChange" = "Ati2mdxx.exe" ["ATI Technologies, Inc."]
"BCMSMMSG" = "BCMSMMSG.exe" ["Broadcom Corporation"]
"Apoint" = "C:\Program Files\Apoint\Apoint.exe" ["Alps Electric Co., Ltd."]
"bacstray" = "BacsTray.exe" ["Broadcom Corporation"]
"ATIPTA" = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" ["ATI Technologies, Inc."]
"Dell QuickSet" = "C:\Program Files\Dell\QuickSet\QuickSet.exe" [empty string]
"DVDSentry" = "C:\WINDOWS\System32\DSentry.exe" ["Dell - Advanced Desktop Engineering"]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"ccRegVfy" = ""C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"" ["Symantec Corporation"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"AdaptecDirectCD" = ""C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"" ["Roxio"]
"WLANSTA.EXE" = "WLANSTA.EXE START" ["NETGEAR"]
"Bakra" = "C:\WINDOWS\System32\IEHost35.exe" ["CSL"]
"Wipe Bows" = "C:\PROGRA~1\Hide Hole Bore\Cash Shim.exe" [null data]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"SpySpotter System Defender" = "C:\Program Files\SpySpotter3\Defender.exe -startup" [file not found]
"wversion" = ""C:\WINDOWS\system32\weather.exe " " [empty string]
"wsecure" = ""C:\WINDOWS\system32\onqkow.exe"" [empty string]
"BrowserUpdateSched" = "C:\WINDOWS\SYSTEM32\pwinksai.exe FI002" [empty string]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
{70F6A776-579A-4C95-BA88-134253907752}\(Default) = "RieMon Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\irsmyhtg.dll" [empty string]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "NAV Helper"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
{E57B54CD-EC25-95D5-7DE7-BC9EFC3657CE}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\iqo.dll" [file not found]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshellext.dll" ["RealNetworks"]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{5E44E225-A408-11CF-B581-008029601108}" = "Adaptec DirectCD Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Roxio\EASYCD~1\DirectCD\Shellex.dll" ["Roxio"]
"{acb4a560-3606-11d3-aef4-00104bd0f92d}" = "KodakShellExtension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\KODAK\IFSCore\kodakshx.dll" ["Eastman Kodak Company"]
"{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/html\CLSID = "{2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Jalmp\jalmp.dll" [file not found]
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
msnnftsg\(Default) = "{ce34e724-dce2-43c8-8c9b-d9002d525060}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\ernnj.dll" [file not found]
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-malware\context.dll" ["ewido networks"]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
Symantec.Norton.Antivirus.IEContextMenu\(Default) = "{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is enabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Software\Microsoft\Internet Explorer\Desktop\General\
"Wallpaper" = "C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"
Active Desktop web content:
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0\
"FriendlyName" = ""
"Source" = "C:\WINDOWS\system32\ad.html"
"SubscribedURL" = ""
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\1\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\scrnsave.scr" [MS]
Startup items in "Malcom" & "All Users" startup folders:
--------------------------------------------------------
C:\Documents and Settings\Malcom\Start Menu\Programs\Startup
"Zeno" -> shortcut to: "C:\WINDOWS\SYSTEM32\pwinksai.exe FI002" [empty string]
"Z_Start" -> shortcut to: "C:\WINDOWS\SYSTEM32\dwdsregt.exe FI002" [file not found]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Adobe Reader Speed Launch" -> shortcut to: "C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe" ["Adobe Systems Incorporated"]
"DllCmd32" -> shortcut to: "C:\jetsuite\DLLCMD32.EXE" ["JetFax Inc."]
"HP LaserJet 3100 Status" -> shortcut to: "C:\jetsuite\JETSTAT.EXE" ["JetFax Inc."]
"Kodak EasyShare software" -> shortcut to: "C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe -h" ["Eastman Kodak Company"]
Enabled Scheduled Tasks:
------------------------
"Norton AntiVirus - Scan my computer" -> launches: "C:\PROGRA~1\NORTON~1\NAVW32.exe /task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 21
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}" = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}" = "&Google" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
Explorer Bars
HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\ = "&Research" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL" [MS]
HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\ = "Real.com" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [file not found]
{120E090D-9136-4B78-8258-F0B44B4BD2AC}\
"MenuText" = "MaxSpeed"
"Exec" = "C:\WINDOWS\System32\maxspeed.exe" [file not found]
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"
{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]
Miscellaneous IE Hijack Points
------------------------------
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
Missing lines (compared with English-language version):
"{E57B54CD-EC25-95D5-7DE7-BC9EFC3657CE}" = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\iqo.dll" [file not found]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido anti-malware\ewidoguard.exe" ["ewido networks"]
jsdaemon, jsdaemon, "c:\jetsuite\jsdaemon.exe" ["JetFax, Inc."]
Kodak Camera Connection Software, KodakCCS, "C:\WINDOWS\system32\drivers\KodakCCS.exe" ["Eastman Kodak Company"]
Machine Debug Manager, MDM, ""C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"" [MS]
MSSQL$MICROSOFTBCM, MSSQL$MICROSOFTBCM, "C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe -sMICROSOFTBCM" [MS]
Norton AntiVirus Auto Protect Service, navapsvc, ""C:\Program Files\Norton AntiVirus\navapsvc.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
WLTRYSVC, WLTRYSVC, "C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe" [null data]
Print Monitors:
---------------
HKLM\System\CurrentControlSet\Control\Print\Monitors\
HPLJ3100 Port\Driver = "jsmuxmon.dll" ["JetFax Inc."]
Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 32 seconds, including 14 seconds for message boxes)
#14
Posted 18 February 2006 - 04:06 PM

1. Would you please login under Administrator and run the bat file that I previously posted. Then please copy/paste the results into your reply.
2. Please download WebRoot SpySweeper from HERE (It's a 14-day trial):
- Click Download Now to download the program.
- Install it. Once the program is installed, it will open.
- It will prompt you to update to the latest definitions, click Yes.
- Once the definitions are installed, click Options on the left side.
- Click the Sweep Options tab.
- Under What to Sweep please put a check next to the following:
- Sweep Memory
- Sweep Registry
- Sweep Cookies
- Sweep All User Accounts
- Enable Direct Disk Sweeping
- Sweep Contents of Compressed Files
- Sweep for Rootkits
- Please UNCHECK Do not Sweep System Restore Folder.
- Click Sweep Now on the left side.
- Click the Start button.
- When it's done scanning, click the Next button.
- Make sure everything has a check next to it, then click the Next button.
- It will remove all of the items found.
- Click Session Log in the upper right corner, copy everything in that window.
- Click the Summary tab and click Finish.
- Paste the contents of the session log you copied into your next reply along with a fresh HJT log
Trevuren
#15
Posted 20 February 2006 - 01:54 PM

********
9:22 AM: | Start of Session, Monday, February 20, 2006 |
9:22 AM: Spy Sweeper started
9:22 AM: Sweep initiated using definitions version 617
9:22 AM: Starting Memory Sweep
9:26 AM: Memory Sweep Complete, Elapsed Time: 00:04:28
9:26 AM: Starting Registry Sweep
9:27 AM: Registry Sweep Complete, Elapsed Time:00:00:19
9:27 AM: Starting Cookie Sweep
9:27 AM: Found Spy Cookie: hbmediapro cookie
9:27 AM: malcom@hbmediapro[2].txt (ID = 2768)
9:27 AM: Found Spy Cookie: oinadserve cookie
9:27 AM: malcom@oinadserve[2].txt (ID = 3091)
9:27 AM: Found Spy Cookie: zenotecnico cookie
9:27 AM: malcom@zenotecnico[1].txt (ID = 3858)
9:27 AM: Cookie Sweep Complete, Elapsed Time: 00:00:01
9:27 AM: Starting File Sweep
9:28 AM: Found Adware: internet washer
9:28 AM: a0027045.exe (ID = 63994)
9:28 AM: Found Adware: elitemediagroup-pop64
9:28 AM: a0027044.exe (ID = 244416)
9:31 AM: a0026373.exe (ID = 244416)
9:31 AM: a0026290.exe (ID = 244416)
9:31 AM: a0026431.exe (ID = 244416)
9:31 AM: Found Adware: purityscan
9:31 AM: a0026784.exe (ID = 213484)
9:34 AM: Found Adware: deskwizz
9:34 AM: a0027043.dll (ID = 233175)
