Free Malware Removal Forum

[ccinmfd]

Logfile of HijackThis v1.99.1
Scan saved at 8:56:37 PM, on 2/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\mfcig.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Hewlett-Packard\hp deskjet 9300 series\Toolbox\mpm.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Fcenprt\Czdmn.exe
C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe
C:\Program Files\iPod\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\AOL\1101774857\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1101774857\ee\AOLServiceHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\DOCUME~1\carrollc\LOCALS~1\Temp\155.tmp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\carrollc\LOCALS~1\Temp\156.tmp.exe
c:\program files\common files\aol\1101774857\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1101774857\ee\AOLServiceHost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Hewlett-Packard\hp deskjet 9300 series\Toolbox\HPWGTBX.exe
C:\WINDOWS\ippb.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Documents and Settings\carrollc\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\drtfw.dll/sp.html#10001%resultposition.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\drtfw.dll/sp.html#10001%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\drtfw.dll/sp.html#10001%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bareh.dll/sp.html#10001%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bareh.dll/sp.html#10001%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Class - {6537283D-964A-CBD4-C67B-7091E7AC8979} - C:\WINDOWS\msav32.dll
O2 - BHO: Class - {7E652F00-83F5-AD05-9AAB-F6B25376211E} - C:\WINDOWS\system32\winbg32.dll
O2 - BHO: Class - {F1D7DCBA-0130-C987-716B-EE88E16B0371} - C:\WINDOWS\ipph.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101774857\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HPWG myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp deskjet 9300 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Dwmkv] C:\Program Files\Fcenprt\Czdmn.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iPod\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [ntbl32.exe] C:\WINDOWS\ntbl32.exe
O4 - HKLM\..\Run: [155.tmp] C:\DOCUME~1\carrollc\LOCALS~1\Temp\155.tmp.exe
O4 - HKLM\..\Run: [156.tmp] C:\DOCUME~1\carrollc\LOCALS~1\Temp\156.tmp.exe
O4 - HKLM\..\Run: [155.tmp.exe] C:\DOCUME~1\carrollc\LOCALS~1\Temp\155.tmp.exe
O4 - HKLM\..\Run: [156.tmp.exe] C:\DOCUME~1\carrollc\LOCALS~1\Temp\156.tmp.exe
O4 - HKLM\..\Run: [addhm32.exe] C:\WINDOWS\addhm32.exe
O4 - HKLM\..\Run: [javaon32.exe] C:\WINDOWS\javaon32.exe
O4 - HKLM\..\Run: [addkz32.exe] C:\WINDOWS\system32\addkz32.exe
O4 - HKLM\..\Run: [atlrz32.exe] C:\WINDOWS\system32\atlrz32.exe
O4 - HKLM\..\Run: [mfcig32.exe] C:\WINDOWS\system32\mfcig32.exe
O4 - HKLM\..\Run: [atlih32.exe] C:\WINDOWS\atlih32.exe
O4 - HKLM\..\Run: [syskh.exe] C:\WINDOWS\syskh.exe
O4 - HKLM\..\Run: [addgb32.exe] C:\WINDOWS\addgb32.exe
O4 - HKLM\..\Run: [ntdo.exe] C:\WINDOWS\ntdo.exe
O4 - HKLM\..\Run: [d3xb32.exe] C:\WINDOWS\system32\d3xb32.exe
O4 - HKLM\..\Run: [apisa32.exe] C:\WINDOWS\system32\apisa32.exe
O4 - HKLM\..\Run: [apiyj.exe] C:\WINDOWS\system32\apiyj.exe
O4 - HKLM\..\Run: [ieut.exe] C:\WINDOWS\ieut.exe
O4 - HKLM\..\Run: [javast.exe] C:\WINDOWS\javast.exe
O4 - HKLM\..\Run: [ntmm32.exe] C:\WINDOWS\ntmm32.exe
O4 - HKLM\..\Run: [addqs32.exe] C:\WINDOWS\addqs32.exe
O4 - HKLM\..\Run: [crgj32.exe] C:\WINDOWS\crgj32.exe
O4 - HKLM\..\Run: [sdkni.exe] C:\WINDOWS\sdkni.exe
O4 - HKLM\..\Run: [ipub32.exe] C:\WINDOWS\ipub32.exe
O4 - HKLM\..\Run: [atlql.exe] C:\WINDOWS\system32\atlql.exe
O4 - HKLM\..\Run: [d3jp32.exe] C:\WINDOWS\d3jp32.exe
O4 - HKLM\..\Run: [iefr32.exe] C:\WINDOWS\iefr32.exe
O4 - HKLM\..\Run: [ipjk.exe] C:\WINDOWS\system32\ipjk.exe
O4 - HKLM\..\Run: [d3sp32.exe] C:\WINDOWS\system32\d3sp32.exe
O4 - HKLM\..\Run: [apimn32.exe] C:\WINDOWS\system32\apimn32.exe
O4 - HKLM\..\Run: [ippb.exe] C:\WINDOWS\ippb.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ppclean.exe" "clean" "silent" "smartfinder" "2"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\EA SPORTS\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLhelper ... helper.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_2 ... lashAX.cab
O16 - DPF: {E9670165-86FE-4C34-8C4B-D3158DDC5D92} (Installer Class) - http://downloads.shopathomeselect.com/a ... 10_sp2.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0022.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EEFBC7FB-20CD-4ABB-A1A4-B64B40758E90}: Domain = boysvillage.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{EEFBC7FB-20CD-4ABB-A1A4-B64B40758E90}: NameServer = 10.129.1.6
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = boysvillage.org
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = boysvillage.org
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

[ChrisRLG]

Hi

You have an About:Blank infection - I would like to see a up to date Hijackthis log so I can give you some advice.

Please try to use the computer for as little as possible on the internet till you are clean - and try not to reboot the machine too much as every time it is rebooted it has a chance to mutate.

[ccinmfd]

