Desperately need help with HOME SEARCH ASSISTANT removal - Jeeber's Hijack This log
Hello,
Thank you in advance for looking at this, and apologies for posting a new thread about this. I realised pretty quickly that what I am dealing with is not Blue Trek Error Nuker, but Home Search Assistant (Only the Best).
Here's what I have done so far:
I have run several scans with the updated latest versions of Adaware and Spybot, as well as doing a Norton Scan. I have also tried using the HSremove.exe tool, which doesn't work for me.
I followed the instructions in the sticky thread 'Home Assistant Removal guide' as best I could, but was nervous about deleting multiple O4 HKLM RunOnce entries, and really didn't know if they were good or bad. I deleted some, but left others.
I did everything I could following the instructions, but on starting up again in normal mode discovered that I still have the problem. I deleted the registry key entries for the Network Security Service - which was actually called some nonsense name, but that doesn't seem to have worked either.
(I renamed a file called iewp32.exe, which seemed to be associated with Network Security Service, to iewp32.xxx and placed it in the quarantine folder, and on starting up after being in safe mode the laptop displayed an error message saying that it couldn't find the file, but it seems to be working ok despite that).
I have run scans again and cleaned up my system as much as possible, and have now scanned for the latest HJT log.
I basically need some help - detailing exactly what I should do, and what I should fix in Hijack This...some basic basic instructions if at all possible. I have tried my best to resolve this issue on my own, but just don't have enough expertise to get rid of HSA without some guidance.
Thank you so much for any and all help.
Sorry this post is so long-winded, and here is my latest HJT logfile:
Logfile of HijackThis v1.99.1
Scan saved at 18:07:11, on 03/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\CtrlVol.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis\HijackThis Version 1.99.0.1\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0B1EC0AC-4B60-2E3C-6008-EA958BCC19DD} - C:\WINDOWS\ieug32.dll
O2 - BHO: Class - {1F83CE5B-58B8-4A43-4632-766347B9FF82} - C:\WINDOWS\ieas.dll
O2 - BHO: Class - {2D77C53A-EFF7-1325-3487-10C15FF6011D} - C:\WINDOWS\system32\atlpe.dll
O2 - BHO: Class - {3741C5ED-4EDB-B11A-EFEE-169A682E180C} - C:\WINDOWS\mfcvy.dll
O2 - BHO: Class - {43E7216F-4012-7D76-A982-D11BDBF82031} - C:\WINDOWS\atlrn.dll
O2 - BHO: Class - {5A197AF4-5935-49F9-0E5B-5ABD9A8F62AD} - C:\WINDOWS\system32\atlfu.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {CF22795E-F0CD-B9F1-BAF6-79B05A0373A3} - C:\WINDOWS\ntaa.dll
O2 - BHO: Class - {EE593523-B318-24B1-0D54-282F680B1C8C} - C:\WINDOWS\system32\netyz.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] C:\Program Files\Launch Manager\LaunchAp.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [CtrlVol] C:\Program Files\Launch Manager\CtrlVol.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] "C:\Program Files\ABBYY FineReader 7.0\AbbyyNewsReader.exe"
O4 - HKLM\..\Run: [DVD43] "C:\Program Files\DVD Region+CSS Free\DVDRegionFree.exe" /hidden
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\RunOnce: [crcx.exe] C:\WINDOWS\crcx.exe
O4 - HKLM\..\RunOnce: [mfcns.exe] C:\WINDOWS\mfcns.exe
O4 - HKLM\..\RunOnce: [d3bc32.exe] C:\WINDOWS\system32\d3bc32.exe
O4 - HKLM\..\RunOnce: [apiwd32.exe] C:\WINDOWS\system32\apiwd32.exe
O4 - HKLM\..\RunOnce: [netpo32.exe] C:\WINDOWS\system32\netpo32.exe
O4 - HKLM\..\RunOnce: [addid32.exe] C:\WINDOWS\addid32.exe
O4 - HKLM\..\RunOnce: [ipib32.exe] C:\WINDOWS\ipib32.exe
O4 - HKLM\..\RunOnce: [appke32.exe] C:\WINDOWS\system32\appke32.exe
O4 - HKLM\..\RunOnce: [d3pv32.exe] C:\WINDOWS\system32\d3pv32.exe
O4 - HKLM\..\RunOnce: [crcr32.exe] C:\WINDOWS\system32\crcr32.exe
O4 - HKLM\..\RunOnce: [addnd.exe] C:\WINDOWS\addnd.exe
O4 - HKLM\..\RunOnce: [sdkyd.exe] C:\WINDOWS\system32\sdkyd.exe
O4 - HKLM\..\RunOnce: [ntkl.exe] C:\WINDOWS\ntkl.exe
O4 - HKLM\..\RunOnce: [ipfe.exe] C:\WINDOWS\ipfe.exe
O4 - HKLM\..\RunOnce: [apisu.exe] C:\WINDOWS\apisu.exe
O4 - HKLM\..\RunOnce: [crbd.exe] C:\WINDOWS\system32\crbd.exe
O4 - HKLM\..\RunOnce: [winag.exe] C:\WINDOWS\winag.exe
O4 - HKLM\..\RunOnce: [crzo32.exe] C:\WINDOWS\crzo32.exe
O4 - HKLM\..\RunOnce: [ipxt.exe] C:\WINDOWS\system32\ipxt.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht0_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
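As an added example (not from this thread, and not part of HijackThis or any of the tools named here), a small Python triage script that parses HijackThis log lines and flags the two patterns visible in the log above: O2 BHOs with the generic name "Class" whose DLL sits directly in the Windows folder, and HKLM RunOnce entries named after their own executable in the Windows folder. The sample lines are constructed from the log above, and the heuristics are assumptions for illustration, not a definitive good/bad verdict on any entry.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: a few lines copied from the HijackThis log in this thread,
# plus legitimate entries (Norton BHO, ccApp, ctfmon) for contrast.
# Raw string so the backslashes in the paths stay intact.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {0B1EC0AC-4B60-2E3C-6008-EA958BCC19DD} - C:\WINDOWS\ieug32.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunOnce: [crcx.exe] C:\WINDOWS\crcx.exe
O4 - HKLM\..\RunOnce: [d3bc32.exe] C:\WINDOWS\system32\d3bc32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# One HJT entry: "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] command".
ENTRY_RE = re.compile(r"^(?P<section>R\d|O\d+)\s+-\s+(?P<body>.+)$")
# O2 body: "BHO: <name> - {CLSID} - <dll path>"
BHO_RE = re.compile(
    r"^BHO:\s+(?P<name>.+?)\s+-\s+\{(?P<clsid>[0-9A-Fa-f-]{36})\}\s+-\s+(?P<path>.+)$"
)
# O4 body: "HKLM\..\RunOnce: [value name] command line"
O4_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run(?:Once)?):\s+\[(?P<value>[^\]]*)\]\s*(?P<cmd>.*)$"
)

# Heuristic (assumption): files dropped straight into the Windows folder or
# system32, rather than under Program Files, are worth a second look.
WINDOWS_DIRS = ("c:\\windows\\", "c:\\windows\\system32\\")


def directly_under_windows(path: str) -> bool:
    # True only if the file is an immediate child of one of WINDOWS_DIRS.
    p = path.strip().strip('"').lower()
    return any(p.startswith(d) and "\\" not in p[len(d):] for d in WINDOWS_DIRS)


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    # Keep only the "Rn - ..." / "On - ..." lines; header and process list are skipped.
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"section": m.group("section"), "body": m.group("body"), "line": line})
    return entries


def section_counts(log_text: str) -> Dict[str, int]:
    # How many entries each HJT section contributes; a sudden jump in O2/O4 is the
    # "numerous more entries" symptom described in the thread.
    counts: Dict[str, int] = {}
    for e in parse_entries(log_text):
        counts[e["section"]] = counts.get(e["section"], 0) + 1
    return counts


def triage(log_text: str) -> List[Tuple[str, str]]:
    # Return (reason, line) pairs for entries matching the patterns seen in this thread.
    findings = []
    for e in parse_entries(log_text):
        sec, body = e["section"], e["body"]
        if sec == "R3" and "URLSearchHook is missing" in body:
            findings.append(("default URLSearchHook removed", e["line"]))
        elif sec == "O2":
            m = BHO_RE.match(body)
            if m and m.group("name") == "Class" and directly_under_windows(m.group("path")):
                findings.append(("unnamed BHO loading a DLL from the Windows folder", e["line"]))
        elif sec == "O4":
            m = O4_RE.match(body)
            if not m:
                continue
            exe = m.group("cmd").strip().strip('"').rsplit("\\", 1)[-1].lower()
            if (m.group("key") == "RunOnce" and m.group("value").lower() == exe
                    and directly_under_windows(m.group("cmd"))):
                findings.append(("RunOnce entry named after its own executable in the Windows folder",
                                 e["line"]))
    return findings


if __name__ == "__main__":
    print("entries per section:", section_counts(SAMPLE_LOG))
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Run it against a full pasted log to get a shortlist of entries to ask about, rather than deleting RunOnce lines by guesswork.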
Comments
I'm still really struggling with this hijack of Home Search Assistant. Every time I use Internet Explorer and run a Hijack This scan, I seem to have picked up numerous more entries - both RunOnce entries and multiple BHOs that weren't there before.
It makes me unsure whether any HJT logfile will stay the same for long enough for me to get detailed instructions on what to fix and how best to go about getting rid of this horrible infection. I haven't done a scan since the last HJT log I posted in this thread, but I am sure it will have changed by now.
Sorry to bump this up, I am just really really desperate and beginning to lose hope that I will ever manage to get rid of this. If anyone has any suggestions or ideas at all, I would be ever so grateful.
Thank you very much
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do not run a scan yet!
==========
Download CWShredder 2.15 from here. Run it and press *fix*, not *scan*, and allow it to clean the infection. Close all browser and explorer windows before hitting the fix button.
==========
Download DelRunOnce and save it to your desktop. Unzip the files in it to a new folder on your desktop named DelRunOnce. Do NOT run it yet.
==========
Download AboutBuster 5:
http://www.besttechie.net/tools/AboutBuster5.zip
http://www.malwarebytes.biz/AboutBuster5.zip
Once downloaded, unzip it, and put the folder on your desktop. Then double-click on the AboutBuster icon to start the program.
Click Update. This will start updating AboutBuster with the latest definition database.
Once it's done updating and you see that dialog, click Ok.
Close AboutBuster.
==========
Reboot into safe mode following the instructions here.
Start AboutBuster and click Begin Removal.
When the scan is done, click Ok.
==========
Go to the DelRunOnce folder you have opened on your desktop earlier, and double click DelRunOnce to run it. After you do that, a logfile will open - copy it to us here.
You may also go to C:\delrunonce.txt and take the logfile from there.
==========
Run Ewido, and do a full scan. During the scan it will prompt you to clean files, click OK.
Save the logfile from the scan. Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
I cannot tell you how grateful I am for your response - your instructions were simple to follow, and so far seem to have had very good results.
I did everything that you asked, and here are the latest logfiles.
Here is the Ewido scan log:
ewido security suite - Scan report
+ Created on: 23:51:06, 05/08/2005
+ Report-Checksum: 62EDCEE6
+ Scan result:
HKLM\SOFTWARE\Classes\CLSID\{29CDA41A-A8EB-6A68-BBF5-2877418D55C7} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3C2E0AC2-347B-07FF-761D-31083C460F98} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{430B869B-EB6E-CBD3-5E4D-6D279372AA20} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{452C15DF-936D-C8CB-B825-97DD4A210ABD} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{47B70B6F-A6B0-230A-43C3-9F9B5C710209} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{62160EEF-9D84-4C19-B7B8-6AC2526CD726} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{779D4817-72EC-CAD1-C47C-A430B508B1E9} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8085E374-ACBB-42F9-873F-49EC7E244F97} -> Spyware.Hijacker.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{81AE8953-3335-A1BB-5174-F82625372B4E} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{82E8FF5B-20DA-4F43-9787-09FA534B7627} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A4405AD1-A13C-E10B-4B57-D5092B102F2B} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A903BF95-883E-4E70-AEC8-6C27CDC0A6B2} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A9BB7C1A-E63B-E0A9-63EB-7124FA52D1B0} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B91259B9-BE3B-D475-8861-62B879410E5E} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{DB3FF0A6-7AD3-085E-3E59-A4318E82D4A8} -> Spyware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{DE3BEBDB-AEE7-4277-8B6E-4EEFFA9508AE} -> Spyware.CoolWebSearch : Cleaned with backup
C:\WINDOWS\syswo32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\tcdsv.log:wzolu -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\tmp28.tmp:yylvn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\ulead32.ini:qlwrl -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\vminst.log:hbavq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\vminst.log:ncptk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\vxscr.log:csyfp -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\vxscr.log:zkrjo -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\WebCamMon.ini:bsogj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\WebCamMon.ini:hbqqh -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\win.ini:jeakt -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\winag.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\windh32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\Windows Update.log:dwldi -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\Windows Update.log:roeve -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\WindowsUpdate.log:nljqm -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\WindowsUpdate.log:xoaqh -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\wineu32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\wininit.ini:khxttd -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\wininit.ini:sutbe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winli32.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\winnd32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winni32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winnt.bmp:msiuc -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\winnt.bmp:ypxqb -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\winnt256.bmp:chqzvf -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winnt256.bmp:cqhfa -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winnt256.bmp:dhmmp -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\winnt256.bmp:uglvp -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\WINNT32.LOG:oqove -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\winpc32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winqv32.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\wintj.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winyo.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\winzj32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\wmsetup.log:fcusk -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\wmsetup.log:hpdie -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\wmsetup.log:llmze -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\wsdu.log:jqaby -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\wsdu.log:xmtez -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\XIIIHooligans.ini:gipfm -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\xpsp1hfm.log:qvxcg -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\yacs.log:bgwsl -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\yacs.log:ncyxg -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:aaazd -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:aokgx -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:atluk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:avpal -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:bdzoq -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:bfizn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:bpuoc -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:bufgb -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:cktttm -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:cuoxd -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:cvham -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:cvwsu -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:ddbeq -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:dijqdl -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:diwzt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:dnnmyw -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:drbmm -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:drjzh -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:dtfkt -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:dyklh -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:ebolx -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:eievyw -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:evniv -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:fjcol -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:fmrxb -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:fnecr -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:fwrha -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:fzgzw -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:gandv -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:gongp -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:gpgct -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:gtmsf -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:gtnjh -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:hbgzy -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:hcrcs -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:hevhon -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:hjonm -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:hpikx -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:htals -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:htfzl -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:hwazc -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:ibmmy -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:ignva -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:ihdrp -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:ihwnd -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:iikol -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:ijgtx -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:ilfzh -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:ilwcp -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:isjss -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:ivvzb -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:jgrue -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:jpact -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:jvyte -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:jzabyn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:kcqar -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:kulxq -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:ladln -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:lbdjr -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:lbslu -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:lcizog -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:lfdyl -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:lhylii -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:liaid -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:lpnvd -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:madoa -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:mbsmc -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:mefkl -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:mfczn -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:mgqpq -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:mhlkj -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:mqfzz -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:mzzkh -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:nxbyr -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:nxkki -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:nynwa -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:oboej -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:olgwu -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:ppiun -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:prawe -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:qfukzj -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:qqoae -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:qshbn -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:qtcof -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:rboxm -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:rpyrm -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:rqjnq -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:rqvof -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:rutag -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:rutagk -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:rvxlb -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:rwnca -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:scsjm -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:sdcno -> TrojanDownloader.Agent.bq : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:sdopq -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:silct -> TrojanDownloader.Agent.bq : Cleaned with backup
::Report End
(sorry that was so long)
***************************************************
Here is the DelRunOnce logfile:
(although there doesn't seem to be much there - this was all the text that was in C:\delrunonce.txt)
Random run once fix tool by Omerr V1.01
Please pay attention this removes only the files, not the entries.
1. Starting registry fix
-
DONE
2. Starting removal of files in windows directory
3. Starting removal of files in system directory
Finished fix process. Please copy the log and paste it in the forum.
***********************************************
And this is all the text there was in C:\log.txt:
>Opening...done
>Closing...done
>Opening...done
>Closing...done
>Opening...done
>Closing...done
>Opening...done
And here is my latest Hijack This log from today (after a Spybot and Adaware scan):
Logfile of HijackThis v1.99.1
Scan saved at 15:24:45, on 06/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis\HijackThis Version 1.99.0.1\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] "C:\Program Files\ABBYY FineReader 7.0\AbbyyNewsReader.exe"
O4 - HKLM\..\Run: [DVD43] "C:\Program Files\DVD Region+CSS Free\DVDRegionFree.exe" /hidden
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht0_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
*******************************************
I was wondering whether the HJT log should have these entries:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
The other thing that I thought was a bit suspicious is a program listed in the running processes (C:\WINDOWS\system32\wuauclt.exe) - a similar type of program was listed in last night's HJT log after I had completed your instructions, but the one that is there today has a different name - should that be there? I also can't seem to find it in the HJT log anywhere else.
The Ewido program seems to have been absolutely fantastic - thank you for directing me towards that. I now have it installed, and the guard is on and set to update automatically.
I should mention two more things. One is that every now and again, mainly when I am attempting to complete scans, the laptop will just die and turn off - almost like a power cut, except there is nothing wrong with the power connection. No blue screen, no error messages, and nothing mentioned on restarting after it turns itself off.
The last thing is that I did turn on System Restore again - on Wednesday, I think - and I don't know whether that will have affected the success of your instructions.
Finally, thank you so, so much! I was totally lost with this, and you have helped me so much already. I hope that I have done everything right, and I will wait to hear your verdict!
Thank you for taking the time to go through all of this,
Jeebers (Katy)
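The ewido report above mixes two kinds of entries: plain files (netgp.exe, netfq.dll) and NTFS alternate data streams written as file:stream (win.ini:jeakt, _MSRSTRT.EXE:aaazd), where the host file is a legitimate Windows file and only the stream attached to it was detected. The following Python is an added example, not part of the thread and not ewido's own tooling; it parses a constructed excerpt of that report format (the lines are copied from the report above, but it is not the full report), separates host file from stream name, and summarises detections per family and per host file.

```python
import re
from collections import Counter

# Constructed excerpt in the format of the ewido report in the thread; the
# paths and stream names are copied from that report, but this is not the
# full report.
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\netfq.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\system32\netgp.exe -> Trojan.Agent.bi : Cleaned with backup
C:\WINDOWS\win.ini:jeakt -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:aaazd -> TrojanDownloader.Agent.bc : Cleaned with backup
C:\WINDOWS\_MSRSTRT.EXE:atluk -> TrojanDownloader.Agent.bq : Cleaned with backup
::Report End
"""

# One report line: <path> -> <detection name> : <action taken>
LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>\S+) : (?P<action>.+)$")


def split_stream(path):
    """Split 'C:\\dir\\file:stream' into (host_file, stream); stream is None for a plain file.

    The only other colon in a Windows path is the one after the drive letter,
    so it is skipped before looking for the stream separator.
    """
    if len(path) > 1 and path[1] == ":":
        drive, body = path[:2], path[2:]
    else:
        drive, body = "", path
    host, sep, stream = body.partition(":")
    return drive + host, (stream if sep else None)


def parse_line(line):
    """Return a dict for a detection line, or None for headers/footers such as '::Report End'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host, stream = split_stream(m.group("path"))
    return {
        "path": m.group("path"),
        "host": host,
        "stream": stream,
        "detection": m.group("detection"),
        "action": m.group("action"),
    }


def summarize(report_text):
    """Aggregate a report: totals per detection family, and which host files carried streams."""
    entries = [e for e in map(parse_line, report_text.splitlines()) if e]
    ads = [e for e in entries if e["stream"] is not None]
    return {
        "total": len(entries),
        "by_detection": dict(Counter(e["detection"] for e in entries)),
        "ads_count": len(ads),
        # host file -> number of malicious streams that were attached to it
        "ads_hosts": dict(Counter(e["host"] for e in ads)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

To use it on a saved full report, pass the file contents to summarize(). The ads_hosts count is the part worth reading: a legitimate file such as win.ini or WindowsUpdate.log that carried several streams is not itself the malware, so the follow-up check is that the streams are gone, not that the host file has been deleted.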
====
You will sometimes get these entries after having had nasties on your PC:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
======
Run HijackThis, click "Scan", then check (tick) the following, if present:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
Now close all instances of Internet Explorer and any other windows you have open except HijackThis, and click "Fix checked".
===============
After rebooting, rescan with HijackThis and post back a new log. Please let me know how your PC is now.
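As an added example (not HijackThis's own code and not something posted in this thread), the following Python reads HijackThis logs in the format shown above, flags the four leftover entries the reply lists (a Default_Page_URL of about:blank, an empty Local Page, a missing URLSearchHook, and a Global Startup .lnk that resolves to ?), and diffs the entry lists of a before and an after log so you can confirm that a fix actually took. The two sample logs are constructed excerpts of the 06/08 log above and the 07/08 log that follows.

```python
import re

# Constructed excerpts in the HijackThis log format, copied from the two logs
# in the thread: the 06/08 log before the fix and the 07/08 log after it.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# A HijackThis entry line: section code (R0, R1, O4, O23, ...), " - ", then the entry body.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")

# Leftover patterns named in the reply above; each is (section code, pattern on the body).
RESIDUE_PATTERNS = [
    ("R1", re.compile(r"Main,Default_Page_URL = about:blank$")),
    ("R0", re.compile(r"Main,Local Page =$")),
    ("R3", re.compile(r"^Default URLSearchHook is missing$")),
    ("O4", re.compile(r"^Global Startup: .*\.lnk = \?$")),
]


def parse_entries(log_text):
    """Return (kind, body) pairs for every entry line, skipping the header and the process list."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def flag_residue(entries):
    """Return the entry lines that match one of the leftover patterns, in log order."""
    flagged = []
    for kind, body in entries:
        if any(kind == k and pat.search(body) for k, pat in RESIDUE_PATTERNS):
            flagged.append(f"{kind} - {body}")
    return flagged


def entries_removed(before_text, after_text):
    """Entry lines present in the earlier log but absent from the later one, in log order."""
    after = set(parse_entries(after_text))
    return [f"{k} - {b}" for k, b in parse_entries(before_text) if (k, b) not in after]


if __name__ == "__main__":
    print("flagged before fix:", flag_residue(parse_entries(BEFORE_LOG)))
    print("gone after fix:", entries_removed(BEFORE_LOG, AFTER_LOG))
```

The script only reads logs; the removal itself is still done with HijackThis as described in the reply. Only the four entries the reply names are flagged, so the ProxyOverride line, which the reply leaves alone, is deliberately not matched. Comparing entries_removed() against flag_residue() is the check that the fix removed exactly what was ticked and nothing else.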
Hello Crunchie,
Thank you so much - you have single-handedly restored my sanity with all of your help and useful instructions.
I followed your latest advice and fixed the checked entries. HJT displayed an error while it was trying to fix the 4 entries, but I rebooted anyway, did another scan, and everything seems to be OK, and the 4 entries are in the HJT backups, so I assume they have been successfully fixed/removed.
Here is my latest HJT log after the fix and reboot:
Logfile of HijackThis v1.99.1
Scan saved at 13:08:09, on 07/08/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\WINDOWS\system32\atiptaxx.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\HijackThis\HijackThis Version 1.99.0.1\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HotkeyApp] C:\Program Files\Launch Manager\HotkeyApp.exe
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] "C:\Program Files\ABBYY FineReader 7.0\AbbyyNewsReader.exe"
O4 - HKLM\..\Run: [DVD43] "C:\Program Files\DVD Region+CSS Free\DVDRegionFree.exe" /hidden
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.creative.com
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/games/clients/y/kt3_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct1_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
O16 - DPF: Yahoo! Hearts - http://download.games.yahoo.com/games/clients/y/ht0_x.cab
O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt0_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/games/clients/y/pt0_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/potc_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmessengersetupdownloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/popcap/zuma/popcaploader_v5.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
************************************************
It looks like my laptop is ok now?
I have no idea how I managed to get this hijack - I have always tried to be careful, have regularly updated and scanned with Norton, Adaware and Spybot, so if you have any tips on any other things I might do to prevent a future re-occurrence I would be very interested.
One last question - should I install the Spybot S&D second layer of protection to permanently block bad downloads in Internet Explorer? I have never done that for some reason, and wondered if it would be a good idea to do that.
Also, is it ok to move the DelRunOnce and About Buster folders from my desktop now, and should I put them anywhere in particular?
Thank you again,
Katy
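As an added example (not part of this thread, and not HijackThis's own logic), the Python below parses the O16 (DPF download) and O23 (service) lines of a log like the one above into records and applies two simple triage rules. The sample input is three lines copied from the log above plus one constructed placeholder service line; the triage rules are this example's own heuristics.

```python
import re
from dataclasses import dataclass
from typing import List

@dataclass
class Entry:
    section: str   # "O23" (service) or "O16" (DPF / ActiveX download)
    name: str      # display name, e.g. "Symantec Event Manager (ccEvtMgr)"
    detail: str    # service owner for O23, empty for O16
    target: str    # executable path (O23) or download URL (O16)

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<name>.+?) - (?P<url>\S+)$")

# Constructed sample: three lines taken from the log in this thread plus one
# made-up placeholder service (NOT from the log) living in a user's Temp folder.
SAMPLE_LOG = r"""
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O23 - Service: Placeholder Service (placeholdersvc) - Unknown owner - C:\Documents and Settings\user\Local Settings\Temp\placeholder.exe
"""

def parse_hjt(text: str) -> List[Entry]:
    """Turn O16 and O23 lines of a HijackThis log into Entry records; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = O23_RE.match(line)
        if m:
            entries.append(Entry("O23", m["name"], m["owner"], m["path"]))
            continue
        m = O16_RE.match(line)
        if m:
            entries.append(Entry("O16", m["name"], "", m["url"]))
    return entries

# Heuristics used by this example: a service binary under a user profile or any
# Temp directory is a strong malware indicator; a missing vendor string alone
# (common for some drivers, like the ATI entry) only warrants checking the file.
USER_DIRS = ("\\documents and settings\\", "\\temp\\")

def triage(entries: List[Entry]) -> List[str]:
    """Return one finding string per suspicious O23 service entry, in log order."""
    findings = []
    for e in entries:
        if e.section != "O23":
            continue
        low = e.target.lower()
        if any(d in low for d in USER_DIRS):
            findings.append(f"HIGH: service '{e.name}' runs from user/temp path {e.target}")
        elif e.detail == "Unknown owner":
            findings.append(f"CHECK: service '{e.name}' has no vendor string ({e.target}); verify the file")
    return findings
```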
Definitely a good idea. You can also get Spybot's Tea-Timer up and running too for extra protection. Ewido will only give you real-time protection until the end of the trial period, unless you actually go ahead and purchase it.
===============
Yes. I have a folder in My Documents that I have named 'security' where I put all those special tools.
===============
Congratulations! Your log looks clean - good work!
===============
Now that your PC is clean you need to follow these easy steps to keeping it this way:
Secure your Internet Explorer by going here and following the instructions there.
Better yet, use an alternative browser! Download FireFox and give it a run. It is far more secure than Internet Explorer. Or, you can get Opera which in my opinion, is better still.
Use a firewall to help prevent your PC's control being usurped by undesirables. There is a link to a good, free firewall in my signature.
Install and keep updated, Ad-Aware SE, and Spybot S&D.
Run them both on a regular basis, following the manufacturer's recommendations.
Install an anti-virus. There are some good, free AV's available today. Make sure that it is updated regularly and have it scan your system often.
Check for Windows Updates. Microsoft regularly posts updates for your system's safe running. Make sure to take advantage of this. Reboot when installed and return to make sure there are no others.
Clear your Temp folders.
Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel >Internet Options.
Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.
Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.
Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)
C:\Documents and Settings\username\Local Settings\Temp\
In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.
Empty the Recycle Bin.
For XP users.
After something like this it is a good idea to Flush the Restore Points and start fresh.
To flush the XP system Restore Points.
Go to Start>Run and type msconfig. Press enter.
When msconfig opens, click the Launch System Restore Button.
On the next page, click the System Restore Settings link on the left.
Check the box labelled 'Turn off System restore'.
Reboot. Go back in and Turn System Restore Back on. A new Restore Point will be created.
Note that all previous restore points will be lost.
===============
If you have any more problems, post back.
-
Happy surfing,
crunchie.
Thank you so much for all of your help, and for the confirmation that my log looks clean.
I will definitely look into Mozilla Firefox - I've only heard good things about it, and I am sick of being compromised just because I use Internet Explorer!
Spybot S&D Tea Timer - does that offer similar kind of real-time protection to the ewido program, and if so - how do I get it? (as I chose not to select it as an extra option when I installed Spybot last).
I can't thank you enough - you really really made a difference. I hope you have a great day.
Katy
You are welcome.
Thanks Crunchie - that's all done now. You have been very helpful and kind. It is much appreciated!
Katy