9:36 AM: a0026878.exe (ID = 244416)
9:36 AM: a0026467.exe (ID = 244416)
9:39 AM: a0026781.exe (ID = 213483)
9:40 AM: Found Adware: zipclix
9:40 AM: a0027049.exe (ID = 91180)
9:40 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
9:40 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
9:43 AM: a0026809.exe (ID = 244416)
9:43 AM: Found Adware: starware toolbar
9:43 AM: a0026536.exe (ID = 235200)
9:43 AM: a0026268.exe (ID = 185456)
9:43 AM: a0026586.exe (ID = 244416)
9:43 AM: Found Adware: quicklink search toolbar
9:43 AM: a0027040.cfg (ID = 208796)
9:43 AM: a0026783.exe (ID = 244416)
9:43 AM: Found Adware: ie driver
9:43 AM: a0027036.exe (ID = 63150)
9:44 AM: a0026487.exe (ID = 244416)
9:44 AM: a0027039.exe (ID = 213484)
9:44 AM: a0027035.exe (ID = 63051)
9:45 AM: Found Adware: safesearch
9:45 AM: a0027042.dll (ID = 246679)
9:45 AM: Found Adware: wfgtech
9:45 AM: a0027046.dll (ID = 242384)
9:46 AM: a0027038.exe (ID = 213483)
9:46 AM: Found Adware: zenosearchassistant
9:46 AM: a0026196.cfg (ID = 91140)
9:46 AM: a0026296.cfg (ID = 91140)
9:46 AM: a0026247.cfg (ID = 91140)
9:46 AM: a0026446.cfg (ID = 91140)
9:46 AM: a0026529.cfg (ID = 91140)
9:46 AM: a0026256.cfg (ID = 91140)
9:46 AM: mfex-10.dat (ID = 91140)
9:46 AM: a0026184.cfg (ID = 91140)
9:46 AM: a0026425.cfg (ID = 91140)
9:46 AM: a0026541.cfg (ID = 91140)
9:46 AM: a0026935.cfg (ID = 91140)
9:46 AM: a0027027.cfg (ID = 91140)
9:46 AM: Found Adware: java byteverify
9:46 AM: arc.zip-53b4229a-34878864.zip (ID = 64824)
9:46 AM: arc.zip-53b42299-2db7412f.zip (ID = 64824)
9:46 AM: Warning: Invalid file - not a PKZip file
9:46 AM: File Sweep Complete, Elapsed Time: 00:19:24
9:46 AM: Full Sweep has completed. Elapsed time 00:24:17
9:46 AM: Traces Found: 41
9:50 AM: Removal process initiated
9:50 AM: Quarantining All Traces: ie driver
9:51 AM: Quarantining All Traces: purityscan
9:51 AM: Quarantining All Traces: quicklink search toolbar
9:51 AM: Quarantining All Traces: safesearch
9:51 AM: Quarantining All Traces: starware toolbar
9:51 AM: Quarantining All Traces: deskwizz
9:51 AM: Quarantining All Traces: elitemediagroup-pop64
9:51 AM: Quarantining All Traces: internet washer
9:51 AM: Quarantining All Traces: java byteverify
9:51 AM: Quarantining All Traces: wfgtech
9:51 AM: Quarantining All Traces: zenosearchassistant
9:51 AM: Quarantining All Traces: zipclix
9:51 AM: Quarantining All Traces: hbmediapro cookie
9:51 AM: Quarantining All Traces: oinadserve cookie
9:51 AM: Quarantining All Traces: zenotecnico cookie
9:51 AM: Removal process completed. Elapsed time 00:00:19
********
1:31 PM: | Start of Session, Saturday, February 18, 2006 |
1:31 PM: Spy Sweeper started
1:31 PM: Sweep initiated using definitions version 617
1:31 PM: Starting Memory Sweep
1:31 PM: Found Adware: purityscan
1:31 PM: Detected running threat: C:\WINDOWS\system32\ewnjqt.dll (ID = 230)
1:31 PM: Found Adware: safesearch
1:31 PM: Detected running threat: C:\WINDOWS\system32\irsmyhtg.dll (ID = 246679)
1:33 PM: Found Adware: ie driver
1:33 PM: Detected running threat: C:\WINDOWS\SYSTEM32\iehost35.exe (ID = 63051)
1:33 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || Bakra (ID = 0)
1:35 PM: Detected running threat: C:\WINDOWS\SYSTEM32\?ystem32\regedit.exe (ID = 230)
1:35 PM: Memory Sweep Complete, Elapsed Time: 00:04:12
1:35 PM: Starting Registry Sweep
1:35 PM: Found Trojan Horse: 2nd-thought
1:35 PM: HKCR\clsid\{8940e505-72c6-44de-be85-1d746780efbf}\ (13 subtraces) (ID = 101977)
1:35 PM: HKCR\interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}\ (7 subtraces) (ID = 101978)
1:35 PM: HKCR\interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273}\ (8 subtraces) (ID = 101979)
1:35 PM: HKCR\interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}\ (7 subtraces) (ID = 101980)
1:35 PM: HKCR\interface\{49db48ff-02b5-4645-b676-94a4df1aa026}\ (7 subtraces) (ID = 101981)
1:35 PM: HKCR\interface\{830d3aed-2fa9-454f-b266-d931862bbf34}\ (7 subtraces) (ID = 101982)
1:35 PM: HKCR\interface\{a986f4db-792e-4571-8974-0bb6e024766f}\ (7 subtraces) (ID = 101983)
1:35 PM: HKCR\interface\{bccab53d-0895-40c3-a942-a03538ce227a}\ (7 subtraces) (ID = 101984)
1:35 PM: HKCR\interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}\ (7 subtraces) (ID = 101985)
1:35 PM: HKCR\interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}\ (7 subtraces) (ID = 101986)
1:35 PM: HKLM\software\classes\interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}\ (7 subtraces) (ID = 101993)
1:35 PM: HKLM\software\classes\interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273}\ (8 subtraces) (ID = 101994)
1:35 PM: HKLM\software\classes\interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}\ (7 subtraces) (ID = 101995)
1:35 PM: HKLM\software\classes\interface\{49db48ff-02b5-4645-b676-94a4df1aa026}\ (7 subtraces) (ID = 101996)
1:35 PM: HKLM\software\classes\interface\{830d3aed-2fa9-454f-b266-d931862bbf34}\ (7 subtraces) (ID = 101997)
1:35 PM: HKLM\software\classes\interface\{a986f4db-792e-4571-8974-0bb6e024766f}\ (7 subtraces) (ID = 101998)
1:35 PM: HKLM\software\classes\interface\{bccab53d-0895-40c3-a942-a03538ce227a}\ (7 subtraces) (ID = 101999)
1:35 PM: HKLM\software\classes\interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}\ (7 subtraces) (ID = 102000)
1:35 PM: HKLM\software\classes\interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}\ (7 subtraces) (ID = 102001)
1:35 PM: Found Adware: hotbar
1:35 PM: HKLM\software\classes\spamblockerconfig.application\ (3 subtraces) (ID = 127536)
1:35 PM: HKCR\spamblockerconfig.application\ (3 subtraces) (ID = 127634)
1:35 PM: HKU\.default\software\microsoft\internet explorer\extensions\cmdmapping\ || {120e090d-9136-4b78-8258-f0b44b4bd2ac} (ID = 127909)
1:35 PM: HKLM\software\microsoft\internet explorer\extensions\{120e090d-9136-4b78-8258-f0b44b4bd2ac}\ (4 subtraces) (ID = 127931)
1:35 PM: HKLM\software\microsoft\windows\currentversion\run\ || bakra (ID = 127986)
1:35 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{8f9fbeb8-d216-4d6c-8d21-513157e09c0d}\ (2 subtraces) (ID = 128062)
1:35 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{120e090d-9136-4b78-8258-f0b44b4bd2ac}\ (2 subtraces) (ID = 128065)
1:35 PM: Found Adware: keyhost hijacker - jraun
1:35 PM: HKCR\clsid\{c1f444c9-d3c8-454c-9b4d-b4d18a7e70f4}\ (3 subtraces) (ID = 129589)
1:35 PM: HKCR\keyactivex.keyactivexctrl.1\ (3 subtraces) (ID = 129593)
1:35 PM: Found Adware: tibs dialer
1:35 PM: HKCR\interface\{db767162-0d30-4181-9ed6-8019f6452fff}\ (8 subtraces) (ID = 143694)
1:35 PM: HKLM\software\classes\interface\{db767162-0d30-4181-9ed6-8019f6452fff}\ (8 subtraces) (ID = 143720)
1:35 PM: Found Adware: virtualbouncer
1:35 PM: HKLM\software\classes\clsid\{8940e505-72c6-44de-be85-1d746780efbf}\ (13 subtraces) (ID = 145549)
1:35 PM: HKLM\software\classes\typelib\{5e594162-60a9-487d-84b8-dbdd716cb862}\ (9 subtraces) (ID = 145551)
1:35 PM: HKCR\typelib\{5e594162-60a9-487d-84b8-dbdd716cb862}\ (9 subtraces) (ID = 145565)
1:35 PM: Found Adware: zenosearchassistant
1:35 PM: HKLM\software\microsoft\windows\currentversion\app management\arpcache\zeno search assistant\ (2 subtraces) (ID = 147930)
1:35 PM: HKLM\software\microsoft\windows\currentversion\app management\arpcache\enhanced ads by zeno\ (2 subtraces) (ID = 147931)
1:35 PM: HKCR\clsid\{8551311d-f3bf-4718-ad66-96e302500735}\ (11 subtraces) (ID = 392235)
1:35 PM: HKLM\software\classes\clsid\{18bbdf4d-611d-41ce-a7e7-b2dd23c250d1}\ (11 subtraces) (ID = 392390)
1:35 PM: HKLM\software\classes\clsid\{8551311d-f3bf-4718-ad66-96e302500735}\ (11 subtraces) (ID = 476604)
1:35 PM: Found Adware: quicklink search toolbar
1:35 PM: HKLM\software\microsoft\windows\currentversion\uninstall\quicklinks\ (2 subtraces) (ID = 909558)
1:35 PM: Found Adware: surfassistant
1:35 PM: HKLM\software\surfassistant.com\ (5 subtraces) (ID = 911968)
1:35 PM: Found Adware: multidial
1:35 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/mfc42.dll\ || {fc87a650-207d-4392-a6a1-82adbc56fa64} (ID = 956094)
1:35 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/msvcrt.dll\ || {fc87a650-207d-4392-a6a1-82adbc56fa64} (ID = 956096)
1:35 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/olepro32.dll\ || {fc87a650-207d-4392-a6a1-82adbc56fa64} (ID = 956098)
1:35 PM: Found Adware: elitemediagroup-pop64
1:35 PM: HKCR\interface\{efdfe6ee-8888-422e-ab3c-b48589338ae3}\ (8 subtraces) (ID = 967541)
1:35 PM: HKLM\software\classes\interface\{efdfe6ee-8888-422e-ab3c-b48589338ae3}\ (8 subtraces) (ID = 967601)
1:35 PM: HKCR\spamblockerconfig.application.1\ (3 subtraces) (ID = 968312)
1:35 PM: HKLM\software\classes\spamblockerconfig.application.1\ (3 subtraces) (ID = 968867)
1:35 PM: HKLM\software\spamblockerutility\ (7 subtraces) (ID = 978182)