Logfile of HijackThis v1.99.1
Scan saved at 4:40:47 PM, on 2/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Hewlett-Packard\hp deskjet 9300 series\Toolbox\mpm.exe
C:\Program Files\Common Files\AOL\1101774857\ee\AOLHostManager.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1101774857\ee\AOLServiceHost.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe
C:\Program Files\Fcenprt\Czdmn.exe
C:\Program Files\iPod\iTunes\iTunesHelper.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\DOCUME~1\carrollc\LOCALS~1\Temp\156.tmp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
c:\program files\common files\aol\1101774857\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1101774857\ee\AOLServiceHost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\sdkyq32.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\ipci32.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Hewlett-Packard\hp deskjet 9300 series\Toolbox\HPWGTBX.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Documents and Settings\carrollc\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cbixp.dll/sp.html#10001%resultposition.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\drtfw.dll/sp.html#10001%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\drtfw.dll/sp.html#10001%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wvequ.dll/sp.html#10001%resultposition.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {62B92B1B-2FF4-C0C0-407F-FD1EF3FDEB7A} - (no file)
O2 - BHO: Class - {6537283D-964A-CBD4-C67B-7091E7AC8979} - C:\WINDOWS\msav32.dll
O2 - BHO: Class - {EBB4A740-CDEF-2FEA-7B76-BB8815E8A690} - C:\WINDOWS\system32\mfczq32.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101774857\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HPWG myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp deskjet 9300 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Dwmkv] C:\Program Files\Fcenprt\Czdmn.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iPod\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [ntbl32.exe] C:\WINDOWS\ntbl32.exe
O4 - HKLM\..\Run: [155.tmp] C:\DOCUME~1\carrollc\LOCALS~1\Temp\155.tmp.exe
O4 - HKLM\..\Run: [156.tmp] C:\DOCUME~1\carrollc\LOCALS~1\Temp\156.tmp.exe
O4 - HKLM\..\Run: [155.tmp.exe] C:\DOCUME~1\carrollc\LOCALS~1\Temp\155.tmp.exe
O4 - HKLM\..\Run: [156.tmp.exe] C:\DOCUME~1\carrollc\LOCALS~1\Temp\156.tmp.exe
O4 - HKLM\..\Run: [addhm32.exe] C:\WINDOWS\addhm32.exe
O4 - HKLM\..\Run: [javaon32.exe] C:\WINDOWS\javaon32.exe
O4 - HKLM\..\Run: [addkz32.exe] C:\WINDOWS\system32\addkz32.exe
O4 - HKLM\..\Run: [atlrz32.exe] C:\WINDOWS\system32\atlrz32.exe
O4 - HKLM\..\Run: [mfcig32.exe] C:\WINDOWS\system32\mfcig32.exe
O4 - HKLM\..\Run: [atlih32.exe] C:\WINDOWS\atlih32.exe
O4 - HKLM\..\Run: [syskh.exe] C:\WINDOWS\syskh.exe
O4 - HKLM\..\Run: [addgb32.exe] C:\WINDOWS\addgb32.exe
O4 - HKLM\..\Run: [ntdo.exe] C:\WINDOWS\ntdo.exe
O4 - HKLM\..\Run: [d3xb32.exe] C:\WINDOWS\system32\d3xb32.exe
O4 - HKLM\..\Run: [apisa32.exe] C:\WINDOWS\system32\apisa32.exe
O4 - HKLM\..\Run: [apiyj.exe] C:\WINDOWS\system32\apiyj.exe
O4 - HKLM\..\Run: [ieut.exe] C:\WINDOWS\ieut.exe
O4 - HKLM\..\Run: [javast.exe] C:\WINDOWS\javast.exe
O4 - HKLM\..\Run: [ntmm32.exe] C:\WINDOWS\ntmm32.exe
O4 - HKLM\..\Run: [addqs32.exe] C:\WINDOWS\addqs32.exe
O4 - HKLM\..\Run: [crgj32.exe] C:\WINDOWS\crgj32.exe
O4 - HKLM\..\Run: [sdkni.exe] C:\WINDOWS\sdkni.exe
O4 - HKLM\..\Run: [ipub32.exe] C:\WINDOWS\ipub32.exe
O4 - HKLM\..\Run: [atlql.exe] C:\WINDOWS\system32\atlql.exe
O4 - HKLM\..\Run: [d3jp32.exe] C:\WINDOWS\d3jp32.exe
O4 - HKLM\..\Run: [iefr32.exe] C:\WINDOWS\iefr32.exe
O4 - HKLM\..\Run: [ipjk.exe] C:\WINDOWS\system32\ipjk.exe
O4 - HKLM\..\Run: [d3sp32.exe] C:\WINDOWS\system32\d3sp32.exe
O4 - HKLM\..\Run: [apimn32.exe] C:\WINDOWS\system32\apimn32.exe
O4 - HKLM\..\Run: [ippb.exe] C:\WINDOWS\ippb.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [crsq.exe] C:\WINDOWS\crsq.exe
O4 - HKLM\..\Run: [d3yc.exe] C:\WINDOWS\d3yc.exe
O4 - HKLM\..\Run: [winwr32.exe] C:\WINDOWS\winwr32.exe
O4 - HKLM\..\Run: [ipes32.exe] C:\WINDOWS\ipes32.exe
O4 - HKLM\..\Run: [addjs32.exe] C:\WINDOWS\system32\addjs32.exe
O4 - HKLM\..\Run: [apidq.exe] C:\WINDOWS\apidq.exe
O4 - HKLM\..\Run: [apiaa32.exe] C:\WINDOWS\system32\apiaa32.exe
O4 - HKLM\..\Run: [d3is32.exe] C:\WINDOWS\d3is32.exe
O4 - HKLM\..\Run: [atlzg.exe] C:\WINDOWS\atlzg.exe
O4 - HKLM\..\Run: [iede.exe] C:\WINDOWS\system32\iede.exe
O4 - HKLM\..\Run: [ipci32.exe] C:\WINDOWS\ipci32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKLM\..\RunOnce: [Pest Cleaning] "C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\ppclean.exe" "clean" "silent" "smartfinder" "2"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\EA SPORTS\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLhelper ... helper.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_2 ... lashAX.cab
O16 - DPF: {E9670165-86FE-4C34-8C4B-D3158DDC5D92} (Installer Class) - http://downloads.shopathomeselect.com/a ... 10_sp2.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0022.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{EEFBC7FB-20CD-4ABB-A1A4-B64B40758E90}: Domain = boysvillage.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{EEFBC7FB-20CD-4ABB-A1A4-B64B40758E90}: NameServer = 10.129.1.6
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = boysvillage.org
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = boysvillage.org
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

[ChrisRLG]

sorry for the delay.

==========

First of all I need you to download some programs for use later.

Download this file and unzip it to your desktop

Download About:Buster from here. Once it is downloaded extract it to c:\aboutbuster. Do NOT use it yet

Download CWShredder from here, install it, check for updates but again, don't use it yet.

Download and install Ewido Security Suite Trial from here. Run and update the program but do not scan with it yet.

Ensure hidden files and folders are set to show;

• Click Start.
• Open My Computer.
• Select the Tools menu and click Folder Options.
• Select the View Tab.
• Under the Hidden files and folders heading select Show hidden files and folders.
• Uncheck the Hide protected operating system files (recommended) option.
• Click Yes to confirm.
• Click OK.

Next, go to Start->Run and type "Services.msc" (without quotes) then hit Ok

Please disconnect from the Internet and unplug your modem for the duration of this fix You may want to print the rest of these instructions.

Reboot your computer into Safe Mode by tapping F8 while booting up and continue for the rest of the fix in SAFE MODE

While in safe mode, double click on the HSfix.reg file you downloaded at the beginning. Grant it permission to add the registry items.

Then Open cwshredder that you downloaded in the first step. Close all browser windows and click on the fix/next button.