1:35 PM: HKLM\software\microsoft\windows\currentversion\uninstall\elitemediagroup\ (2 subtraces) (ID = 1015939)
1:35 PM: HKLM\software\microsoft\windows\currentversion\uninstall\elitemediagroupoin\ (2 subtraces) (ID = 1070163)
1:35 PM: Found Adware: deskwizz
1:35 PM: HKCR\adwerkz.adwkzctl\ (5 subtraces) (ID = 1113980)
1:35 PM: HKCR\adwerkz.adwkzctl.1\ (3 subtraces) (ID = 1113986)
1:35 PM: HKCR\clsid\{4ad73894-a895-4fc2-b233-299867e08753}\ (20 subtraces) (ID = 1113990)
1:35 PM: HKCR\typelib\{c1dca09c-9342-4ee5-85ba-bcdbc5cfed8e}\ (9 subtraces) (ID = 1114011)
1:35 PM: HKLM\software\classes\clsid\{4ad73894-a895-4fc2-b233-299867e08753}\ || appid (ID = 1114021)
1:35 PM: HKLM\software\classes\typelib\{c1dca09c-9342-4ee5-85ba-bcdbc5cfed8e}\ (9 subtraces) (ID = 1114040)
1:35 PM: HKLM\software\classes\adwerkz.adwkzctl\ (5 subtraces) (ID = 1114050)
1:35 PM: HKLM\software\classes\adwerkz.adwkzctl.1\ (3 subtraces) (ID = 1114056)
1:35 PM: HKLM\software\microsoft\code store database\distribution units\{9ac54695-69a4-46f1-be10-10c74f9520d5}\ (17 subtraces) (ID = 1122691)
1:35 PM: HKCR\permeation.permeater\ (3 subtraces) (ID = 1133968)
1:35 PM: HKCR\permeation.permeater.1\ (3 subtraces) (ID = 1133972)
1:35 PM: HKCR\permeation.trecker\ (3 subtraces) (ID = 1133976)
1:35 PM: HKCR\permeation.trecker.1\ (3 subtraces) (ID = 1133980)
1:35 PM: HKCR\clsid\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (10 subtraces) (ID = 1133998)
1:35 PM: HKCR\typelib\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (9 subtraces) (ID = 1134093)
1:35 PM: HKLM\software\classes\permeation.permeater\ (3 subtraces) (ID = 1134157)
1:35 PM: HKLM\software\classes\permeation.permeater.1\ (3 subtraces) (ID = 1134161)
1:35 PM: HKLM\software\classes\permeation.trecker\ (3 subtraces) (ID = 1134165)
1:35 PM: HKLM\software\classes\permeation.trecker.1\ (3 subtraces) (ID = 1134169)
1:35 PM: HKLM\software\classes\clsid\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (10 subtraces) (ID = 1134187)
1:35 PM: HKLM\software\classes\typelib\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (9 subtraces) (ID = 1134251)
1:35 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/elite.ocx\ (2 subtraces) (ID = 1137453)
1:35 PM: Found Adware: ezula ilookup
1:35 PM: HKCR\le.toy24.1\ (3 subtraces) (ID = 1157600)
1:35 PM: HKCR\onone.thegimp.1\ (3 subtraces) (ID = 1157610)
1:35 PM: HKLM\software\classes\le.toy24.1\ (3 subtraces) (ID = 1157656)
1:35 PM: HKLM\software\classes\onone.thegimp.1\ (3 subtraces) (ID = 1157666)
1:35 PM: HKLM\software\microsoft\bit1ocker\ || refresh_time (ID = 1157743)
1:35 PM: HKCR\protocols\filter\text/html\ || clsid (ID = 1158007)
1:35 PM: HKLM\software\classes\protocols\filter\text/html\ || clsid (ID = 1158008)
1:35 PM: HKCR\clsid\{70f6a776-579a-4c95-ba88-134253907752}\ (11 subtraces) (ID = 1160010)
1:35 PM: HKCR\typelib\{72ec96e8-30eb-4da8-9446-b4366bf00249}\ (9 subtraces) (ID = 1160022)
1:35 PM: HKCR\iman.riemon\ (5 subtraces) (ID = 1160080)
1:35 PM: HKCR\iman.riemon.1\ (3 subtraces) (ID = 1160086)
1:35 PM: HKLM\software\microsoft\windows\currentversion\app paths\irism\ (2 subtraces) (ID = 1160093)
1:35 PM: HKLM\software\microsoft\windows\currentversion\app paths\irssyncd\ (2 subtraces) (ID = 1160096)
1:35 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{70f6a776-579a-4c95-ba88-134253907752}\ (ID = 1160099)
1:35 PM: HKLM\software\irismon\ (18 subtraces) (ID = 1165615)
1:35 PM: HKLM\software\microsoft\windows\currentversion\uninstall\irismon\ (2 subtraces) (ID = 1165617)
1:35 PM: HKLM\software\classes\iman.riemon\ (5 subtraces) (ID = 1165636)
1:35 PM: HKLM\software\classes\iman.riemon.1\ (3 subtraces) (ID = 1165642)
1:35 PM: HKLM\software\classes\clsid\{70f6a776-579a-4c95-ba88-134253907752}\ (11 subtraces) (ID = 1165648)
1:35 PM: HKLM\software\classes\typelib\{72ec96e8-30eb-4da8-9446-b4366bf00249}\ (9 subtraces) (ID = 1165660)
1:35 PM: Found Adware: cws-aboutblank
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\internet explorer\main\ || search bar_bak (ID = 115924)
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\internet explorer\extensions\cmdmapping\ || {946b3e9e-e21a-49c8-9f63-900533fafe14} (ID = 127575)
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\internet explorer\extensions\cmdmapping\ || {e77eda01-3c56-4a96-8d08-02b42891c169} (ID = 127576)
1:35 PM: Found Adware: hotsurprise
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\wdwctrl\ (3 subtraces) (ID = 127798)
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\internet explorer\extensions\cmdmapping\ || {120e090d-9136-4b78-8258-f0b44b4bd2ac} (ID = 127930)
1:35 PM: Found Adware: isearch toolbar
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\internet explorer\extensions\cmdmapping\ || {1a00c40b-da85-4aa3-a67f-582d9347eecd} (ID = 129028)
1:35 PM: Found Adware: keenvalue/perfectnav
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\internet explorer\urlsearchhooks\ || _{5d60ff48-95be-4956-b4c6-6bb168a70310} (ID = 129470)
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\windows\currentversion\run\ || ncao (ID = 138536)
1:35 PM: Found Adware: searchbar.html hijack
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\internet explorer\main\ || search bar (ID = 140818)
1:35 PM: Found Adware: starware toolbar
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\internet explorer\toolbar\webbrowser\ || {d49e9d35-254c-4c6a-9d17-95018d228ff5} (ID = 142862)
1:35 PM: Found Adware: sidesearch
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
1:35 PM: Found Adware: qsearch
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\program info\ (ID = 1028138)
1:35 PM: Found Adware: starware.com hijack
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\internet explorer\searchurl\ (ID = 1061688)
1:35 PM: Found Adware: zquest
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\internet explorer\desktop\components\0\ || source (ID = 1140816)
1:35 PM: HKU\S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping\ || {120e090d-9136-4b78-8258-f0b44b4bd2ac} (ID = 127930)
1:35 PM: Registry Sweep Complete, Elapsed Time:00:00:18
1:35 PM: Starting Cookie Sweep
1:35 PM: Found Spy Cookie: primaryads cookie
1:35 PM: [email protected][2].txt (ID = 3190)
1:35 PM: Found Spy Cookie: 888 cookie
1:35 PM: malcom@888[1].txt (ID = 2019)
1:35 PM: malcom@888[2].txt (ID = 2019)
1:35 PM: Found Spy Cookie: websponsors cookie
1:35 PM: [email protected][2].txt (ID = 3665)
1:35 PM: Found Spy Cookie: yieldmanager cookie
1:35 PM: [email protected][1].txt (ID = 3751)
1:35 PM: Found Spy Cookie: adecn cookie
1:35 PM: malcom@adecn[2].txt (ID = 2063)
1:35 PM: Found Spy Cookie: adknowledge cookie
1:35 PM: malcom@adknowledge[1].txt (ID = 2072)
1:35 PM: Found Spy Cookie: hbmediapro cookie
1:35 PM: [email protected][2].txt (ID = 2768)
1:35 PM: Found Spy Cookie: cc214142 cookie
1:35 PM: [email protected][2].txt (ID = 2367)
1:35 PM: Found Spy Cookie: ask cookie
1:35 PM: malcom@ask[1].txt (ID = 2245)
1:35 PM: Found Spy Cookie: azjmp cookie
1:35 PM: malcom@azjmp[1].txt (ID = 2270)
1:35 PM: Found Spy Cookie: banners cookie
1:35 PM: malcom@banners[1].txt (ID = 2282)
1:35 PM: malcom@banners[2].txt (ID = 2282)
1:35 PM: malcom@banners[3].txt (ID = 2282)
1:35 PM: malcom@banners[4].txt (ID = 2282)
1:35 PM: malcom@banners[5].txt (ID = 2282)
1:35 PM: Found Spy Cookie: belnk cookie
1:35 PM: malcom@belnk[1].txt (ID = 2292)
1:35 PM: Found Spy Cookie: casalemedia cookie
1:35 PM: malcom@casalemedia[2].txt (ID = 2354)
1:35 PM: Found Spy Cookie: cassava cookie
1:35 PM: malcom@cassava[1].txt (ID = 2362)
1:35 PM: [email protected][2].txt (ID = 2293)
1:35 PM: Found Spy Cookie: elmer cookie
1:35 PM: malcom@elmer[1].txt (ID = 2601)
1:35 PM: Found Spy Cookie: exitexchange cookie
1:35 PM: malcom@exitexchange[2].txt (ID = 2633)
1:35 PM: malcom@hbmediapro[1].txt (ID = 2767)
1:35 PM: Found Spy Cookie: clickandtrack cookie
1:35 PM: [email protected][1].txt (ID = 2397)
1:35 PM: Found Spy Cookie: nextag cookie
1:35 PM: malcom@nextag[2].txt (ID = 5014)
1:35 PM: Found Spy Cookie: oinadserve cookie
1:35 PM: malcom@oinadserve[2].txt (ID = 3091)
1:35 PM: Found Spy Cookie: partypoker cookie
1:35 PM: malcom@partypoker[2].txt (ID = 3111)
1:35 PM: Found Spy Cookie: pro-market cookie
1:35 PM: malcom@pro-market[2].txt (ID = 3197)
1:35 PM: Found Spy Cookie: revenue.net cookie
1:35 PM: malcom@revenue[1].txt (ID = 3257)
1:35 PM: Found Spy Cookie: sirsearch cookie
1:35 PM: malcom@sirsearch[1].txt (ID = 3379)
1:35 PM: Found Spy Cookie: videodome cookie
1:35 PM: malcom@videodome[1].txt (ID = 3638)
1:35 PM: Found Spy Cookie: webpower cookie
1:35 PM: malcom@webpower[2].txt (ID = 3660)
1:35 PM: [email protected][2].txt (ID = 2020)
1:35 PM: Found Spy Cookie: redzip cookie
1:35 PM: [email protected][1].txt (ID = 3250)
1:35 PM: Found Spy Cookie: adserver cookie
1:35 PM: [email protected][1].txt (ID = 2142)
1:35 PM: Found Spy Cookie: zenotecnico cookie
1:35 PM: malcom@zenotecnico[1].txt (ID = 3858)
1:35 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
1:36 PM: Starting File Sweep
1:36 PM: Found Adware: netspry hijacker
1:36 PM: c:\program files\homepage (ID = -2147480543)
1:36 PM: c:\program files\jalmp (2 subtraces) (ID = -2147459072)
1:36 PM: c:\program files\lycos\sidesearch (ID = -2147480322)
1:36 PM: Found Adware: wild media - statblaster
1:36 PM: c:\program files\media\media (1 subtraces) (ID = -2147480222)
1:36 PM: Found Adware: delfin
1:36 PM: c:\program files\common files\dpi (ID = -2147481129)
1:36 PM: c:\documents and settings\all users\application data\pcsvc (23 subtraces) (ID = -2147481135)
1:36 PM: delfinst.ebd (ID = 57692)
1:36 PM: delfintg.ebd (ID = 57693)
1:36 PM: Found Adware: internet washer
1:36 PM: quick.exe (ID = 63994)
1:39 PM: Found Adware: 180search assistant/zango
1:39 PM: aurl.dat (ID = 70478)
1:40 PM: eliteunstall.exe (ID = 244416)
1:42 PM: setup.exe (ID = 63133)
1:42 PM: setup4.exe (ID = 63134)
1:43 PM: quick.dat (ID = 63993)
1:44 PM: adwerkz.dll (ID = 233175)
1:45 PM: elite.inf (ID = 187156)
1:46 PM: innervbinstall.log (ID = 82805)
1:49 PM: setup333.exe (ID = 63139)
1:50 PM: Found Adware: zipclix
1:50 PM: zipclix.exe (ID = 91180)
1:53 PM: arpf.cfg (ID = 208796)
1:53 PM: elitemediagroupoinuninstaller.exe (ID = 213484)
1:53 PM: terabyte.exe (ID = 63150)
1:53 PM: elite.inf (ID = 187156)
1:54 PM: iehost35.exe (ID = 63051)
1:54 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || Bakra (ID = 0)
1:54 PM: irsmyhtg.dll (ID = 246679)
1:54 PM: adwsetup_upd.exe (ID = 246178)
1:54 PM: Found Adware: wfgtech
1:54 PM: 0wsoyb02.dll (ID = 242384)
1:55 PM: z_start.lnk (ID = 235994)
1:55 PM: zeno.lnk (ID = 146127)
1:55 PM: yoinsi.exe (ID = 213483)
1:55 PM: delfindl.edx (ID = 57681)
1:55 PM: delfinid.edx (ID = 57691)
1:55 PM: delfinco.edx (ID = 57681)
1:55 PM: temp.frc157 (ID = 91140)
1:55 PM: delfinbd.edx (ID = 57681)
1:55 PM: delfined.edx (ID = 57681)
1:55 PM: delfinaf.edx (ID = 57679)
1:55 PM: delfinld.edx (ID = 57681)
1:55 PM: delfinky.edx (ID = 57685)
1:55 PM: delfinsi.edx (ID = 57691)
1:55 PM: office97.te (ID = 63987)
1:55 PM: temp.fr21ea (ID = 91140)
1:55 PM: temp.fra254 (ID = 91140)
1:55 PM: temp.fr8d6a (ID = 91140)
1:55 PM: setup.inf (ID = 76984)
1:55 PM: adwerkz.inf (ID = 233153)
1:55 PM: Sweep Canceled
1:55 PM: File Sweep Complete, Elapsed Time: 00:19:36
1:55 PM: Traces Found: 738
1:56 PM: Removal process initiated
1:56 PM: Quarantining All Traces: 180search assistant/zango
1:56 PM: Quarantining All Traces: 2nd-thought
1:56 PM: Quarantining All Traces: cws-aboutblank
1:56 PM: Quarantining All Traces: ie driver
1:56 PM: ie driver is in use. It will be removed on reboot.
1:56 PM: iehost35.exe is in use. It will be removed on reboot.
1:56 PM: Quarantining All Traces: purityscan
1:56 PM: Quarantining All Traces: qsearch
1:56 PM: Quarantining All Traces: delfin
1:56 PM: Quarantining All Traces: hotbar
1:56 PM: Quarantining All Traces: hotsurprise
1:56 PM: Quarantining All Traces: isearch toolbar
1:56 PM: Quarantining All Traces: netspry hijacker
1:56 PM: Quarantining All Traces: quicklink search toolbar
1:56 PM: Quarantining All Traces: safesearch
1:56 PM: safesearch is in use. It will be removed on reboot.
1:56 PM: irsmyhtg.dll is in use. It will be removed on reboot.
1:56 PM: Quarantining All Traces: sidesearch
1:56 PM: Quarantining All Traces: starware toolbar
1:56 PM: Quarantining All Traces: tibs dialer
1:56 PM: Quarantining All Traces: zquest
1:56 PM: Quarantining All Traces: deskwizz
1:56 PM: Quarantining All Traces: elitemediagroup-pop64
1:56 PM: Quarantining All Traces: ezula ilookup
1:56 PM: Quarantining All Traces: internet washer
1:56 PM: Quarantining All Traces: keenvalue/perfectnav
1:56 PM: Quarantining All Traces: keyhost hijacker - jraun
1:56 PM: Quarantining All Traces: multidial
1:56 PM: Quarantining All Traces: searchbar.html hijack
1:56 PM: Quarantining All Traces: starware.com hijack
1:56 PM: Quarantining All Traces: surfassistant
1:56 PM: Quarantining All Traces: virtualbouncer
1:56 PM: Quarantining All Traces: wfgtech
1:56 PM: Quarantining All Traces: wild media - statblaster
1:56 PM: Quarantining All Traces: zenosearchassistant
1:56 PM: Quarantining All Traces: zipclix
1:56 PM: Quarantining All Traces: 888 cookie
1:56 PM: Quarantining All Traces: adecn cookie
1:56 PM: Quarantining All Traces: adknowledge cookie
1:56 PM: Quarantining All Traces: adserver cookie
1:56 PM: Quarantining All Traces: ask cookie
1:56 PM: Quarantining All Traces: azjmp cookie
1:56 PM: Quarantining All Traces: banners cookie
1:56 PM: Quarantining All Traces: belnk cookie
1:56 PM: Quarantining All Traces: casalemedia cookie
1:56 PM: Quarantining All Traces: cassava cookie
1:56 PM: Quarantining All Traces: cc214142 cookie
1:56 PM: Quarantining All Traces: clickandtrack cookie
1:56 PM: Quarantining All Traces: elmer cookie
1:56 PM: Quarantining All Traces: exitexchange cookie
1:56 PM: Quarantining All Traces: hbmediapro cookie
1:56 PM: Quarantining All Traces: nextag cookie
1:56 PM: Quarantining All Traces: oinadserve cookie
1:56 PM: Quarantining All Traces: partypoker cookie
1:56 PM: Quarantining All Traces: primaryads cookie
1:56 PM: Quarantining All Traces: pro-market cookie
1:56 PM: Quarantining All Traces: redzip cookie
1:56 PM: Quarantining All Traces: revenue.net cookie
1:56 PM: Quarantining All Traces: sirsearch cookie
1:56 PM: Quarantining All Traces: videodome cookie
1:56 PM: Quarantining All Traces: webpower cookie
1:56 PM: Quarantining All Traces: websponsors cookie
1:56 PM: Quarantining All Traces: yieldmanager cookie
1:56 PM: Quarantining All Traces: zenotecnico cookie
1:57 PM: Removal process completed. Elapsed time 00:01:09
2:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
2:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
2:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
2:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
2:40 PM: The Spy Communication shield has blocked access to: update2.outerinfo.com
2:40 PM: The Spy Communication shield has blocked access to: update2.outerinfo.com
3:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
3:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
3:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
3:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
4:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
4:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
4:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
4:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
5:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
5:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
5:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
5:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
6:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
6:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
6:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
6:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
7:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
7:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
7:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
7:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
8:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
8:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
8:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
8:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
9:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
9:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
9:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
9:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
7:40 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
7:40 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
8:10 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
8:10 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
8:40 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
8:40 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
9:10 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
9:10 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
9:22 AM: | End of Session, Monday, February 20, 2006 |
********
1:06 PM: | Start of Session, Saturday, February 18, 2006 |
1:06 PM: Spy Sweeper started
1:12 PM: Memory Shield: Found: Memory-resident threat ie driver, version 1.0.0.0
1:12 PM: Detected running threat: ie driver
1:31 PM: Your spyware definitions have been updated.