Bring up task manager Ctrl-Alt-Del and end these processes if they are present

C:\Program Files\Fcenprt\Czdmn.exe
C:\DOCUME~1\carrollc\LOCALS~1\Temp\156.tmp.exe
C:\WINDOWS\system32\sdkyq32.exe
C:\WINDOWS\ipci32.exe
C:\WINDOWS\system32\cbixp.dll
C:\WINDOWS\system32\drtfw.dll
C:\WINDOWS\system32\wvequ.dll
C:\WINDOWS\msav32.dll
C:\WINDOWS\system32\mfczq32.dll
C:\WINDOWS\ntbl32.exe
C:\DOCUME~1\carrollc\LOCALS~1\Temp\155.tmp.exe
C:\WINDOWS\addhm32.exe
C:\WINDOWS\javaon32.exe
C:\WINDOWS\system32\addkz32.exe
C:\WINDOWS\system32\atlrz32.exe
C:\WINDOWS\system32\mfcig32.exe
C:\WINDOWS\atlih32.exe
C:\WINDOWS\syskh.exe
C:\WINDOWS\addgb32.exe
C:\WINDOWS\ntdo.exe
C:\WINDOWS\system32\d3xb32.exe
C:\WINDOWS\system32\apisa32.exe
C:\WINDOWS\system32\apiyj.exe
C:\WINDOWS\ieut.exe
C:\WINDOWS\javast.exe
C:\WINDOWS\ntmm32.exe
C:\WINDOWS\addqs32.exe
C:\WINDOWS\crgj32.exe
C:\WINDOWS\sdkni.exe
C:\WINDOWS\ipub32.exe
C:\WINDOWS\system32\atlql.exe
C:\WINDOWS\d3jp32.exe
C:\WINDOWS\iefr32.exe
C:\WINDOWS\system32\ipjk.exe
C:\WINDOWS\system32\d3sp32.exe
C:\WINDOWS\system32\apimn32.exe
C:\WINDOWS\ippb.exe
C:\WINDOWS\crsq.exe
C:\WINDOWS\d3yc.exe
C:\WINDOWS\winwr32.exe
C:\WINDOWS\ipes32.exe
C:\WINDOWS\system32\addjs32.exe
C:\WINDOWS\apidq.exe
C:\WINDOWS\system32\apiaa32.exe
C:\WINDOWS\d3is32.exe
C:\WINDOWS\atlzg.exe
C:\WINDOWS\system32\iede.exe

Now find and delete these files, if you can't find one then don't worry.. just move on to the next one.


C:\Program Files\Fcenprt\Czdmn.exe
C:\DOCUME~1\carrollc\LOCALS~1\Temp\156.tmp.exe
C:\WINDOWS\system32\sdkyq32.exe
C:\WINDOWS\ipci32.exe
C:\WINDOWS\system32\cbixp.dll
C:\WINDOWS\system32\drtfw.dll
C:\WINDOWS\system32\wvequ.dll
C:\WINDOWS\msav32.dll
C:\WINDOWS\system32\mfczq32.dll
C:\WINDOWS\ntbl32.exe
C:\DOCUME~1\carrollc\LOCALS~1\Temp\155.tmp.exe
C:\WINDOWS\addhm32.exe
C:\WINDOWS\javaon32.exe
C:\WINDOWS\system32\addkz32.exe
C:\WINDOWS\system32\atlrz32.exe
C:\WINDOWS\system32\mfcig32.exe
C:\WINDOWS\atlih32.exe
C:\WINDOWS\syskh.exe
C:\WINDOWS\addgb32.exe
C:\WINDOWS\ntdo.exe
C:\WINDOWS\system32\d3xb32.exe
C:\WINDOWS\system32\apisa32.exe
C:\WINDOWS\system32\apiyj.exe
C:\WINDOWS\ieut.exe
C:\WINDOWS\javast.exe
C:\WINDOWS\ntmm32.exe
C:\WINDOWS\addqs32.exe
C:\WINDOWS\crgj32.exe
C:\WINDOWS\sdkni.exe
C:\WINDOWS\ipub32.exe
C:\WINDOWS\system32\atlql.exe
C:\WINDOWS\d3jp32.exe
C:\WINDOWS\iefr32.exe
C:\WINDOWS\system32\ipjk.exe
C:\WINDOWS\system32\d3sp32.exe
C:\WINDOWS\system32\apimn32.exe
C:\WINDOWS\ippb.exe
C:\WINDOWS\crsq.exe
C:\WINDOWS\d3yc.exe
C:\WINDOWS\winwr32.exe
C:\WINDOWS\ipes32.exe
C:\WINDOWS\system32\addjs32.exe
C:\WINDOWS\apidq.exe
C:\WINDOWS\system32\apiaa32.exe
C:\WINDOWS\d3is32.exe
C:\WINDOWS\atlzg.exe
C:\WINDOWS\system32\iede.exe


Now run hijackthis and click the scan button, when it has finished scanning put a check against the following and click 'fix checked'