1:31 PM: | End of Session, Saturday, February 18, 2006 |
Logfile of HijackThis v1.99.1
Scan saved at 9:53:46 AM, on 2/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\WLANSTA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\onqkow.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\l?[bleep].exe
C:\jetsuite\DLLCMD32.EXE
C:\jetsuite\JETSTAT.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
c:\jetsuite\jsdaemon.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {E57B54CD-EC25-95D5-7DE7-BC9EFC3657CE} - C:\WINDOWS\system32\iqo.dll (file missing)
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {146D337B-D590-A965-C80C-D298BC13F596} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E57B54CD-EC25-95D5-7DE7-BC9EFC3657CE} - C:\WINDOWS\system32\iqo.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [Wipe Bows] C:\PROGRA~1\Hide Hole Bore\Cash Shim.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySpotter System Defender] C:\Program Files\SpySpotter3\Defender.exe -startup
O4 - HKLM\..\Run: [wversion] "C:\WINDOWS\system32\weather.exe "
O4 - HKLM\..\Run: [wsecure] "C:\WINDOWS\system32\onqkow.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Kodwemh] C:\WINDOWS\system32\l?[bleep].exe
O4 - HKCU\..\Run: [DHaxi.exe] C:\WINDOWS\system32\DHaxi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DllCmd32.lnk = C:\jetsuite\DLLCMD32.EXE
O4 - Global Startup: HP LaserJet 3100 Status.lnk = C:\jetsuite\JETSTAT.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {141F7D17-D5F2-44D4-B86B-07429C40688F} (Weather Control) - http://www.weatherwa...er1/weather.ocx
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.../ax/adwerkz.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A75C4D8E-CA1F-4471-94DA-C0A44A123C30}: NameServer = 209.210.176.8 209.210.176.9
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AutoComplete Service (Autocomplete) - Internet Washer - C:\PROGRA~1\SYSTEM~1\autocomp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: jsdaemon - JetFax, Inc. - c:\jetsuite\jsdaemon.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
9:22 AM: | Start of Session, Monday, February 20, 2006 |
9:22 AM: Spy Sweeper started
9:22 AM: Sweep initiated using definitions version 617
9:22 AM: Starting Memory Sweep
9:26 AM: Memory Sweep Complete, Elapsed Time: 00:04:28
9:26 AM: Starting Registry Sweep
9:27 AM: Registry Sweep Complete, Elapsed Time:00:00:19
9:27 AM: Starting Cookie Sweep
9:27 AM: Found Spy Cookie: hbmediapro cookie
9:27 AM: [email protected][2].txt (ID = 2768)
9:27 AM: Found Spy Cookie: oinadserve cookie
9:27 AM: malcom@oinadserve[2].txt (ID = 3091)
9:27 AM: Found Spy Cookie: zenotecnico cookie
9:27 AM: malcom@zenotecnico[1].txt (ID = 3858)
9:27 AM: Cookie Sweep Complete, Elapsed Time: 00:00:01
9:27 AM: Starting File Sweep
9:28 AM: Found Adware: internet washer
9:28 AM: a0027045.exe (ID = 63994)
9:28 AM: Found Adware: elitemediagroup-pop64
9:28 AM: a0027044.exe (ID = 244416)
9:31 AM: a0026373.exe (ID = 244416)
9:31 AM: a0026290.exe (ID = 244416)
9:31 AM: a0026431.exe (ID = 244416)
9:31 AM: Found Adware: purityscan
9:31 AM: a0026784.exe (ID = 213484)
9:34 AM: Found Adware: deskwizz
9:34 AM: a0027043.dll (ID = 233175)
9:36 AM: a0026878.exe (ID = 244416)
9:36 AM: a0026467.exe (ID = 244416)
9:39 AM: a0026781.exe (ID = 213483)
9:40 AM: Found Adware: zipclix
9:40 AM: a0027049.exe (ID = 91180)
9:40 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
9:40 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
9:43 AM: a0026809.exe (ID = 244416)
9:43 AM: Found Adware: starware toolbar
9:43 AM: a0026536.exe (ID = 235200)
9:43 AM: a0026268.exe (ID = 185456)
9:43 AM: a0026586.exe (ID = 244416)
9:43 AM: Found Adware: quicklink search toolbar
9:43 AM: a0027040.cfg (ID = 208796)
9:43 AM: a0026783.exe (ID = 244416)
9:43 AM: Found Adware: ie driver
9:43 AM: a0027036.exe (ID = 63150)
9:44 AM: a0026487.exe (ID = 244416)
9:44 AM: a0027039.exe (ID = 213484)
9:44 AM: a0027035.exe (ID = 63051)
9:45 AM: Found Adware: safesearch
9:45 AM: a0027042.dll (ID = 246679)
9:45 AM: Found Adware: wfgtech
9:45 AM: a0027046.dll (ID = 242384)
9:46 AM: a0027038.exe (ID = 213483)
9:46 AM: Found Adware: zenosearchassistant
9:46 AM: a0026196.cfg (ID = 91140)
9:46 AM: a0026296.cfg (ID = 91140)
9:46 AM: a0026247.cfg (ID = 91140)
9:46 AM: a0026446.cfg (ID = 91140)
9:46 AM: a0026529.cfg (ID = 91140)
9:46 AM: a0026256.cfg (ID = 91140)
9:46 AM: mfex-10.dat (ID = 91140)
9:46 AM: a0026184.cfg (ID = 91140)
9:46 AM: a0026425.cfg (ID = 91140)
9:46 AM: a0026541.cfg (ID = 91140)
9:46 AM: a0026935.cfg (ID = 91140)
9:46 AM: a0027027.cfg (ID = 91140)
9:46 AM: Found Adware: java byteverify
9:46 AM: arc.zip-53b4229a-34878864.zip (ID = 64824)
9:46 AM: arc.zip-53b42299-2db7412f.zip (ID = 64824)
9:46 AM: Warning: Invalid file - not a PKZip file
9:46 AM: File Sweep Complete, Elapsed Time: 00:19:24
9:46 AM: Full Sweep has completed. Elapsed time 00:24:17
9:46 AM: Traces Found: 41
9:50 AM: Removal process initiated
9:50 AM: Quarantining All Traces: ie driver
9:51 AM: Quarantining All Traces: purityscan
9:51 AM: Quarantining All Traces: quicklink search toolbar
9:51 AM: Quarantining All Traces: safesearch
9:51 AM: Quarantining All Traces: starware toolbar
9:51 AM: Quarantining All Traces: deskwizz
9:51 AM: Quarantining All Traces: elitemediagroup-pop64
9:51 AM: Quarantining All Traces: internet washer
9:51 AM: Quarantining All Traces: java byteverify
9:51 AM: Quarantining All Traces: wfgtech
9:51 AM: Quarantining All Traces: zenosearchassistant
9:51 AM: Quarantining All Traces: zipclix
9:51 AM: Quarantining All Traces: hbmediapro cookie
9:51 AM: Quarantining All Traces: oinadserve cookie
9:51 AM: Quarantining All Traces: zenotecnico cookie
9:51 AM: Removal process completed. Elapsed time 00:00:19
********
1:31 PM: | Start of Session, Saturday, February 18, 2006 |
1:31 PM: Spy Sweeper started
1:31 PM: Sweep initiated using definitions version 617
1:31 PM: Starting Memory Sweep
1:31 PM: Found Adware: purityscan
1:31 PM: Detected running threat: C:\WINDOWS\system32\ewnjqt.dll (ID = 230)
1:31 PM: Found Adware: safesearch
1:31 PM: Detected running threat: C:\WINDOWS\system32\irsmyhtg.dll (ID = 246679)
1:33 PM: Found Adware: ie driver
1:33 PM: Detected running threat: C:\WINDOWS\SYSTEM32\iehost35.exe (ID = 63051)
1:33 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || Bakra (ID = 0)
1:35 PM: Detected running threat: C:\WINDOWS\SYSTEM32\?ystem32\regedit.exe (ID = 230)
1:35 PM: Memory Sweep Complete, Elapsed Time: 00:04:12
1:35 PM: Starting Registry Sweep
1:35 PM: Found Trojan Horse: 2nd-thought
1:35 PM: HKCR\clsid\{8940e505-72c6-44de-be85-1d746780efbf}\ (13 subtraces) (ID = 101977)
1:35 PM: HKCR\interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}\ (7 subtraces) (ID = 101978)
1:35 PM: HKCR\interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273}\ (8 subtraces) (ID = 101979)
1:35 PM: HKCR\interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}\ (7 subtraces) (ID = 101980)
1:35 PM: HKCR\interface\{49db48ff-02b5-4645-b676-94a4df1aa026}\ (7 subtraces) (ID = 101981)
1:35 PM: HKCR\interface\{830d3aed-2fa9-454f-b266-d931862bbf34}\ (7 subtraces) (ID = 101982)
1:35 PM: HKCR\interface\{a986f4db-792e-4571-8974-0bb6e024766f}\ (7 subtraces) (ID = 101983)
1:35 PM: HKCR\interface\{bccab53d-0895-40c3-a942-a03538ce227a}\ (7 subtraces) (ID = 101984)
1:35 PM: HKCR\interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}\ (7 subtraces) (ID = 101985)
1:35 PM: HKCR\interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}\ (7 subtraces) (ID = 101986)
1:35 PM: HKLM\software\classes\interface\{6e0ed53c-9908-49ed-b055-7cb31b162577}\ (7 subtraces) (ID = 101993)
1:35 PM: HKLM\software\classes\interface\{8c53bd8e-b12d-4c8f-ad0e-c9ddc39d1273}\ (8 subtraces) (ID = 101994)
1:35 PM: HKLM\software\classes\interface\{9bcdd51b-4a7b-446c-8452-d32d38004582}\ (7 subtraces) (ID = 101995)
1:35 PM: HKLM\software\classes\interface\{49db48ff-02b5-4645-b676-94a4df1aa026}\ (7 subtraces) (ID = 101996)
1:35 PM: HKLM\software\classes\interface\{830d3aed-2fa9-454f-b266-d931862bbf34}\ (7 subtraces) (ID = 101997)
1:35 PM: HKLM\software\classes\interface\{a986f4db-792e-4571-8974-0bb6e024766f}\ (7 subtraces) (ID = 101998)
1:35 PM: HKLM\software\classes\interface\{bccab53d-0895-40c3-a942-a03538ce227a}\ (7 subtraces) (ID = 101999)
1:35 PM: HKLM\software\classes\interface\{c0f88e9e-dceb-4655-968a-ae508a677c39}\ (7 subtraces) (ID = 102000)
1:35 PM: HKLM\software\classes\interface\{d7eac2d8-2d52-4010-a4ad-dfdf60c1706c}\ (7 subtraces) (ID = 102001)
1:35 PM: Found Adware: hotbar
1:35 PM: HKLM\software\classes\spamblockerconfig.application\ (3 subtraces) (ID = 127536)
1:35 PM: HKCR\spamblockerconfig.application\ (3 subtraces) (ID = 127634)
1:35 PM: HKU\.default\software\microsoft\internet explorer\extensions\cmdmapping\ || {120e090d-9136-4b78-8258-f0b44b4bd2ac} (ID = 127909)
1:35 PM: HKLM\software\microsoft\internet explorer\extensions\{120e090d-9136-4b78-8258-f0b44b4bd2ac}\ (4 subtraces) (ID = 127931)
1:35 PM: HKLM\software\microsoft\windows\currentversion\run\ || bakra (ID = 127986)
1:35 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{8f9fbeb8-d216-4d6c-8d21-513157e09c0d}\ (2 subtraces) (ID = 128062)
1:35 PM: HKLM\software\microsoft\windows\currentversion\uninstall\{120e090d-9136-4b78-8258-f0b44b4bd2ac}\ (2 subtraces) (ID = 128065)
1:35 PM: Found Adware: keyhost hijacker - jraun
1:35 PM: HKCR\clsid\{c1f444c9-d3c8-454c-9b4d-b4d18a7e70f4}\ (3 subtraces) (ID = 129589)
1:35 PM: HKCR\keyactivex.keyactivexctrl.1\ (3 subtraces) (ID = 129593)
1:35 PM: Found Adware: tibs dialer
1:35 PM: HKCR\interface\{db767162-0d30-4181-9ed6-8019f6452fff}\ (8 subtraces) (ID = 143694)
1:35 PM: HKLM\software\classes\interface\{db767162-0d30-4181-9ed6-8019f6452fff}\ (8 subtraces) (ID = 143720)
1:35 PM: Found Adware: virtualbouncer
1:35 PM: HKLM\software\classes\clsid\{8940e505-72c6-44de-be85-1d746780efbf}\ (13 subtraces) (ID = 145549)
1:35 PM: HKLM\software\classes\typelib\{5e594162-60a9-487d-84b8-dbdd716cb862}\ (9 subtraces) (ID = 145551)
1:35 PM: HKCR\typelib\{5e594162-60a9-487d-84b8-dbdd716cb862}\ (9 subtraces) (ID = 145565)
1:35 PM: Found Adware: zenosearchassistant
1:35 PM: HKLM\software\microsoft\windows\currentversion\app management\arpcache\zeno search assistant\ (2 subtraces) (ID = 147930)
1:35 PM: HKLM\software\microsoft\windows\currentversion\app management\arpcache\enhanced ads by zeno\ (2 subtraces) (ID = 147931)
1:35 PM: HKCR\clsid\{8551311d-f3bf-4718-ad66-96e302500735}\ (11 subtraces) (ID = 392235)
1:35 PM: HKLM\software\classes\clsid\{18bbdf4d-611d-41ce-a7e7-b2dd23c250d1}\ (11 subtraces) (ID = 392390)
1:35 PM: HKLM\software\classes\clsid\{8551311d-f3bf-4718-ad66-96e302500735}\ (11 subtraces) (ID = 476604)
1:35 PM: Found Adware: quicklink search toolbar
1:35 PM: HKLM\software\microsoft\windows\currentversion\uninstall\quicklinks\ (2 subtraces) (ID = 909558)
1:35 PM: Found Adware: surfassistant
1:35 PM: HKLM\software\surfassistant.com\ (5 subtraces) (ID = 911968)
1:35 PM: Found Adware: multidial
1:35 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/mfc42.dll\ || {fc87a650-207d-4392-a6a1-82adbc56fa64} (ID = 956094)
1:35 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/msvcrt.dll\ || {fc87a650-207d-4392-a6a1-82adbc56fa64} (ID = 956096)
1:35 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/olepro32.dll\ || {fc87a650-207d-4392-a6a1-82adbc56fa64} (ID = 956098)
1:35 PM: Found Adware: elitemediagroup-pop64
1:35 PM: HKCR\interface\{efdfe6ee-8888-422e-ab3c-b48589338ae3}\ (8 subtraces) (ID = 967541)
1:35 PM: HKLM\software\classes\interface\{efdfe6ee-8888-422e-ab3c-b48589338ae3}\ (8 subtraces) (ID = 967601)
1:35 PM: HKCR\spamblockerconfig.application.1\ (3 subtraces) (ID = 968312)
1:35 PM: HKLM\software\classes\spamblockerconfig.application.1\ (3 subtraces) (ID = 968867)
1:35 PM: HKLM\software\spamblockerutility\ (7 subtraces) (ID = 978182)
1:35 PM: HKLM\software\microsoft\windows\currentversion\uninstall\elitemediagroup\ (2 subtraces) (ID = 1015939)
1:35 PM: HKLM\software\microsoft\windows\currentversion\uninstall\elitemediagroupoin\ (2 subtraces) (ID = 1070163)
1:35 PM: Found Adware: deskwizz
1:35 PM: HKCR\adwerkz.adwkzctl\ (5 subtraces) (ID = 1113980)
1:35 PM: HKCR\adwerkz.adwkzctl.1\ (3 subtraces) (ID = 1113986)
1:35 PM: HKCR\clsid\{4ad73894-a895-4fc2-b233-299867e08753}\ (20 subtraces) (ID = 1113990)
1:35 PM: HKCR\typelib\{c1dca09c-9342-4ee5-85ba-bcdbc5cfed8e}\ (9 subtraces) (ID = 1114011)
1:35 PM: HKLM\software\classes\clsid\{4ad73894-a895-4fc2-b233-299867e08753}\ || appid (ID = 1114021)
1:35 PM: HKLM\software\classes\typelib\{c1dca09c-9342-4ee5-85ba-bcdbc5cfed8e}\ (9 subtraces) (ID = 1114040)
1:35 PM: HKLM\software\classes\adwerkz.adwkzctl\ (5 subtraces) (ID = 1114050)
1:35 PM: HKLM\software\classes\adwerkz.adwkzctl.1\ (3 subtraces) (ID = 1114056)
1:35 PM: HKLM\software\microsoft\code store database\distribution units\{9ac54695-69a4-46f1-be10-10c74f9520d5}\ (17 subtraces) (ID = 1122691)
1:35 PM: HKCR\permeation.permeater\ (3 subtraces) (ID = 1133968)
1:35 PM: HKCR\permeation.permeater.1\ (3 subtraces) (ID = 1133972)
1:35 PM: HKCR\permeation.trecker\ (3 subtraces) (ID = 1133976)
1:35 PM: HKCR\permeation.trecker.1\ (3 subtraces) (ID = 1133980)
1:35 PM: HKCR\clsid\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (10 subtraces) (ID = 1133998)
1:35 PM: HKCR\typelib\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (9 subtraces) (ID = 1134093)
1:35 PM: HKLM\software\classes\permeation.permeater\ (3 subtraces) (ID = 1134157)
1:35 PM: HKLM\software\classes\permeation.permeater.1\ (3 subtraces) (ID = 1134161)
1:35 PM: HKLM\software\classes\permeation.trecker\ (3 subtraces) (ID = 1134165)
1:35 PM: HKLM\software\classes\permeation.trecker.1\ (3 subtraces) (ID = 1134169)
1:35 PM: HKLM\software\classes\clsid\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (10 subtraces) (ID = 1134187)
1:35 PM: HKLM\software\classes\typelib\{2f6e85dc-8d2d-4896-8a4f-7df8a7b1749d}\ (9 subtraces) (ID = 1134251)
1:35 PM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/elite.ocx\ (2 subtraces) (ID = 1137453)
1:35 PM: Found Adware: ezula ilookup
1:35 PM: HKCR\le.toy24.1\ (3 subtraces) (ID = 1157600)
1:35 PM: HKCR\onone.thegimp.1\ (3 subtraces) (ID = 1157610)
1:35 PM: HKLM\software\classes\le.toy24.1\ (3 subtraces) (ID = 1157656)
1:35 PM: HKLM\software\classes\onone.thegimp.1\ (3 subtraces) (ID = 1157666)
1:35 PM: HKLM\software\microsoft\bit1ocker\ || refresh_time (ID = 1157743)
1:35 PM: HKCR\protocols\filter\text/html\ || clsid (ID = 1158007)
1:35 PM: HKLM\software\classes\protocols\filter\text/html\ || clsid (ID = 1158008)
1:35 PM: HKCR\clsid\{70f6a776-579a-4c95-ba88-134253907752}\ (11 subtraces) (ID = 1160010)
1:35 PM: HKCR\typelib\{72ec96e8-30eb-4da8-9446-b4366bf00249}\ (9 subtraces) (ID = 1160022)
1:35 PM: HKCR\iman.riemon\ (5 subtraces) (ID = 1160080)
1:35 PM: HKCR\iman.riemon.1\ (3 subtraces) (ID = 1160086)
1:35 PM: HKLM\software\microsoft\windows\currentversion\app paths\irism\ (2 subtraces) (ID = 1160093)
1:35 PM: HKLM\software\microsoft\windows\currentversion\app paths\irssyncd\ (2 subtraces) (ID = 1160096)
1:35 PM: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objects\{70f6a776-579a-4c95-ba88-134253907752}\ (ID = 1160099)
1:35 PM: HKLM\software\irismon\ (18 subtraces) (ID = 1165615)
1:35 PM: HKLM\software\microsoft\windows\currentversion\uninstall\irismon\ (2 subtraces) (ID = 1165617)
1:35 PM: HKLM\software\classes\iman.riemon\ (5 subtraces) (ID = 1165636)
1:35 PM: HKLM\software\classes\iman.riemon.1\ (3 subtraces) (ID = 1165642)
1:35 PM: HKLM\software\classes\clsid\{70f6a776-579a-4c95-ba88-134253907752}\ (11 subtraces) (ID = 1165648)