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cbixp.dll/sp.html#10001%resultposition.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\drtfw.dll/sp.html#10001%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\drtfw.dll/sp.html#10001%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\wvequ.dll/sp.html#10001%resultposition.net
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {62B92B1B-2FF4-C0C0-407F-FD1EF3FDEB7A} - (no file)
O2 - BHO: Class - {6537283D-964A-CBD4-C67B-7091E7AC8979} - C:\WINDOWS\msav32.dll
O2 - BHO: Class - {EBB4A740-CDEF-2FEA-7B76-BB8815E8A690} - C:\WINDOWS\system32\mfczq32.dll
O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKLM\..\Run: [ntbl32.exe] C:\WINDOWS\ntbl32.exe
O4 - HKLM\..\Run: [155.tmp] C:\DOCUME~1\carrollc\LOCALS~1\Temp\155.tmp.exe
O4 - HKLM\..\Run: [156.tmp] C:\DOCUME~1\carrollc\LOCALS~1\Temp\156.tmp.exe
O4 - HKLM\..\Run: [155.tmp.exe] C:\DOCUME~1\carrollc\LOCALS~1\Temp\155.tmp.exe
O4 - HKLM\..\Run: [156.tmp.exe] C:\DOCUME~1\carrollc\LOCALS~1\Temp\156.tmp.exe
O4 - HKLM\..\Run: [addhm32.exe] C:\WINDOWS\addhm32.exe
O4 - HKLM\..\Run: [javaon32.exe] C:\WINDOWS\javaon32.exe
O4 - HKLM\..\Run: [addkz32.exe] C:\WINDOWS\system32\addkz32.exe
O4 - HKLM\..\Run: [atlrz32.exe] C:\WINDOWS\system32\atlrz32.exe
O4 - HKLM\..\Run: [mfcig32.exe] C:\WINDOWS\system32\mfcig32.exe
O4 - HKLM\..\Run: [atlih32.exe] C:\WINDOWS\atlih32.exe
O4 - HKLM\..\Run: [syskh.exe] C:\WINDOWS\syskh.exe
O4 - HKLM\..\Run: [addgb32.exe] C:\WINDOWS\addgb32.exe
O4 - HKLM\..\Run: [ntdo.exe] C:\WINDOWS\ntdo.exe
O4 - HKLM\..\Run: [d3xb32.exe] C:\WINDOWS\system32\d3xb32.exe
O4 - HKLM\..\Run: [apisa32.exe] C:\WINDOWS\system32\apisa32.exe
O4 - HKLM\..\Run: [apiyj.exe] C:\WINDOWS\system32\apiyj.exe
O4 - HKLM\..\Run: [ieut.exe] C:\WINDOWS\ieut.exe
O4 - HKLM\..\Run: [javast.exe] C:\WINDOWS\javast.exe
O4 - HKLM\..\Run: [ntmm32.exe] C:\WINDOWS\ntmm32.exe
O4 - HKLM\..\Run: [addqs32.exe] C:\WINDOWS\addqs32.exe
O4 - HKLM\..\Run: [crgj32.exe] C:\WINDOWS\crgj32.exe
O4 - HKLM\..\Run: [sdkni.exe] C:\WINDOWS\sdkni.exe
O4 - HKLM\..\Run: [ipub32.exe] C:\WINDOWS\ipub32.exe
O4 - HKLM\..\Run: [atlql.exe] C:\WINDOWS\system32\atlql.exe
O4 - HKLM\..\Run: [d3jp32.exe] C:\WINDOWS\d3jp32.exe
O4 - HKLM\..\Run: [iefr32.exe] C:\WINDOWS\iefr32.exe
O4 - HKLM\..\Run: [ipjk.exe] C:\WINDOWS\system32\ipjk.exe
O4 - HKLM\..\Run: [d3sp32.exe] C:\WINDOWS\system32\d3sp32.exe
O4 - HKLM\..\Run: [apimn32.exe] C:\WINDOWS\system32\apimn32.exe
O4 - HKLM\..\Run: [ippb.exe] C:\WINDOWS\ippb.exe
O4 - HKLM\..\Run: [crsq.exe] C:\WINDOWS\crsq.exe
O4 - HKLM\..\Run: [d3yc.exe] C:\WINDOWS\d3yc.exe
O4 - HKLM\..\Run: [winwr32.exe] C:\WINDOWS\winwr32.exe
O4 - HKLM\..\Run: [ipes32.exe] C:\WINDOWS\ipes32.exe
O4 - HKLM\..\Run: [addjs32.exe] C:\WINDOWS\system32\addjs32.exe
O4 - HKLM\..\Run: [apidq.exe] C:\WINDOWS\apidq.exe
O4 - HKLM\..\Run: [apiaa32.exe] C:\WINDOWS\system32\apiaa32.exe
O4 - HKLM\..\Run: [d3is32.exe] C:\WINDOWS\d3is32.exe
O4 - HKLM\..\Run: [atlzg.exe] C:\WINDOWS\atlzg.exe
O4 - HKLM\..\Run: [iede.exe] C:\WINDOWS\system32\iede.exe
O4 - HKLM\..\Run: [ipci32.exe] C:\WINDOWS\ipci32.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] windir32.exe
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLhelper ... helper.cab
O16 - DPF: {EC51659D-721F-4CBF-9CEA-5E776D89CEA9} - http://www.pacimedia.com/install/pcs_0022.exe


The following step is important as you may have several malware files in your temp directories.

Then browse to the C:\documents and settings\Your User Name (repeat for all other user names in documents and settings)\local settings\temp folder and delete all files and folders in it. Then browse to the C:\Window\Temp folder and delete all files and folders in it. Then in internet explore click tools>internet Options>General. Click on Delete Files make sure you get all offline content as well.

Now navigate to the c:\aboutbuster directory and double-click on AboutBuster.exe. Click Begin Removal to allow AboutBuster to scan. When it has finished, AboutBuster will open a 'Scan Completed' window. Click OK. Another information window will open. Click on Exit. AboutBuster will inform you that a log has been created. Click OK. I will need you to post that log later.

Run Ewido and do a full System Scan with it. Let it clean anything it finds. Save the report it creates.

Now reboot,and run hijackthis again and post a fresh log along with the about buster log and the Ewido log.

[ccinmfd]

... Hi again ... you certainly did not need to say you were "sorry for the delay," ... it is actually I who takes days and days to respond back ... you have been quite prompt! ... I appreciate it ...

... I took all or most of the steps you provided, above, including downloading all the programs you pointed to, investigated files, checked files and ran the software programs mostly in safe mode ... and I am posting the HiJack This but I can't seem to find log files for the Ewido and the AboutBuster scans I did ... although I did do them per your directions ... should I run both again and post those log files subsequent to this communication? ... let me know ... and look forward to your reply ... regards, cc


Logfile of HijackThis v1.99.1
Scan saved at 12:57:11 PM, on 2/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Hewlett-Packard\hp deskjet 9300 series\Toolbox\mpm.exe
C:\Program Files\Common Files\AOL\1101774857\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1101774857\ee\AOLServiceHost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe
C:\Program Files\iPod\iTunes\iTunesHelper.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\common files\aol\1101774857\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1101774857\ee\AOLServiceHost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Documents and Settings\carrollc\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cbixp.dll/sp.html#10001%resultposition.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\drtfw.dll/sp.html#10001%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\drtfw.dll/sp.html#10001%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {62B92B1B-2FF4-C0C0-407F-FD1EF3FDEB7A} - (no file)
O2 - BHO: (no name) - {6537283D-964A-CBD4-C67B-7091E7AC8979} - (no file)
O2 - BHO: (no name) - {EBB4A740-CDEF-2FEA-7B76-BB8815E8A690} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101774857\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HPWG myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp deskjet 9300 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [Dwmkv] C:\Program Files\Fcenprt\Czdmn.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iPod\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\EA SPORTS\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_2 ... lashAX.cab
O16 - DPF: {E9670165-86FE-4C34-8C4B-D3158DDC5D92} (Installer Class) - http://downloads.shopathomeselect.com/a ... 10_sp2.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

[ChrisRLG]

I am sorry to say my time is very much at a premium at the moment - starting a new website which will hopefully kick off next weekend - (watch this space).

So i have posted requesting another experienced fighter come and take this topic over. You should hear shortly

[Linkmaster]

Hi ccinmfd, I will be taking over for Chris !!

We need to rerun a few things that Chris had you run !!

You may wish to print out a copy of these instructions to follow while you complete this procedure

Download ATF (Atribune Temp File) Cleaner© by Atribune

Show Hidden Files :
Click Start
Open My Computer
Select the Tools menu and click Folder Options
Select the View Tab
Under the Hidden files and folders heading select Show hidden files and folders
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK

Please disconnect from the Internet and unplug your modem for the duration of this fix

Reboot to Safe mode
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter.

Run HSfix.reg
Grant it permission to add the registry items.

Run CWShredder
Open CWShredder and click I AGREE
Click Fix and then Next, Make sure you let it fix all CWS Remnants

Run HijackThis
Scan and when it finishes, put a check mark only next to these following items : (if present)

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\cbixp.dll/sp.html#10001%resultposition.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\drtfw.dll/sp.html#10001%resultposition.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\drtfw.dll/sp.html#10001%resultposition.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

O2 - BHO: (no name) - {62B92B1B-2FF4-C0C0-407F-FD1EF3FDEB7A} - (no file)
O2 - BHO: (no name) - {6537283D-964A-CBD4-C67B-7091E7AC8979} - (no file)
O2 - BHO: (no name) - {EBB4A740-CDEF-2FEA-7B76-BB8815E8A690} - (no file)

O4 - HKLM\..\Run: [Dwmkv] C:\Program Files\Fcenprt\Czdmn.exe

O16 - DPF: {E9670165-86FE-4C34-8C4B-D3158DDC5D92} (Installer Class) - http://downloads.shopathomeselect.com/a ... 10_sp2.cab

Close all browsers and any open Windows, making sure that only HijackThis is open
Click Fix Checked

Open Windows Explorer, locate and Delete the following folders or files in BOLD : (if present)

C:\WINDOWS\system32\cbixp.dll
C:\WINDOWS\system32\drtfw.dll

Run ATF Cleaner
Double-click ATF Cleaner.exe
Under Main choose: Select All
Click the Empty Selected button.

Click Exit on the Main menu to close the program

Run About:Buster
Open AboutBuster and click the "Begin Removal" button It will shut down all Explorer windows (if open) while it works.
It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
When it has finished, click Save Log

Run Ewido Anti-Malware
Click on scanner
Click on Complete System Scan and the scan will begin.
When it finds the first infected item put a check next to "Perform action on all infections", then choose "remove"
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.
Now close Ewido Anti-Malware

Reboot to Normal Mode and post a fresh HijackThis log along with the Ewido log

[ccinmfd]

Hi ... I implemented your recommended fixes dated 2.18.06 10:38 p.m. ...

... with the following results:

Logfile of HijackThis v1.99.1
Scan saved at 12:28:36 AM, on 2/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\AOL\1101774857\ee\AOLHostManager.exe
C:\Program Files\Hewlett-Packard\hp deskjet 9300 series\Toolbox\mpm.exe
C:\Program Files\Common Files\AOL\1101774857\ee\AOLServiceHost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Java\jre1.5.0_02\bin\jucheck.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\common files\aol\1101774857\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1101774857\ee\AOLServiceHost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Documents and Settings\carrollc\Desktop\HijackThis.exe
C:\Program Files\SpywareGuard\sgbhp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {62B92B1B-2FF4-C0C0-407F-FD1EF3FDEB7A} - (no file)
O2 - BHO: (no name) - {6537283D-964A-CBD4-C67B-7091E7AC8979} - (no file)
O2 - BHO: (no name) - {EBB4A740-CDEF-2FEA-7B76-BB8815E8A690} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101774857\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HPWG myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp deskjet 9300 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iPod\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\EA SPORTS\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_2 ... lashAX.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe


... the ewido report is as follows:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 12:19:21 AM, 2/19/2006
+ Report-Checksum: BB9BDFF5

+ Scan result:

HKU\S-1-5-21-602162358-1592454029-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{62B92B1B-2FF4-C0C0-407F-FD1EF3FDEB7A} -> Adware.CoolWebSearch : Cleaned with backup
HKU\S-1-5-21-602162358-1592454029-725345543-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6537283D-964A-CBD4-C67B-7091E7AC8979} -> Adware.CoolWebSearch : Cleaned with backup
:mozilla.18:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.19:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.20:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.21:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.22:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.23:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.25:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.35:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.36:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.37:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.41:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.43:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.44:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.45:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.46:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.56:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.64:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.66:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.67:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.68:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.77:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.97:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.104:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.109:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.110:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup
:mozilla.111:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.112:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup
:mozilla.113:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.114:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.116:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.117:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.118:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.119:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.120:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.121:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.122:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.123:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.124:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup
:mozilla.131:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.132:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.133:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.134:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.135:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
:mozilla.136:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.137:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned with backup
:mozilla.140:C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\l90e139b.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup


::Report End

... one complication upon startup ...

I have a warning window that came up labeled Spywareguard Browser Protection Alert (supposed anti-virus spyware on my desktop) saying "An attempt to change Internet Explorer settings has been detected. Warning! Your IE search page has been changed! Your Internet Explorer local machine search page has been changed from res://C:/system32/drtfw.dll/sp.htm/#10001%resultposition.net to <none> ...

what should I do to this? my choices are two buttons:

Restore Old Value and Keep New Value ...

... or is this really spyware posing as anti-spyware? that needs to be removed? ...

regards, ccinmfd

[ccinmfd]

... does it matter that we rarely use Internet Explorer? ... instead, we almost exclusively use the Mozilla Firefox browser that goes directly to the Google search page ... thanks ... ccinmfd

[Linkmaster]

I have a warning window that came up labeled Spywareguard Browser Protection Alert (supposed anti-virus spyware on my desktop) saying "An attempt to change Internet Explorer settings has been detected. Warning! Your IE search page has been changed! Your Internet Explorer local machine search page has been changed from res://C:/system32/drtfw.dll/sp.htm/#10001%resultposition.net to <none> ...

Spyware Guard picked up the removal of res://C:/system32/drtfw.dll/sp.htm/#10001%resultposition.net, which is CoolWebSearch Spyware, as your search page. That means 2 things :
We removed that part of the infection successfully and SpywareGuard is doing its job
Select Keep New Value

... does it matter that we rarely use Internet Explorer? ... instead, we almost exclusively use the Mozilla Firefox browser that goes directly to the Google search page ... thanks ... ccinmfd

Very good choice in using Firefox

Some things seem to be stubborn!!

Reboot to Safe mode
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter

Run ATF Cleaner
Double-click ATF Cleaner.exe
Under Main choose: Select All
Click the Empty Selected button.

Firefox :
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program

Run HSfix.reg
Grant it permission to add the registry items.

Run CWShredder
Open CWShredder and click I AGREE
Click Fix and then Next, Make sure you let it fix all CWS Remnants

Run HijackThis
Scan and when it finishes, put a check mark only next to these following items : (if present)

O2 - BHO: (no name) - {62B92B1B-2FF4-C0C0-407F-FD1EF3FDEB7A} - (no file)
O2 - BHO: (no name) - {6537283D-964A-CBD4-C67B-7091E7AC8979} - (no file)
O2 - BHO: (no name) - {EBB4A740-CDEF-2FEA-7B76-BB8815E8A690} - (no file)

Close all browsers and any open Windows, making sure that only HijackThis is open
Click Fix Checked

Run Ewido Anti-Malware

Reboot to Normal Mode

Run Kaspersky WebScanner

Click on Kaspersky Online Scanner
You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases
Click OK

Now under select a target to scan:
Select My Computer

Then the program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop

Reboot and post a fresh HijackThis log, the Ewido log and the Kaspersky Scan log here

[ccinmfd]

OK ... did all the procedures you recommended, above ... and will post the three logs, as requested:

First, the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 3:51:12 PM, on 2/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Hewlett-Packard\hp deskjet 9300 series\Toolbox\mpm.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\iTunes\iTunesHelper.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1101774857\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1101774857\ee\AOLServiceHost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\carrollc\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
c:\program files\common files\aol\1101774857\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1101774857\ee\AOLServiceHost.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {62B92B1B-2FF4-C0C0-407F-FD1EF3FDEB7A} - (no file)
O2 - BHO: (no name) - {6537283D-964A-CBD4-C67B-7091E7AC8979} - (no file)
O2 - BHO: (no name) - {EBB4A740-CDEF-2FEA-7B76-BB8815E8A690} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101774857\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HPWG myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp deskjet 9300 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iPod\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\EA SPORTS\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_2 ... lashAX.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe


Second, the Ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:02:01 AM, 2/19/2006
+ Report-Checksum: 54F3D887

+ Scan result:

No infected objects found.


::Report End


Finally, the Kapersky scan results log:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, February 19, 2006 15:42:41
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 19/02/2006
Kaspersky Anti-Virus database records: 177515
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 42137
Number of viruses found: 38
Number of infected objects: 1118
Number of suspicious objects: 5
Duration of the scan process: 4427 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP0.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP1.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP2.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP3.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP4.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP5.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP6.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP7.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP8.exe Infected: Trojan-Downloader.Win32.Agent.td
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00780000.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00780001.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00780001.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00780001.VBN/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\00780001.VBN Infected: Trojan-Downloader.Java.OpenConnection.aa
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01240000.VBN Infected: Trojan-Downloader.Win32.Agent.td
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01A40000.VBN Infected: Trojan-Downloader.Win32.Agent.acd
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\01B80000.VBN Infected: Trojan-Downloader.Win32.Agent.td
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02040000.VBN Infected: Backdoor.Win32.SubSeven.210
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\020C0000.VBN Infected: Backdoor.Win32.SubSeven.21.Gold
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02200000.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02200001.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0000.VBN Infected: Exploit.VBS.Phel.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0001.VBN Infected: Exploit.VBS.Phel.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0002.VBN Infected: Trojan-Downloader.Win32.Agent.acd
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\022C0003.VBN Infected: Trojan-Downloader.Win32.Agent.acd
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02340000.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02340001.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02340002.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02340003.VBN/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02340003.VBN/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02340003.VBN/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02340003.VBN/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02340003.VBN Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02340004.VBN Infected: not-a-virus:AdWare.Win32.Sahat.w
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02340005.VBN Infected: Trojan-Downloader.Win32.Agent.td
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02380000.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\023C0000.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\023C0001.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\023C0002.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\023C0003.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\023C0004.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\023C0005.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\023C0006.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\023C0007.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\023C0008.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\023C0009.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\023C000A.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\023C000B.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\023C000C.VBN Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02400000.VBN Infected: Trojan.Java.ClassLoader.c
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02400001.VBN Infected: Trojan-Downloader.Win32.Agent.acd
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02440000.VBN Infected: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02480000.VBN Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\024C0000.VBN Infected: Trojan-Downloader.Win32.Small.ya
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\024C0001.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\024C0002.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\024C0003.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\024C0004.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\024C0005.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\024C0006.VBN Infected: Trojan-Downloader.Win32.Agent.td
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\024C0007.VBN Infected: Trojan-Downloader.Win32.Agent.td
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02500000.VBN Infected: Trojan-Downloader.Win32.Agent.acd
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02540000.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02540001.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02540002.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02540003.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02540004.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02540005.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02540006.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02580000.VBN/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02580000.VBN/InsecureClassLoader.class Infected: Exploit.Java.ByteVerify
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02580000.VBN/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02580000.VBN/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02580000.VBN Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02600000.VBN Infected: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02640000.VBN Infected: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02780000.VBN Infected: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02900000.VBN Infected: Backdoor.Win32.SubSeven.21.Gold
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02900001.VBN Infected: Backdoor.Win32.SubSeven.210
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02940000.VBN Infected: Backdoor.Win32.SubSeven.210
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02980000.VBN Infected: Backdoor.Win32.SubSeven.210
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02980001.VBN Infected: not-virus:Hoax.Win32.SpyWare.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02A80000.VBN Infected: Backdoor.Win32.SubSeven.210
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02A80001.VBN Infected: Backdoor.Win32.SubSeven.210
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02A80002.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02A80003.VBN Infected: Backdoor.Win32.SubSeven.214
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02B40000.VBN Infected: Backdoor.Win32.SubSeven.21.Gold
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02B40001.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02B40002.VBN Infected: Backdoor.Win32.SubSeven.210
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02B80000.VBN Infected: Trojan-Downloader.JS.Small.d
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02B80001.VBN Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02B80002.VBN Infected: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02B80003.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02BC0000.VBN Infected: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02BC0001.VBN Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02BC0002.VBN Infected: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02BC0003.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02BC0004.VBN Infected: Backdoor.Win32.SubSeven.21.Gold
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02BC0005.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02BC0006.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02C00000.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02C00001.VBN Infected: Backdoor.Win32.SubSeven.214
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02C00002.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02C00003.VBN Infected: Backdoor.Win32.SubSeven.210
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02C40000.VBN Infected: Trojan-Downloader.JS.Small.d
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02C40001.VBN Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02CC0000.VBN Infected: Trojan-Downloader.JS.Small.d
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02D00000.VBN Infected: Backdoor.Win32.SubSeven.21.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02DC0000.VBN Infected: Trojan-Downloader.Java.OpenConnection.ah
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02E00000.VBN Infected: Trojan.Java.ClassLoader.ak
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02E80000.VBN Infected: Trojan.Java.ClassLoader.ak
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02EC0000.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02EC0001.VBN Infected: Trojan.Java.ClassLoader.ak
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02F00000.VBN Infected: Trojan-Downloader.Java.OpenConnection.ah
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\02F40000.VBN Infected: Trojan.Java.ClassLoader.ak
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03040000.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03580000.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03580001.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03580002.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03780000.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03900000.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03C40000.VBN Infected: Trojan-Downloader.Win32.Agent.acd
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03C40001.VBN Infected: Trojan-Downloader.Win32.Agent.td
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03C80000.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03C80001.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03CC0000.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03CC0001.VBN Infected: Trojan-Downloader.Win32.Agent.acd
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03DC0000.VBN Infected: Trojan-Clicker.JS.Linker.h
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03DC0001.VBN Infected: not-virus:Hoax.Win32.SpyWare.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03E80000.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03E80001.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03E80002.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03E80003.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03E80004.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04040000.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04040001.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04080000.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\040C0000.VBN Infected: Trojan-Clicker.JS.Linker.h
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\040C0001.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\040C0002.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\040C0003.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\040C0004.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\040C0005.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\040C0006.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\040C0007.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\040C0008.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\040C0009.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04100000.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04100001.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04100002.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\041C0000.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\041C0001.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04200000.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04240000.VBN Infected: Trojan-Clicker.JS.Linker.h
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04240001.VBN Infected: Trojan-Downloader.Win32.Small.ya
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04240002.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04240003.VBN Infected: not-a-virus:AdWare.Win32.EliteBar.z
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04240004.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04240005.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\044C0000.VBN Infected: Trojan-Clicker.JS.Linker.h
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04500000.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04500001.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04500002.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04740000.VBN Infected: Backdoor.Win32.Aimbot.ap
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04780000.VBN Infected: Trojan-Clicker.JS.Linker.h
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04780001.VBN Infected: Trojan-Clicker.JS.Linker.h
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04940000.VBN Infected: Backdoor.Win32.Aimbot.ap
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04A00000.VBN Infected: Trojan-Clicker.JS.Linker.h
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04A00001.VBN Infected: Trojan-Clicker.JS.Linker.h
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04BC0001.VBN/BlackBox.class Infected: Trojan.Java.ClassLoader.ak
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04BC0001.VBN/VB.class Infected: Trojan.Java.ClassLoader.ak
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04BC0001.VBN/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.ah
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04BC0001.VBN Infected: Trojan-Downloader.Java.OpenConnection.ah
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04BC0003.VBN/BlackBox.class Infected: Trojan.Java.ClassLoader.ak
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04BC0003.VBN/VB.class Infected: Trojan.Java.ClassLoader.ak
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04BC0003.VBN/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.ah
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04BC0003.VBN Infected: Trojan-Downloader.Java.OpenConnection.ah
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05280000.VBN Infected: Trojan-Downloader.Win32.Agent.td
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\052C0000.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05600000.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05600001.VBN Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06100000.VBN Infected: Trojan-Downloader.Win32.Agent.acd
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06100001.VBN Infected: Trojan-Downloader.Win32.Agent.acd
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06140000.VBN Suspicious: Exploit.Win32.IMG-WMF
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08580000.VBN Infected: Trojan.Win32.Dialer.mi
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\086C0000.VBN Infected: Trojan.Win32.Dialer.mi
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09D80000.VBN Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09E40000.VBN Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09E40001.VBN Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09E40002.VBN Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09EC0000.VBN Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09F00000.VBN Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09F00001.VBN Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09F40000.VBN Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\09F40001.VBN Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A700000.VBN Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A700001.VBN Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A780000.VBN Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A800000.VBN Infected: Backdoor.Win32.Aimbot.ap
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0A840000.VBN Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0CDC0000.VBN Infected: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0DF00000.VBN Suspicious: Exploit.Win32.IMG-WMF
C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\47cvf9kb.default\Cache\9662AE46d01 Infected: Trojan-Clicker.HTML.IFrame.b
C:\Documents and Settings\carrollc\My Documents\Data\all_files2.exe/data0002/data299033.zip/Setup.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b
C:\Documents and Settings\carrollc\My Documents\Data\all_files2.exe/data0002/data299033.zip/Files/3.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b
C:\Documents and Settings\carrollc\My Documents\Data\all_files2.exe/data0002/data299033.zip/Files/5.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b
C:\Documents and Settings\carrollc\My Documents\Data\all_files2.exe/data0002/data299033.zip Infected: not-a-virus:AdWare.Win32.IEDriver.b
C:\Documents and Settings\carrollc\My Documents\Data\all_files2.exe/data0002 Infected: not-a-virus:AdWare.Win32.IEDriver.b
C:\Documents and Settings\carrollc\My Documents\Data\all_files2.exe/data0004 Infected: Trojan-Downloader.Win32.Apropo.v
C:\Documents and Settings\carrollc\My Documents\Data\all_files2.exe Infected: Trojan-Downloader.Win32.Apropo.v
C:\Documents and Settings\carrollc\My Documents\Data\Data\all_files2.exe/data0002/data299033.zip/Setup.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b
C:\Documents and Settings\carrollc\My Documents\Data\Data\all_files2.exe/data0002/data299033.zip/Files/3.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b
C:\Documents and Settings\carrollc\My Documents\Data\Data\all_files2.exe/data0002/data299033.zip/Files/5.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b
C:\Documents and Settings\carrollc\My Documents\Data\Data\all_files2.exe/data0002/data299033.zip Infected: not-a-virus:AdWare.Win32.IEDriver.b
C:\Documents and Settings\carrollc\My Documents\Data\Data\all_files2.exe/data0002 Infected: not-a-virus:AdWare.Win32.IEDriver.b
C:\Documents and Settings\carrollc\My Documents\Data\Data\all_files2.exe/data0004 Infected: Trojan-Downloader.Win32.Apropo.v
C:\Documents and Settings\carrollc\My Documents\Data\Data\all_files2.exe Infected: Trojan-Downloader.Win32.Apropo.v
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:aywpm:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:bjpsoz:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:bzcytl:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:bzuwec:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:cluxgp:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:dcqxfu:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:dcvzn:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:ekdsln:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:eybpoj:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:ffosms:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:gerjbp:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:gxvgcf:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:gywlqh:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:iaqpbc:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:igwpz:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:ipopsg:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:kjfolt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:kjujay:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:kjxgm:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:oezehf:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:pbowjx:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:pknlo:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:qaoxeo:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:qflfps:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:qwtaio:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:riehsn:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:rwtqg:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:ryweca:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:sgvafo:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:ucexxg:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:ucftf:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:udkzqf:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:uytzgr:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:vemciz:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:vlqhho:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:vrdlab:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:whqhqj:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:wytuit:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:xaerhm:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:xeakpr:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:xguynp:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:yfyygf:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:ylzbry:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:ziuwp:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:zjbzfe:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:zrhqtj:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:zxlrax:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:zxwaxt:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132311.pif:zynmeq:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:aywpm:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:bjpsoz:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:bzcytl:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:bzuwec:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:cluxgp:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:dcqxfu:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:dcvzn:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:ekdsln:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:eybpoj:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:ffosms:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:gerjbp:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:gxvgcf:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:gywlqh:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:iaqpbc:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:igwpz:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:ipopsg:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:kjfolt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:kjujay:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:kjxgm:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:oezehf:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:pbowjx:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:pknlo:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:qaoxeo:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:qflfps:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:qwtaio:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:riehsn:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:rwtqg:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:ryweca:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:sgvafo:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:ucexxg:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:ucftf:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:udkzqf:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:uytzgr:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:vemciz:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:vlqhho:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:vrdlab:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:whqhqj:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:wytuit:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:xaerhm:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:xeakpr:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:xguynp:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:yfyygf:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:ylzbry:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:ziuwp:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:zjbzfe:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:zrhqtj:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:zxlrax:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:zxwaxt:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132339.pif:zynmeq:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:aywpm:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:bjpsoz:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:bzcytl:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:bzuwec:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:cluxgp:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:dcqxfu:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:dcvzn:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:ekdsln:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:eybpoj:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:ffosms:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:gerjbp:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:gxvgcf:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:gywlqh:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:iaqpbc:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:igwpz:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:ipopsg:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:kjfolt:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:kjujay:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:kjxgm:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:oezehf:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:pbowjx:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:pknlo:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:qaoxeo:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:qflfps:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:qrxzt:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:qwtaio:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:riehsn:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:rwtqg:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:ryweca:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:sgvafo:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:ucexxg:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:ucftf:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:udkzqf:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:uytzgr:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:vemciz:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:vlqhho:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:vrdlab:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:whqhqj:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:wytuit:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:xaerhm:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:xeakpr:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\System Volume Information\_restore{36699502-75CE-4155-9423-6BB5C4A31529}\RP475\A0132366.pif:xguynp:$DATA Inf

[Linkmaster]

Please disable Spyware Guard, as it may hinder the removal of some entries. You can re-enable it after you're clean.

Right click the running icon of Spywareguard, it will open the program.
Click Menu, File, Exit, and confirm the programs close

Run HijackThis
Scan and when it finishes, put a check mark only next to these following items : (if present)

O2 - BHO: (no name) - {62B92B1B-2FF4-C0C0-407F-FD1EF3FDEB7A} - (no file)
O2 - BHO: (no name) - {6537283D-964A-CBD4-C67B-7091E7AC8979} - (no file)
O2 - BHO: (no name) - {EBB4A740-CDEF-2FEA-7B76-BB8815E8A690} - (no file)

Close all browsers and any open Windows, making sure that only HijackThis is open
Click Fix Checked

Reboot to Safe mode
Restart your computer and immediately begin tapping the F8 key on your keyboard.
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter

Open Windows Explorer, locate and Delete the following folders or files in BOLD : (if present)

C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp<all contents inside this folder>
C:\Documents and Settings\carrollc\My Documents\Data<all contents inside this folder>
C:\Documents and Settings\carrollc\Application Data\Mozilla\Firefox\Profiles\47cvf9kb.default\Cache\9662AE46d01

Delete the contents of the Norton AntiVirus Corporate Edition\7.5\Quarantine folder

Run ATF Cleaner
Double-click ATF Cleaner.exe
Under Main choose: Select All
Click the Empty Selected button.

Firefox :
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt

Click Exit on the Main menu to close the program

Reboot to Normal mode

**Turn off System Restore**
On the Desktop, right-click My Computer
Click Properties
Click the System Restore tab.
Check "Turn off System Restore"
Click Apply, then click OK and Reboot

**Turn ON System Restore**
On the Desktop, right-click My Computer
Click Properties
Click the System Restore tab.
UN-Check "Turn off System Restore"
Click Apply, then click OK and Reboot

Run the Kaspersky WebScanner again

Post a fresh HijackThis log and the Kaspersky Scan log

[ccinmfd]

I was able to complete all recommended steps this time ...

New HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:16:51 PM, on 2/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Hewlett-Packard\hp deskjet 9300 series\Toolbox\mpm.exe
C:\Program Files\Common Files\AOL\1101774857\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1101774857\ee\AOLServiceHost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\iTunes\iTunesHelper.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
c:\program files\common files\aol\1101774857\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1101774857\ee\AOLServiceHost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Documents and Settings\carrollc\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {62B92B1B-2FF4-C0C0-407F-FD1EF3FDEB7A} - (no file)
O2 - BHO: (no name) - {6537283D-964A-CBD4-C67B-7091E7AC8979} - (no file)
O2 - BHO: (no name) - {EBB4A740-CDEF-2FEA-7B76-BB8815E8A690} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101774857\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HPWG myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp deskjet 9300 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iPod\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\EA SPORTS\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_2 ... lashAX.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe


Updated Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, February 19, 2006 20:15:58
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 20/02/2006
Kaspersky Anti-Virus database records: 177544
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 40603
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 4154 sec

Infected Object Name - Virus Name
C:\WINDOWS\Downloaded Program Files\DeskAdX.dll Infected: not-a-virus:AdWare.Win32.WinAD.n

Scan process completed.

[Linkmaster]

Still have a few things to do !!

Reboot to Safe mode
Restart your computer and begin tapping the F8 key on your keyboard just before Windows starts to load
If done right a Windows Advanced Options menu will appear.
Select the Safe Mode option and press Enter

Right click the AOL Spyware Protection icon by your clock
Click on Exit, Close, or Stop to stop the app from running

Make sure Spyware Guard is disabled as well

Open Windows Explorer, locate and Delete the following folders or files in BOLD : (if present)

C:\WINDOWS\Downloaded Program Files\DeskAdX.dll

Empty your Recycle Bin

Run HijackThis
Scan and when it finishes, put a check mark only next to these following items : (if present)

O2 - BHO: (no name) - {62B92B1B-2FF4-C0C0-407F-FD1EF3FDEB7A} - (no file)
O2 - BHO: (no name) - {6537283D-964A-CBD4-C67B-7091E7AC8979} - (no file)
O2 - BHO: (no name) - {EBB4A740-CDEF-2FEA-7B76-BB8815E8A690} - (no file)

Close all browsers and any open Windows, making sure that only HijackThis is open
Click Fix Checked

Reboot and post a fresh HijackThis log along with another Kaspersky Scan log here

[ccinmfd]

I did all the steps ... did not find the file or folder in Windows you listed ... and it seems the three O-2 filed ID'd in the HijackThis scan are still there ...

Logfile of HijackThis v1.99.1
Scan saved at 3:10:11 PM, on 2/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NavNT\vptray.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\hp deskjet 9300 series\Toolbox\mpm.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1101774857\ee\AOLHostManager.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\AOL\1101774857\ee\AOLServiceHost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iPod\iTunes\iTunesHelper.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\common files\aol\1101774857\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1101774857\ee\AOLServiceHost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Documents and Settings\carrollc\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.msn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: (no name) - {62B92B1B-2FF4-C0C0-407F-FD1EF3FDEB7A} - (no file)
O2 - BHO: (no name) - {6537283D-964A-CBD4-C67B-7091E7AC8979} - (no file)
O2 - BHO: (no name) - {EBB4A740-CDEF-2FEA-7B76-BB8815E8A690} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1101774857\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [HPWG myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp deskjet 9300 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iPod\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0a\AOL.EXE" -b
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\EA SPORTS\Bodog Poker\GameClient.exe (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/ ... nicode.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://register3.valueactive.com/mpp_2 ... lashAX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EEFBC7FB-20CD-4ABB-A1A4-B64B40758E90}: Domain = boysvillage.org
O17 - HKLM\System\CCS\Services\Tcpip\..\{EEFBC7FB-20CD-4ABB-A1A4-B64B40758E90}: NameServer = 10.129.1.6
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = boysvillage.org
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = boysvillage.org
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe


the Kaspersky scan log is as follows:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, February 20, 2006 15:09:13
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 20/02/2006
Kaspersky Anti-Virus database records: 177717
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 40896
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 4810 sec

Infected Object Name - Virus Name
C:\WINDOWS\Downloaded Program Files\DeskAdX.dll Infected: not-a-virus:AdWare.Win32.WinAD.n

Scan process completed.

like I said, I did not find the C:\WINDOWS\Downloaded Program Files\DeskAdX.dll file to eliminate ... perhaps I am looking in the wrong place? I open My Computer ... click on WINDOWS folder .. click on Downloaded Program Files ... (C:\WINDOWS\Downloaded Program Files) ... but only seven files are inside, none of which are the DeskAdX.dll I am supposed to remove ... I also checked to make sure all files were viewable, and they were ... anyways ... looking forward to your next post ... regards, ccinmfd