1:35 PM: HKLM\software\classes\typelib\{72ec96e8-30eb-4da8-9446-b4366bf00249}\ (9 subtraces) (ID = 1165660)
1:35 PM: Found Adware: cws-aboutblank
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\internet explorer\main\ || search bar_bak (ID = 115924)
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\internet explorer\extensions\cmdmapping\ || {946b3e9e-e21a-49c8-9f63-900533fafe14} (ID = 127575)
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\internet explorer\extensions\cmdmapping\ || {e77eda01-3c56-4a96-8d08-02b42891c169} (ID = 127576)
1:35 PM: Found Adware: hotsurprise
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\wdwctrl\ (3 subtraces) (ID = 127798)
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\internet explorer\extensions\cmdmapping\ || {120e090d-9136-4b78-8258-f0b44b4bd2ac} (ID = 127930)
1:35 PM: Found Adware: isearch toolbar
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\internet explorer\extensions\cmdmapping\ || {1a00c40b-da85-4aa3-a67f-582d9347eecd} (ID = 129028)
1:35 PM: Found Adware: keenvalue/perfectnav
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\internet explorer\urlsearchhooks\ || _{5d60ff48-95be-4956-b4c6-6bb168a70310} (ID = 129470)
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\windows\currentversion\run\ || ncao (ID = 138536)
1:35 PM: Found Adware: searchbar.html hijack
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\internet explorer\main\ || search bar (ID = 140818)
1:35 PM: Found Adware: starware toolbar
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\internet explorer\toolbar\webbrowser\ || {d49e9d35-254c-4c6a-9d17-95018d228ff5} (ID = 142862)
1:35 PM: Found Adware: sidesearch
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
1:35 PM: Found Adware: qsearch
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\program info\ (ID = 1028138)
1:35 PM: Found Adware: starware.com hijack
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\internet explorer\searchurl\ (ID = 1061688)
1:35 PM: Found Adware: zquest
1:35 PM: HKU\S-1-5-21-3360704705-3042970004-1030133460-1008\software\microsoft\internet explorer\desktop\components\0\ || source (ID = 1140816)
1:35 PM: HKU\S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping\ || {120e090d-9136-4b78-8258-f0b44b4bd2ac} (ID = 127930)
1:35 PM: Registry Sweep Complete, Elapsed Time:00:00:18
1:35 PM: Starting Cookie Sweep
1:35 PM: Found Spy Cookie: primaryads cookie
1:35 PM: [email protected][2].txt (ID = 3190)
1:35 PM: Found Spy Cookie: 888 cookie
1:35 PM: malcom@888[1].txt (ID = 2019)
1:35 PM: malcom@888[2].txt (ID = 2019)
1:35 PM: Found Spy Cookie: websponsors cookie
1:35 PM: [email protected][2].txt (ID = 3665)
1:35 PM: Found Spy Cookie: yieldmanager cookie
1:35 PM: [email protected][1].txt (ID = 3751)
1:35 PM: Found Spy Cookie: adecn cookie
1:35 PM: malcom@adecn[2].txt (ID = 2063)
1:35 PM: Found Spy Cookie: adknowledge cookie
1:35 PM: malcom@adknowledge[1].txt (ID = 2072)
1:35 PM: Found Spy Cookie: hbmediapro cookie
1:35 PM: [email protected][2].txt (ID = 2768)
1:35 PM: Found Spy Cookie: cc214142 cookie
1:35 PM: [email protected][2].txt (ID = 2367)
1:35 PM: Found Spy Cookie: ask cookie
1:35 PM: malcom@ask[1].txt (ID = 2245)
1:35 PM: Found Spy Cookie: azjmp cookie
1:35 PM: malcom@azjmp[1].txt (ID = 2270)
1:35 PM: Found Spy Cookie: banners cookie
1:35 PM: malcom@banners[1].txt (ID = 2282)
1:35 PM: malcom@banners[2].txt (ID = 2282)
1:35 PM: malcom@banners[3].txt (ID = 2282)
1:35 PM: malcom@banners[4].txt (ID = 2282)
1:35 PM: malcom@banners[5].txt (ID = 2282)
1:35 PM: Found Spy Cookie: belnk cookie
1:35 PM: malcom@belnk[1].txt (ID = 2292)
1:35 PM: Found Spy Cookie: casalemedia cookie
1:35 PM: malcom@casalemedia[2].txt (ID = 2354)
1:35 PM: Found Spy Cookie: cassava cookie
1:35 PM: malcom@cassava[1].txt (ID = 2362)
1:35 PM: [email protected][2].txt (ID = 2293)
1:35 PM: Found Spy Cookie: elmer cookie
1:35 PM: malcom@elmer[1].txt (ID = 2601)
1:35 PM: Found Spy Cookie: exitexchange cookie
1:35 PM: malcom@exitexchange[2].txt (ID = 2633)
1:35 PM: malcom@hbmediapro[1].txt (ID = 2767)
1:35 PM: Found Spy Cookie: clickandtrack cookie
1:35 PM: [email protected][1].txt (ID = 2397)
1:35 PM: Found Spy Cookie: nextag cookie
1:35 PM: malcom@nextag[2].txt (ID = 5014)
1:35 PM: Found Spy Cookie: oinadserve cookie
1:35 PM: malcom@oinadserve[2].txt (ID = 3091)
1:35 PM: Found Spy Cookie: partypoker cookie
1:35 PM: malcom@partypoker[2].txt (ID = 3111)
1:35 PM: Found Spy Cookie: pro-market cookie
1:35 PM: malcom@pro-market[2].txt (ID = 3197)
1:35 PM: Found Spy Cookie: revenue.net cookie
1:35 PM: malcom@revenue[1].txt (ID = 3257)
1:35 PM: Found Spy Cookie: sirsearch cookie
1:35 PM: malcom@sirsearch[1].txt (ID = 3379)
1:35 PM: Found Spy Cookie: videodome cookie
1:35 PM: malcom@videodome[1].txt (ID = 3638)
1:35 PM: Found Spy Cookie: webpower cookie
1:35 PM: malcom@webpower[2].txt (ID = 3660)
1:35 PM: [email protected][2].txt (ID = 2020)
1:35 PM: Found Spy Cookie: redzip cookie
1:35 PM: [email protected][1].txt (ID = 3250)
1:35 PM: Found Spy Cookie: adserver cookie
1:35 PM: [email protected][1].txt (ID = 2142)
1:35 PM: Found Spy Cookie: zenotecnico cookie
1:35 PM: malcom@zenotecnico[1].txt (ID = 3858)
1:35 PM: Cookie Sweep Complete, Elapsed Time: 00:00:02
1:36 PM: Starting File Sweep
1:36 PM: Found Adware: netspry hijacker
1:36 PM: c:\program files\homepage (ID = -2147480543)
1:36 PM: c:\program files\jalmp (2 subtraces) (ID = -2147459072)
1:36 PM: c:\program files\lycos\sidesearch (ID = -2147480322)
1:36 PM: Found Adware: wild media - statblaster
1:36 PM: c:\program files\media\media (1 subtraces) (ID = -2147480222)
1:36 PM: Found Adware: delfin
1:36 PM: c:\program files\common files\dpi (ID = -2147481129)
1:36 PM: c:\documents and settings\all users\application data\pcsvc (23 subtraces) (ID = -2147481135)
1:36 PM: delfinst.ebd (ID = 57692)
1:36 PM: delfintg.ebd (ID = 57693)
1:36 PM: Found Adware: internet washer
1:36 PM: quick.exe (ID = 63994)
1:39 PM: Found Adware: 180search assistant/zango
1:39 PM: aurl.dat (ID = 70478)
1:40 PM: eliteunstall.exe (ID = 244416)
1:42 PM: setup.exe (ID = 63133)
1:42 PM: setup4.exe (ID = 63134)
1:43 PM: quick.dat (ID = 63993)
1:44 PM: adwerkz.dll (ID = 233175)
1:45 PM: elite.inf (ID = 187156)
1:46 PM: innervbinstall.log (ID = 82805)
1:49 PM: setup333.exe (ID = 63139)
1:50 PM: Found Adware: zipclix
1:50 PM: zipclix.exe (ID = 91180)
1:53 PM: arpf.cfg (ID = 208796)
1:53 PM: elitemediagroupoinuninstaller.exe (ID = 213484)
1:53 PM: terabyte.exe (ID = 63150)
1:53 PM: elite.inf (ID = 187156)
1:54 PM: iehost35.exe (ID = 63051)
1:54 PM: HKLM\Software\Microsoft\Windows\CurrentVersion\Run || Bakra (ID = 0)
1:54 PM: irsmyhtg.dll (ID = 246679)
1:54 PM: adwsetup_upd.exe (ID = 246178)
1:54 PM: Found Adware: wfgtech
1:54 PM: 0wsoyb02.dll (ID = 242384)
1:55 PM: z_start.lnk (ID = 235994)
1:55 PM: zeno.lnk (ID = 146127)
1:55 PM: yoinsi.exe (ID = 213483)
1:55 PM: delfindl.edx (ID = 57681)
1:55 PM: delfinid.edx (ID = 57691)
1:55 PM: delfinco.edx (ID = 57681)
1:55 PM: temp.frc157 (ID = 91140)
1:55 PM: delfinbd.edx (ID = 57681)
1:55 PM: delfined.edx (ID = 57681)
1:55 PM: delfinaf.edx (ID = 57679)
1:55 PM: delfinld.edx (ID = 57681)
1:55 PM: delfinky.edx (ID = 57685)
1:55 PM: delfinsi.edx (ID = 57691)
1:55 PM: office97.te (ID = 63987)
1:55 PM: temp.fr21ea (ID = 91140)
1:55 PM: temp.fra254 (ID = 91140)
1:55 PM: temp.fr8d6a (ID = 91140)
1:55 PM: setup.inf (ID = 76984)
1:55 PM: adwerkz.inf (ID = 233153)
1:55 PM: Sweep Canceled
1:55 PM: File Sweep Complete, Elapsed Time: 00:19:36
1:55 PM: Traces Found: 738
1:56 PM: Removal process initiated
1:56 PM: Quarantining All Traces: 180search assistant/zango
1:56 PM: Quarantining All Traces: 2nd-thought
1:56 PM: Quarantining All Traces: cws-aboutblank
1:56 PM: Quarantining All Traces: ie driver
1:56 PM: ie driver is in use. It will be removed on reboot.
1:56 PM: iehost35.exe is in use. It will be removed on reboot.
1:56 PM: Quarantining All Traces: purityscan
1:56 PM: Quarantining All Traces: qsearch
1:56 PM: Quarantining All Traces: delfin
1:56 PM: Quarantining All Traces: hotbar
1:56 PM: Quarantining All Traces: hotsurprise
1:56 PM: Quarantining All Traces: isearch toolbar
1:56 PM: Quarantining All Traces: netspry hijacker
1:56 PM: Quarantining All Traces: quicklink search toolbar
1:56 PM: Quarantining All Traces: safesearch
1:56 PM: safesearch is in use. It will be removed on reboot.
1:56 PM: irsmyhtg.dll is in use. It will be removed on reboot.
1:56 PM: Quarantining All Traces: sidesearch
1:56 PM: Quarantining All Traces: starware toolbar
1:56 PM: Quarantining All Traces: tibs dialer
1:56 PM: Quarantining All Traces: zquest
1:56 PM: Quarantining All Traces: deskwizz
1:56 PM: Quarantining All Traces: elitemediagroup-pop64
1:56 PM: Quarantining All Traces: ezula ilookup
1:56 PM: Quarantining All Traces: internet washer
1:56 PM: Quarantining All Traces: keenvalue/perfectnav
1:56 PM: Quarantining All Traces: keyhost hijacker - jraun
1:56 PM: Quarantining All Traces: multidial
1:56 PM: Quarantining All Traces: searchbar.html hijack
1:56 PM: Quarantining All Traces: starware.com hijack
1:56 PM: Quarantining All Traces: surfassistant
1:56 PM: Quarantining All Traces: virtualbouncer
1:56 PM: Quarantining All Traces: wfgtech
1:56 PM: Quarantining All Traces: wild media - statblaster
1:56 PM: Quarantining All Traces: zenosearchassistant
1:56 PM: Quarantining All Traces: zipclix
1:56 PM: Quarantining All Traces: 888 cookie
1:56 PM: Quarantining All Traces: adecn cookie
1:56 PM: Quarantining All Traces: adknowledge cookie
1:56 PM: Quarantining All Traces: adserver cookie
1:56 PM: Quarantining All Traces: ask cookie
1:56 PM: Quarantining All Traces: azjmp cookie
1:56 PM: Quarantining All Traces: banners cookie
1:56 PM: Quarantining All Traces: belnk cookie
1:56 PM: Quarantining All Traces: casalemedia cookie
1:56 PM: Quarantining All Traces: cassava cookie
1:56 PM: Quarantining All Traces: cc214142 cookie
1:56 PM: Quarantining All Traces: clickandtrack cookie
1:56 PM: Quarantining All Traces: elmer cookie
1:56 PM: Quarantining All Traces: exitexchange cookie
1:56 PM: Quarantining All Traces: hbmediapro cookie
1:56 PM: Quarantining All Traces: nextag cookie
1:56 PM: Quarantining All Traces: oinadserve cookie
1:56 PM: Quarantining All Traces: partypoker cookie
1:56 PM: Quarantining All Traces: primaryads cookie
1:56 PM: Quarantining All Traces: pro-market cookie
1:56 PM: Quarantining All Traces: redzip cookie
1:56 PM: Quarantining All Traces: revenue.net cookie
1:56 PM: Quarantining All Traces: sirsearch cookie
1:56 PM: Quarantining All Traces: videodome cookie
1:56 PM: Quarantining All Traces: webpower cookie
1:56 PM: Quarantining All Traces: websponsors cookie
1:56 PM: Quarantining All Traces: yieldmanager cookie
1:56 PM: Quarantining All Traces: zenotecnico cookie
1:57 PM: Removal process completed. Elapsed time 00:01:09
2:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
2:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
2:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
2:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
2:40 PM: The Spy Communication shield has blocked access to: update2.outerinfo.com
2:40 PM: The Spy Communication shield has blocked access to: update2.outerinfo.com
3:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
3:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
3:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
3:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
4:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
4:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
4:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
4:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
5:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
5:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
5:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
5:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
6:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
6:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
6:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
6:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
7:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
7:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
7:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
7:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
8:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
8:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
8:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
8:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
9:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
9:10 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
9:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
9:40 PM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
7:40 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
7:40 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
8:10 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
8:10 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
8:40 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
8:40 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
9:10 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
9:10 AM: The Spy Communication shield has blocked access to: campaigns.outerinfo.com
9:22 AM: | End of Session, Monday, February 20, 2006 |
********
1:06 PM: | Start of Session, Saturday, February 18, 2006 |
1:06 PM: Spy Sweeper started
1:12 PM: Memory Shield: Found: Memory-resident threat ie driver, version 1.0.0.0
1:12 PM: Detected running threat: ie driver
1:31 PM: Your spyware definitions have been updated.
1:31 PM: | End of Session, Saturday, February 18, 2006 |
Logfile of HijackThis v1.99.1
Scan saved at 9:53:46 AM, on 2/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\WLANSTA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\onqkow.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\l?[bleep].exe
C:\jetsuite\DLLCMD32.EXE
C:\jetsuite\JETSTAT.EXE
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
c:\jetsuite\jsdaemon.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mail.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - {E57B54CD-EC25-95D5-7DE7-BC9EFC3657CE} - C:\WINDOWS\system32\iqo.dll (file missing)
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {146D337B-D590-A965-C80C-D298BC13F596} - (no file)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E57B54CD-EC25-95D5-7DE7-BC9EFC3657CE} - C:\WINDOWS\system32\iqo.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WLANSTA.EXE] WLANSTA.EXE START
O4 - HKLM\..\Run: [Wipe Bows] C:\PROGRA~1\Hide Hole Bore\Cash Shim.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySpotter System Defender] C:\Program Files\SpySpotter3\Defender.exe -startup
O4 - HKLM\..\Run: [wversion] "C:\WINDOWS\system32\weather.exe "
O4 - HKLM\..\Run: [wsecure] "C:\WINDOWS\system32\onqkow.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [Kodwemh] C:\WINDOWS\system32\l?[bleep].exe
O4 - HKCU\..\Run: [DHaxi.exe] C:\WINDOWS\system32\DHaxi.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: DllCmd32.lnk = C:\jetsuite\DLLCMD32.EXE
O4 - Global Startup: HP LaserJet 3100 Status.lnk = C:\jetsuite\JETSTAT.EXE
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O16 - DPF: {141F7D17-D5F2-44D4-B86B-07429C40688F} (Weather Control) - http://www.weatherwa...er1/weather.ocx
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} - http://apps.deskwizz.../ax/adwerkz.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A75C4D8E-CA1F-4471-94DA-C0A44A123C30}: NameServer = 209.210.176.8 209.210.176.9
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AutoComplete Service (Autocomplete) - Internet Washer - C:\PROGRA~1\SYSTEM~1\autocomp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: jsdaemon - JetFax, Inc. - c:\jetsuite\jsdaemon.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE