Analysis of HijackThis Log; Persistent Dialer and Malware

Post by rwskreen » June 22nd, 2005, 11:19 pm

Hello...and thank you...
I have malware on my WinXP system, as evidenced by a persistent dialer and the spawning of multiple instances of MS Internet Explorer; it is also attempting to download Trojan.Alwayup and Trojan.Downloader. Various other dialog boxes also pop up.
I have tried various removal systems, AdAware, SpyBot, even MS AntiSpyware, and various registry and other modules have been removed, but the module/file sourcing this problem is still with my system.
After running HijackThis, I know that the following line is a problem or is created by the problem malware module, but after 'Fixing' it with HijackThis, it is recreated about one second later. The registry entry I am referring to is:

O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteyub32.exe

I don't find any other obvious problems in my HijackThis logfile, but you might be able to. Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 8:05:44 PM, on 6/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\PROGRA~1\NORTON~1\WinFax\WFXMOD32.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wintask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\PopUpBuster\popupbuster.exe
C:\WINDOWS\System32\uvknmz.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system\invefp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\dwwin.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.com
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WorkFlowTray] "C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
O4 - HKLM\..\Run: [PDF Converter Registry Controller] "C:\Program Files\ScanSoft\OmniPagePro14.0\PdfCnv\RegistryController.exe"
O4 - HKLM\..\Run: [SSPrnAgent] C:\Program Files\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PopUp Buster+] C:\Program Files\PopUpBuster\popupbuster.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\uvknmz.exe reg_run
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteyub32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open PDF in Word - res://C:\Program Files\ScanSoft\OmniPagePro14.0\PdfCnv\IEShellExt.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\popupbuster.exe
O9 - Extra 'Tools' menuitem: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\popupbuster.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsup ... SupCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.i1.yimg.com/us.yimg.com/i/cha ... acscom.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 5227135562
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/se ... loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22D5285F-1040-412C-8009-10F1803C7C20}: NameServer = 209.102.124.11 209.102.124.10
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WinFax Basic Edition (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE

I hope this is enough information to begin. I very much appreciate any help you might be able to provide.

Best Regards, Robert W. Skreen
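The checks a log reader applies by hand to a HijackThis log like the one above, written out as an added Python example (not part of the post, and not a HijackThis or MalwareRemoval.com tool). It parses the "Running processes" block and the O4, O17 and O23 lines, flags Run entries whose image sits in a Windows system directory but is not on an allowlist, and separately flags Run entries whose image is also a running process, which is the situation the poster describes: a live process can write its Run value back the instant HijackThis deletes it, so the key has to be removed with that process stopped (or from Safe Mode). The sample log is a short excerpt of the posted one; the allowlist KNOWN_SYSTEM_BINARIES is the example's own, deliberately tiny assumption, and a flag means "look at this", not "malicious".

```python
import re
from typing import Dict, List

# Excerpt of the HijackThis 1.99.1 log posted above, trimmed to a handful of lines so the
# parser can run offline. Line formats are exactly those HijackThis emits.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 8:05:44 PM, on 6/22/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\uvknmz.exe
C:\WINDOWS\system\invefp.exe
C:\Program Files\Mozilla Firefox\firefox.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\uvknmz.exe reg_run
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\eliteyub32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{22D5285F-1040-412C-8009-10F1803C7C20}: NameServer = 209.102.124.11 209.102.124.10
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
"""

# Assumed allowlist of binaries that legitimately live in the Windows system directories on
# this machine; a real analyst keeps a much longer one. Anything else found there is only
# flagged for review, not declared malicious.
KNOWN_SYSTEM_BINARIES = {"ctfmon.exe", "nvcpl.dll", "rundll32.exe"}

RUN_RE = re.compile(r"^O4 - (HK[A-Z]+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.*)$")
NAMESERVER_RE = re.compile(r"^O17 - .*NameServer = (.*)$")


def parse_hjt(text: str) -> Dict[str, list]:
    """Split a HijackThis log into the running-process list and the O/R-numbered entries."""
    processes: List[str] = []
    entries: List[str] = []
    in_procs = False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if not line:
            in_procs = False
            continue
        if in_procs:
            processes.append(line)
        elif re.match(r"^[OR]\d+ - ", line):
            entries.append(line)
    return {"processes": processes, "entries": entries}


def image_path(command: str) -> str:
    """Recover the executable path from a Run value's command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1 : command.index('"', 1)]
    first, _, rest = command.partition(" ")
    # RUNDLL32.EXE <dll>,<entry>: the interesting image is the DLL, not rundll32 itself.
    if first.lower().endswith("rundll32.exe") and rest:
        return rest.split(",", 1)[0].strip().strip('"')
    return first


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_system_dir(path: str) -> bool:
    d = path.replace("/", "\\").rsplit("\\", 1)[0].lower()
    return d.endswith("\\system32") or d.endswith("\\system")


def triage(parsed: Dict[str, list], known: set = KNOWN_SYSTEM_BINARIES) -> List[dict]:
    """Apply the checks a log reader applies by hand; return what deserves a look."""
    running = {basename(p) for p in parsed["processes"]}
    findings: List[dict] = []
    for entry in parsed["entries"]:
        m = RUN_RE.match(entry)
        if m:
            hive, key, name, command = m.groups()
            base = basename(image_path(command))
            reasons = []
            if in_system_dir(image_path(command)) and base not in known:
                reasons.append("unrecognised binary in a Windows system directory")
            if base in running:
                # A live process can rewrite its own Run value the instant it is deleted,
                # so a HijackThis "fix" alone will not stick: stop the process (or boot to
                # Safe Mode) before removing the entry.
                reasons.append("image is currently running; key may be re-created")
            if reasons:
                findings.append({"kind": "run", "hive": hive, "key": key, "name": name,
                                 "image": base, "reasons": reasons})
            continue
        m = SERVICE_RE.match(entry)
        if m and "(file missing)" in m.group(3):
            findings.append({"kind": "service", "name": m.group(1),
                             "reasons": ["service points at a missing file"]})
            continue
        m = NAMESERVER_RE.match(entry)
        if m:
            findings.append({"kind": "dns", "servers": m.group(1).split(),
                             "reasons": ["confirm these resolvers belong to your ISP"]})
    return findings


def flagged_images(findings: List[dict]) -> set:
    return {f["image"] for f in findings if f["kind"] == "run"}


if __name__ == "__main__":
    for finding in triage(parse_hjt(SAMPLE_LOG)):
        print(finding)
```

On the excerpt, checkrun's eliteyub32.exe is flagged only for its location, while wintask.exe and uvknmz.exe are flagged for location and for being live processes, which is the pattern to look at first when a fixed entry keeps coming back; the orphaned SpywareCleanerService and the O17 resolvers are listed for manual confirmation.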

Post by LDTate » June 23rd, 2005, 5:10 pm

Hello rwskreen,

Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Then please run Ewido, and run a full scan. Save the logfile from the scan.

Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

Persistent Dialer, Trojans, Popups, getting out of hand

Post by rwskreen » June 24th, 2005, 10:17 pm

OK... Here is the Ewido log, followed by the latest HijackThis log, both obtained as you suggested. Upon final reboot from Safe Mode, however, I could not resist three prompts from Ewido to remove three Trojans, so I had Ewido do a remove/clean. Thus, the HijackThis log does NOT show the 'eliteyub32.exe' registry entry that was there before. I had 295 'infections' in my Ewido log, however, so there is more to clean up. I very much appreciate your suggestion about the Ewido Suite... it's sweet.

So, do I just use Ewido to clean/remove all infected files? Thank you again.

So, here are the logs mentioned above:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:38:44 PM, 6/24/2005
+ Report-Checksum: F366703A

+ Date of database: 6/24/2005
+ Version of scan engine: v3.0

+ Duration: 101 min
+ Scanned Files: 133455
+ Speed: 21.85 Files/Second
+ Infected files: 295
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rnkt.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@85517197[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@adopt.hotbar[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@ads.addynamix[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@bfast[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@citi.bridgetrack[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@counter2.hitslink[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@dcswhhs4tpljwp5jjudlnp3nh_5i7r[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@ehg-kodak.hitbox[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@empnads.valuead[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@exitexchange[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@fastclick[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@hitbox[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@servedby.advertising[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@statse.webtrendslive[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@targetnet[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@www.eadexchange[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@www.shopathomeselect[2].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@z1.adserver[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Cookies\owner@zedo[1].txt -> Spyware.Tracking-Cookie -> Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\common.dll -> Spyware.WebSearch.aj -> Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\drp1B.tmp\thnall2c.exe -> Spyware.BetterInternet -> Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\f960437.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\installer_MARKETING18.exe -> TrojanDownloader.Adload.a -> Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\nst8B.EXE -> Spyware.SmartPops -> Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\pcs_0002.exe -> Spyware.Pacer.b -> Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\pcs_0006.exe -> Spyware.Pacer.b -> Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\ptf_0002.exe -> Spyware.Pacer -> Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\ptf_0015.exe -> Spyware.Pacer -> Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Small.qn -> Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\TBPS.exe -> Spyware.WebSearch.aj -> Ignored
C:\Documents and Settings\Owner\Local Settings\Temp\THI3042.tmp\elitetrp.exe -> Spyware.EliteBar.ac -> Ignored
C:\Program Files\FwBarTemp\searchbar.exe -> TrojanDownloader.VB.eu -> Ignored
C:\Program Files\WeirdOnTheWeb\weirdontheweb.exe -> Spyware.WeirWeb -> Ignored
C:\Program Files\Windows Media Player\wmplayer.exe.tmp -> Spyware.Pacer -> Ignored
C:\RECYCLER\NPROTECT\00338118.EXE -> TrojanDownloader.Qoologic.n -> Ignored
C:\RECYCLER\NPROTECT\00338184.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\RECYCLER\NPROTECT\00339467 -> Spyware.BookedSpace -> Ignored
C:\RECYCLER\NPROTECT\00339480 -> Spyware.BookedSpace -> Ignored
C:\RECYCLER\NPROTECT\00340010 -> Spyware.Apropos -> Ignored
C:\RECYCLER\NPROTECT\00340011 -> Spyware.Apropos -> Ignored
C:\RECYCLER\NPROTECT\00340012 -> Spyware.Apropos -> Ignored
C:\RECYCLER\NPROTECT\00340013 -> Spyware.Apropos -> Ignored
C:\RECYCLER\NPROTECT\00340014 -> Spyware.Apropos -> Ignored
C:\RECYCLER\NPROTECT\00340015 -> Spyware.Apropos -> Ignored
C:\RECYCLER\NPROTECT\00340016 -> Spyware.Apropos -> Ignored
C:\RECYCLER\NPROTECT\00340018 -> Spyware.Apropos -> Ignored
C:\RECYCLER\NPROTECT\00340027 -> Spyware.Apropos.f -> Ignored
C:\RECYCLER\NPROTECT\00340877.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\RECYCLER\NPROTECT\00340882.exe -> TrojanDownloader.Small.aly -> Ignored
C:\RECYCLER\S-1-5-21-1822439336-3719885985-2111342016-1003\Dc507\hijackthisUnzipped\backups\backup-20050604-111058-825.dll -> Spyware.SmartPops -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP913\A0047074.exe -> TrojanDownloader.Wintool.e -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP914\A0047139.exe -> Spyware.WebSearch -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP914\A0047140.dll -> Spyware.WebSearch.aa -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP915\A0047163.exe -> Spyware.WebSearch.ac -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP915\A0047166.exe -> Spyware.BetterInternet -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP915\A0047203.exe -> Spyware.WebSearch.ac -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP915\A0047216.dll -> Spyware.WebSearch.aa -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP915\A0047217.exe -> Spyware.WebSearch.ac -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP917\A0047286.exe -> TrojanDownloader.Small.abd -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP917\A0047288.exe -> Spyware.VirtualBouncer.c -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP917\A0047293.exe -> TrojanDropper.Agent.hh -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP917\A0047294.exe -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP917\A0047307.EXE -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP917\A0047310.EXE -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP917\A0047315.exe -> Spyware.WebSearch.ac -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP917\A0047318.EXE -> Spyware.BetterInternet -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP917\A0047321.exe -> Spyware.WebSearch.ac -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP917\A0047368.EXE -> Spyware.Sahat.o -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP917\A0047373.exe -> Spyware.WebSearch.ac -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP917\A0047375.dll -> Spyware.WebSearch.aa -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP921\A0048804.exe -> Spyware.Pacer.e -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP922\A0049079.exe -> Spyware.Pacer.e -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP923\A0049369.exe -> TrojanDownloader.Dyfuca.dx -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP923\A0049386.EXE -> TrojanDropper.Agent.hl -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP924\A0049426.exe -> Spyware.Pacer.e -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP926\A0049597.DLL -> Spyware.Sahat.q -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP932\A0050920.exe -> Spyware.Pacer -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP932\A0050924.exe -> TrojanDownloader.Adload.a -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP932\A0050925.exe -> TrojanDownloader.Small.abd -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP933\A0050945.exe -> TrojanDownloader.Agent.hw -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP933\A0050948.exe -> TrojanDownloader.VB.eu -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP933\A0050950.exe -> TrojanDropper.Agent.hh -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP933\A0050951.exe -> Spyware.WildTangent.DownloadWare -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP933\A0050954.exe -> TrojanDownloader.Small.apm -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP934\A0050971.EXE -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP935\A0050984.exe -> Spyware.BetterInternet -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP937\A0050999.exe -> Spyware.VirtualBouncer.c -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP937\A0051002.EXE -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP937\A0051037.exe -> Trojan.Popmon.a -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP937\A0051038.dll -> Spyware.DealHelper.ab -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP937\A0051039.DLL -> Backdoor.Generic -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP937\A0051040.exe -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP937\A0051041.exe -> TrojanDropper.Agent.kd -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP937\A0051042.exe -> TrojanDropper.Agent.hh -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP937\A0051048.EXE -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP938\A0051061.EXE -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP938\A0051096.EXE -> Spyware.VirtualBouncer.j -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP938\A0051098.EXE -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP939\A0051107.EXE -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP940\A0051112.dll -> TrojanDownloader.Apropo.w -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP940\A0051113.exe -> TrojanDownloader.Apropo.r -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP940\A0051119.exe -> Spyware.BetterInternet -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP941\A0051169.exe -> Spyware.BetterInternet -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP941\A0051241.EXE -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP941\A0051242.EXE -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP942\A0051245.exe -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP942\A0051246.exe -> Spyware.BetterInternet -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP943\A0051252.exe -> Spyware.BetterInternet -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP945\A0051268.exe -> TrojanDownloader.Wintool.e -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP945\A0051269.exe -> Spyware.Sahat.m -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP945\A0051270.exe -> Spyware.Apropos.i -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP945\A0051317.exe -> Spyware.BetterInternet -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP945\A0051338.exe -> TrojanDownloader.Small.apm -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP945\A0051345.exe -> TrojanDownloader.Small.apm -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP945\A0051346.exe -> TrojanDownloader.Small.apm -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP945\A0051374.exe -> Spyware.BetterInternet -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP945\A0051400.exe -> Spyware.BetterInternet -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP945\A0051412.exe -> Spyware.BetterInternet -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP947\A0051423.exe -> Spyware.BetterInternet -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP947\A0051428.exe -> TrojanDownloader.Small.apm -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP947\A0051440.exe -> TrojanDownloader.Small.apm -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP947\A0051456.exe -> TrojanDownloader.VB.eu -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP947\A0051494.exe -> Spyware.BetterInternet -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP948\A0051502.exe -> Spyware.BetterInternet -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP949\A0051719.exe -> Spyware.DealHelper.ac -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP949\A0051720.exe -> Trojan.Popmon.a -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP949\A0051721.EXE -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP949\A0051735.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP949\A0051740.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP949\A0051742.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP950\A0051746.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP950\A0051747.exe -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP950\A0051748.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP950\A0051750.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP950\A0051751.exe -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP950\A0051752.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP950\A0051753.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP951\A0051797.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP951\A0051798.exe -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP951\A0051799.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP951\A0051801.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP951\A0051802.exe -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP951\A0051803.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP951\A0051804.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP951\A0051838.exe -> TrojanDownloader.VB.eu -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP951\A0051858.exe -> Spyware.BetterInternet -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP951\A0051861.exe -> Spyware.BetterInternet -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP951\A0051862.exe -> Trojan.Nail -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP951\A0051863.exe -> Trojan.Stervis.c -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP951\A0051871.exe -> TrojanDownloader.Small.apm -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP951\A0051876.exe -> TrojanDownloader.Small.apm -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP951\A0051881.exe -> TrojanDownloader.Small.apm -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP951\A0051882.exe -> TrojanDownloader.Small.apm -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP951\A0051900.EXE -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP952\A0051933.exe -> TrojanDownloader.Small.apm -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP952\A0051938.exe -> TrojanDownloader.Small.apm -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP952\A0051939.exe -> TrojanDownloader.Small.apm -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP952\A0051942.exe -> TrojanDownloader.Small.akz -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP952\A0051950.EXE -> Spyware.BetterInternet -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP952\A0051952.EXE -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP952\A0051953.EXE -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP952\A0051964.EXE -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP952\A0051982.exe -> TrojanDownloader.Small.apm -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP952\A0051987.exe -> TrojanDownloader.Small.apm -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP952\A0051994.exe -> TrojanDownloader.Small.apm -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP953\A0052004.exe -> TrojanDownloader.Small.apm -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP954\A0052010.EXE -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP954\A0052033.EXE -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP954\A0052070.EXE -> Spyware.Hijacker.Generic -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP954\A0052093.exe -> Spyware.Pacer -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP955\A0052111.exe -> Spyware.BetterInternet -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP955\A0052115.exe -> Trojan.Stervis.c -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP955\A0052116.exe -> Trojan.Nail -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP955\A0052117.EXE -> Spyware.BetterInternet -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP955\A0052129.exe -> TrojanDownloader.Small.apm -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP956\A0052143.dll -> Spyware.BookedSpace -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP956\A0052149.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP956\A0052150.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP956\A0052151.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP956\A0052152.exe -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP956\A0052154.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP956\A0052155.exe -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP956\A0052156.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP956\A0052169.exe -> TrojanDownloader.Small.abd -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP957\A0052193.vxd -> Spyware.MediaPass -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP957\A0052195.EXE -> Spyware.MediaPass -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP957\A0052197.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP957\A0052198.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP957\A0052199.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP957\A0052200.exe -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP957\A0052202.DLL -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP957\A0052203.EXE -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP957\A0052204.DLL -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP957\A0052206.EXE -> TrojanDropper.Agent.hl -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP957\A0052210.exe -> TrojanDownloader.Small.apm -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP957\A0052217.exe -> Spyware.Pacer -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP957\A0052222.DLL -> Spyware.EliteBar.af -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP959\A0052251.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP959\A0052252.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP959\A0052253.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP959\A0052254.exe -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP959\A0052256.DLL -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP959\A0052257.EXE -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP959\A0052258.DLL -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP960\A0052267.EXE -> Spyware.Adstart -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP960\A0052269.exe -> Spyware.Adstart.b2 -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP969\A0052356.dll -> TrojanDownloader.Qoologic.n -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP970\snapshot\MFEX-1.DAT -> TrojanDownloader.Qoologic.q -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP971\snapshot\MFEX-1.DAT -> TrojanDownloader.Qoologic.q -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP972\snapshot\MFEX-1.DAT -> TrojanDownloader.Qoologic.q -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP973\A0052442.cpl -> TrojanDropper.Win32.Small.wc -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP973\A0052444.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP973\A0052445.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP973\A0052446.dll -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP973\A0052447.exe -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP973\A0052449.DLL -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP973\A0052450.EXE -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP973\A0052451.DLL -> Trojan.Pakes -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP973\A0052470.EXE -> Spyware.Adstart -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP973\A0052504.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP973\A0052506.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP973\snapshot\MFEX-1.DAT -> TrojanDownloader.Qoologic.q -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP974\snapshot\MFEX-1.DAT -> TrojanDownloader.Qoologic.q -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP975\A0052558.dll -> TrojanDownloader.Qoologic.q -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP975\A0052567.DLL -> Spyware.SmartPops -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP975\snapshot\MFEX-1.DAT -> TrojanDownloader.Qoologic.q -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP982\A0053878.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP983\A0053932.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP984\A0053977.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP985\A0054000.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP989\A0054094.dll -> TrojanDownloader.Qoologic.q -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP991\A0054125.dll -> TrojanDownloader.Qoologic.q -> Ignored
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP991\A0054144.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\Temp\EDow.exe -> TrojanDownloader.Wintool.e -> Ignored
C:\Temp\sahagent-cdt1004.exe -> Spyware.Sahat.m -> Ignored
C:\WINDOWS\cfgmgr52.dll -> Spyware.BookedSpace.e -> Ignored
C:\WINDOWS\dgerojhb.exe -> Spyware.BookedSpace.e -> Ignored
C:\WINDOWS\sideb.exe -> Spyware.EliteBar.z -> Ignored
C:\WINDOWS\SYSTEM\jnkki.exe -> TrojanDownloader.Small.ayh -> Ignored
C:\WINDOWS\SYSTEM32\20007.exe -> Spyware.WildTangent.DownloadWare -> Ignored
C:\WINDOWS\SYSTEM32\cdmdownld\itpwxmlcfa.exe -> Spyware.SmartPops -> Ignored
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0LYB8PAR\protector_update[1].exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6QENFBH5\protector_update[1].exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\SYSTEM32\cxtpls_loader.exe -> TrojanDownloader.Apropo.ab -> Ignored
C:\WINDOWS\SYSTEM32\dbnorad.exe -> TrojanDownloader.Qoologic.q -> Ignored
C:\WINDOWS\SYSTEM32\eliteate32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\SYSTEM32\elitedrb32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\SYSTEM32\elitedze32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\SYSTEM32\eliteehz32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\SYSTEM32\elitefep32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\SYSTEM32\eliteidr32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\SYSTEM32\elitejgk32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\SYSTEM32\elitelvx32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\SYSTEM32\elitemar32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\SYSTEM32\elitenbw32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\SYSTEM32\eliteplv32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\SYSTEM32\elitersu32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\SYSTEM32\elitesai32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\SYSTEM32\elitesbo32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\SYSTEM32\eliteuja32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\SYSTEM32\elitevbs32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\SYSTEM32\elitexas32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\SYSTEM32\elitexix32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\SYSTEM32\elitexut32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\SYSTEM32\eliteyub32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\SYSTEM32\exp.exe -> TrojanDownloader.Small.abd -> Ignored
C:\WINDOWS\SYSTEM32\GSM2.exe -> Trojan.Registrator.b -> Ignored
C:\WINDOWS\SYSTEM32\HookPopup.dll -> Spyware.DealHelper.ab -> Ignored
C:\WINDOWS\SYSTEM32\installer_MARKETING18.exe -> TrojanDownloader.Adload.a -> Ignored
C:\WINDOWS\SYSTEM32\kdcyrc.exe -> Spyware.Adstart -> Ignored
C:\WINDOWS\SYSTEM32\kdcyrd.exe -> Spyware.Adstart -> Ignored
C:\WINDOWS\SYSTEM32\kdcyrf.exe -> Spyware.Adstart.b2 -> Ignored
C:\WINDOWS\SYSTEM32\main.exe -> TrojanDownloader.Agent.hw -> Ignored
C:\WINDOWS\SYSTEM32\ozighxo.dll -> TrojanDownloader.Qoologic.q -> Ignored
C:\WINDOWS\SYSTEM32\pacis.exe -> Spyware.Pacer.a -> Ignored
C:\WINDOWS\SYSTEM32\pop2.exe -> Spyware.MediaPass -> Ignored
C:\WINDOWS\SYSTEM32\psoft1.exe -> Spyware.Pacer.a -> Ignored
C:\WINDOWS\SYSTEM32\Qhblzj.exe -> Spyware.DealHelper.ac -> Ignored
C:\WINDOWS\SYSTEM32\redit.cpl -> TrojanDownloader.Qoologic.p -> Ignored
C:\WINDOWS\SYSTEM32\rtneg2.dll -> Spyware.Beginto.c -> Ignored
C:\WINDOWS\SYSTEM32\saie1108.exe -> Spyware.180solutions -> Ignored
C:\WINDOWS\SYSTEM32\SSK_B5 Verticlick 7.EXE -> TrojanDropper.Small.wd -> Ignored
C:\WINDOWS\SYSTEM32\supdate.dll -> TrojanDownloader.Qoologic.p -> Ignored
C:\WINDOWS\SYSTEM32\tool2_667279.exe -> Spyware.Beginto.c -> Ignored
C:\WINDOWS\SYSTEM32\uvknmz.exe -> TrojanDownloader.Qoologic.n -> Ignored
C:\WINDOWS\SYSTEM32\wintask.exe -> TrojanDownloader.Small.abd -> Ignored
C:\WINDOWS\SYSTEM32\wpavb.dat -> TrojanDownloader.Qoologic.n -> Ignored
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent.b -> Ignored


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 6:45:27 PM, on 6/24/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\PROGRA~1\NORTON~1\WinFax\WFXMOD32.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\PopUpBuster\popupbuster.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.com
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WorkFlowTray] "C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
O4 - HKLM\..\Run: [PDF Converter Registry Controller] "C:\Program Files\ScanSoft\OmniPagePro14.0\PdfCnv\RegistryController.exe"
O4 - HKLM\..\Run: [SSPrnAgent] C:\Program Files\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PopUp Buster+] C:\Program Files\PopUpBuster\popupbuster.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open PDF in Word - res://C:\Program Files\ScanSoft\OmniPagePro14.0\PdfCnv\IEShellExt.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\popupbuster.exe
O9 - Extra 'Tools' menuitem: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\popupbuster.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsup ... SupCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.i1.yimg.com/us.yimg.com/i/cha ... acscom.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 5227135562
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/se ... loader.cab
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WinFax Basic Edition (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
rwskreen
Active Member
Posts: 5
Joined: June 22nd, 2005, 10:53 pm
Location: Longview, WA

Unread postby LDTate » June 24th, 2005, 10:21 pm

Duration: 101 min
+ Scanned Files: 133455
+ Speed: 21.85 Files/Second
+ Infected files: 295
+ Removed files: 0
+ Files put in quarantine: 0
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

Did you run the scan in Safe Mode?
It should have cleaned these.
LDTate
WTT Teacher
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA
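
The summary LDTate quotes here (infected files listed, nothing removed) and the "path -> detection -> action" result lines earlier in the thread follow a simple format, so they can be parsed and triaged automatically. The parser below is an added example, not code from any post or from ewido; the two embedded reports are constructed, with paths and detection names copied from the logs above and counts made up to match them.

```python
"""Parse an ewido security suite scan report and triage its findings."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Two constructed reports in the format quoted in this thread; paths and detection
# names are copied from the logs above, the counts are made up to match them.
FIRST_REPORT = r"""
ewido security suite - Scan report
+ Duration: 101 min
+ Infected files: 3
+ Removed files: 0
+ Files put in quarantine: 0

+ Scan result:
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP951\A0051799.dll -> Trojan.Pakes -> Ignored
C:\WINDOWS\SYSTEM32\eliteyub32.exe -> Spyware.Hijacker.Generic -> Ignored
C:\WINDOWS\SYSTEM32\dbnorad.exe -> TrojanDownloader.Qoologic.q -> Ignored

::Report End
"""
SECOND_REPORT = r"""
+ Infected files: 2
+ Removed files: 2
+ Files put in quarantine: 2

+ Scan result:
C:\WINDOWS\SYSTEM32\eliteyub32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup

::Report End
"""

HEADER_RE = re.compile(r"^\+ (?P<key>[^:]+): (?P<value>.*)$")


@dataclass
class Detection:
    path: str
    detection: str
    action: str  # "Ignored" (report only) or "Cleaned with backup" (quarantined)

    @property
    def family(self) -> str:
        # "TrojanDownloader.Small.apm" -> "TrojanDownloader.Small"
        return ".".join(self.detection.split(".")[:2])

    @property
    def in_restore_point(self) -> bool:
        # System Restore snapshots hold dormant copies: harmless until a restore
        # point is reapplied, so they are triaged separately from live files.
        return "\\system volume information\\" in self.path.lower()


@dataclass
class Report:
    summary: dict = field(default_factory=dict)  # "+ Key: value" header lines
    results: list = field(default_factory=list)  # one Detection per result line


def parse_report(text: str) -> Report:
    """Read the header block and the 'path -> detection -> action' lines."""
    report, in_results = Report(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "+ Scan result:":
            in_results = True
        elif in_results:
            parts = line.rsplit(" -> ", 2)  # rsplit: the path itself may contain spaces
            if len(parts) == 3:
                report.results.append(Detection(*parts))
        elif (m := HEADER_RE.match(line)):
            value = m.group("value").strip()
            report.summary[m.group("key")] = int(value) if value.isdigit() else value
    return report


def triage(report: Report) -> dict:
    """Summarise a report and flag what a helper would ask about next."""
    live = [d for d in report.results if not d.in_restore_point]
    live_ignored = [d.path for d in live if d.action == "Ignored"]
    infected = report.summary.get("Infected files")
    removed = report.summary.get("Removed files", 0)
    flags = []
    if isinstance(infected, int) and infected != len(report.results):
        flags.append("count_mismatch")  # header disagrees with the result lines
    if isinstance(infected, int) and infected > 0 and removed == 0:
        flags.append("report_only")  # scanned but cleaned nothing: rerun in clean mode
    if live_ignored:
        flags.append("live_ignored")  # malware outside restore points still on disk
    return {
        "by_action": dict(Counter(d.action for d in report.results)),
        "by_family": dict(Counter(d.family for d in report.results)),
        "restore_point": len(report.results) - len(live),
        "live": len(live),
        "live_ignored": live_ignored,
        "flags": flags,
    }
```

Running `triage(parse_report(FIRST_REPORT))` flags the first report as report-only with two live files still ignored, while the second report, where everything was cleaned with backup, raises no flags.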

Unread postby rwskreen » June 24th, 2005, 10:30 pm

Hello, glad you're there now. Yes, I did run the scan in Safe Mode; however, I thought that you didn't want me to remove them at that time, so that the log would show the status before cleaning, so I did not have Ewido remove/clean the infections. So, go into Safe Mode and let Ewido do its thing... right?
Clean/remove everything. I will do that now. Thank you again.
rwskreen
Active Member
Posts: 5
Joined: June 22nd, 2005, 10:53 pm
Location: Longview, WA

Unread postby LDTate » June 24th, 2005, 10:34 pm

So, go into Safe Mode and let Ewido do its thing... right?
Clean/remove everything. I will do that now. Thank you again.
Yes, it'll show what it deletes and what it can't. If it can't delete something then we'll clean it with a manual fix.

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer.
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear.
4) Select the first option, to run Windows in Safe Mode.


Then please run Ewido, and run a full scan. Clean/remove everything. Save the logfile from the scan.


Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
LDTate
WTT Teacher
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA

Unread postby rwskreen » June 26th, 2005, 1:57 am

Finally back again... when I ran Ewido in Safe Mode to scan and delete/clean files, the Ewido software would experience an exception fault and have to terminate, and this occurred the first five (5) times that I ran the scan. Each time I ran the scan, malware was removed, and when the exception occurred the scan was about 70%+ finished. But I just kept restarting the Ewido program and initiated a new scan. On the sixth time, it got all the way through and finished, cleaning/removing 50 infected files on this last scan. So, my Ewido log posted below only has 50 removed files, because all the others (295-50=245, since there were initially 295 infected files from the initial scan) were removed during scans that were terminated prior to completion.
Anyway, my system seems to be just fine now, but time will tell. Posted below are the latest Ewido scan log and HijackThis scan log. Please let me know if you see anything suspicious. Once again, thank you so much for your help in this nasty matter.

Best Regards, Robert W. Skreen

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 10:42:27 AM, 6/25/2005
+ Report-Checksum: 7A5A8B70

+ Date of database: 6/25/2005
+ Version of scan engine: v3.0

+ Duration: 93 min
+ Scanned Files: 133417
+ Speed: 23.77 Files/Second
+ Infected files: 50
+ Removed files: 50
+ Files put in quarantine: 50
+ Files that could not be opened: 0
+ Files that could not be cleaned: 0

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\

+ Scan result:
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP991\A0054252.dll -> Spyware.BookedSpace.e -> Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP991\A0054253.exe -> Spyware.BookedSpace.e -> Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP991\A0054254.exe -> Spyware.EliteBar.z -> Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP991\A0054255.exe -> TrojanDownloader.Small.ayh -> Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP991\A0054256.exe -> Spyware.WildTangent.DownloadWare -> Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP991\A0054257.exe -> Spyware.SmartPops -> Cleaned with backup
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\0LYB8PAR\protector_update[1].exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\6QENFBH5\protector_update[1].exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\cxtpls_loader.exe -> TrojanDownloader.Apropo.ab -> Cleaned with backup
C:\WINDOWS\SYSTEM32\dbnorad.exe -> TrojanDownloader.Qoologic.q -> Cleaned with backup
C:\WINDOWS\SYSTEM32\eliteate32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\elitedrb32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\elitedze32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\eliteehz32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\elitefep32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\eliteidr32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\elitejgk32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\elitelvx32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\elitemar32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\elitenbw32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\eliteplv32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\elitersu32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\elitesai32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\elitesbo32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\eliteuja32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\elitevbs32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\elitexas32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\elitexix32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\elitexut32.exe -> Spyware.Hijacker.Generic -> Cleaned with backup
C:\WINDOWS\SYSTEM32\exp.exe -> TrojanDownloader.Small.abd -> Cleaned with backup
C:\WINDOWS\SYSTEM32\GSM2.exe -> Trojan.Registrator.b -> Cleaned with backup
C:\WINDOWS\SYSTEM32\HookPopup.dll -> Spyware.DealHelper.ab -> Cleaned with backup
C:\WINDOWS\SYSTEM32\installer_MARKETING18.exe -> TrojanDownloader.Adload.a -> Cleaned with backup
C:\WINDOWS\SYSTEM32\kdcyrc.exe -> Spyware.Adstart -> Cleaned with backup
C:\WINDOWS\SYSTEM32\kdcyrd.exe -> Spyware.Adstart -> Cleaned with backup
C:\WINDOWS\SYSTEM32\kdcyrf.exe -> Spyware.Adstart.b2 -> Cleaned with backup
C:\WINDOWS\SYSTEM32\main.exe -> TrojanDownloader.Agent.hw -> Cleaned with backup
C:\WINDOWS\SYSTEM32\ozighxo.dll -> TrojanDownloader.Qoologic.q -> Cleaned with backup
C:\WINDOWS\SYSTEM32\pacis.exe -> Spyware.Pacer.a -> Cleaned with backup
C:\WINDOWS\SYSTEM32\pop2.exe -> Spyware.MediaPass -> Cleaned with backup
C:\WINDOWS\SYSTEM32\psoft1.exe -> Spyware.Pacer.a -> Cleaned with backup
C:\WINDOWS\SYSTEM32\Qhblzj.exe -> Spyware.DealHelper.ac -> Cleaned with backup
C:\WINDOWS\SYSTEM32\redit.cpl -> TrojanDownloader.Qoologic.p -> Cleaned with backup
C:\WINDOWS\SYSTEM32\rtneg2.dll -> Spyware.Beginto.c -> Cleaned with backup
C:\WINDOWS\SYSTEM32\saie1108.exe -> Spyware.180solutions -> Cleaned with backup
C:\WINDOWS\SYSTEM32\SSK_B5 Verticlick 7.EXE -> TrojanDropper.Small.wd -> Cleaned with backup
C:\WINDOWS\SYSTEM32\supdate.dll -> TrojanDownloader.Qoologic.p -> Cleaned with backup
C:\WINDOWS\SYSTEM32\tool2_667279.exe -> Spyware.Beginto.c -> Cleaned with backup
C:\WINDOWS\SYSTEM32\wpavb.dat -> TrojanDownloader.Qoologic.n -> Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent.b -> Cleaned with backup


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 10:58:17 PM, on 6/25/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\PROGRA~1\NORTON~1\WinFax\WFXMOD32.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\PopUpBuster\popupbuster.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\SYSTEM32\calc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.com
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WorkFlowTray] "C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
O4 - HKLM\..\Run: [PDF Converter Registry Controller] "C:\Program Files\ScanSoft\OmniPagePro14.0\PdfCnv\RegistryController.exe"
O4 - HKLM\..\Run: [SSPrnAgent] C:\Program Files\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PopUp Buster+] C:\Program Files\PopUpBuster\popupbuster.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open PDF in Word - res://C:\Program Files\ScanSoft\OmniPagePro14.0\PdfCnv\IEShellExt.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\popupbuster.exe
O9 - Extra 'Tools' menuitem: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\popupbuster.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsup ... SupCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.i1.yimg.com/us.yimg.com/i/cha ... acscom.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 5227135562
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/se ... loader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{22D5285F-1040-412C-8009-10F1803C7C20}: NameServer = 209.102.124.11 209.102.124.10
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WinFax Basic Edition (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
rwskreen
Active Member
 
Posts: 5
Joined: June 22nd, 2005, 10:53 pm
Location: Longview, WA

Unread postby LDTate » June 26th, 2005, 6:44 am

That looks much better.


These are Optional resource hogs and not needed at startup.

Run hijackthis. Hit None of the above, Click Do a System Scan Only. Put a Check in the box on the left side on these:

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000


Close ALL windows and browsers except HijackThis and click "Fix checked"


Empty Recycle Bin

Reboot and "copy/paste" a new log file into this thread.
Also please describe how your computer behaves at the moment.
LDTate
WTT Teacher
 
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA

Unread postby rwskreen » June 28th, 2005, 1:19 am

Back again... I did as you suggested, deleting five registry entries to save resources, rebooted, and the new HijackThis log is posted below.
My computer is behaving quite well, and it looks like things are under control. This is a great forum, and this is the first time I have used a forum for help like this. I really appreciate your help and comments. I will be back! Thank you again... Robert Skreen

Logfile of HijackThis v1.99.1
Scan saved at 10:12:34 PM, on 6/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\PROGRA~1\NORTON~1\WinFax\WFXMOD32.EXE
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe
C:\Program Files\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\PopUpBuster\popupbuster.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Nikon\NkView4\NkVwMon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://google.com
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [USB] C:\WINDOWS\system32\usb.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [WFXSwtch] C:\PROGRA~1\NORTON~1\WinFax\WFXSWTCH.exe
O4 - HKLM\..\Run: [checktime] c:\program files\HPSelect\Frontend\ct.exe
O4 - HKLM\..\Run: [DVDBitSet] "C:\Program Files\HP CD-DVD\Umbrella\DVDBitSet.exe" /NOUI
O4 - HKLM\..\Run: [DVDTray] "C:\Program Files\HP CD-DVD\Umbrella\DVDTray.exe"
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [WorkFlowTray] "C:\Program Files\ScanSoft\OmniPagePro14.0\WorkFlowTray.exe"
O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
O4 - HKLM\..\Run: [OpScheduler] "C:\Program Files\ScanSoft\OmniPagePro14.0\OpScheduler.exe"
O4 - HKLM\..\Run: [PDF Converter Registry Controller] "C:\Program Files\ScanSoft\OmniPagePro14.0\PdfCnv\RegistryController.exe"
O4 - HKLM\..\Run: [SSPrnAgent] C:\Program Files\ScanSoft\OmniPagePro14.0\PdfPrn\SPrnAgent.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PopUp Buster+] C:\Program Files\PopUpBuster\popupbuster.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Cleaner] "C:\Program Files\Spyware Cleaner\SpywareCleaner.Exe" /boot
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: NkVwMon.exe.lnk = C:\Program Files\Nikon\NkView4\NkVwMon.exe
O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O8 - Extra context menu item: Open PDF in Word - res://C:\Program Files\ScanSoft\OmniPagePro14.0\PdfCnv\IEShellExt.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\popupbuster.exe
O9 - Extra 'Tools' menuitem: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program Files\PopUpBuster\popupbuster.exe
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid= ... lcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsup ... SupCtl.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.i1.yimg.com/us.yimg.com/i/cha ... acscom.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v ... 5227135562
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsup ... mAData.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/se ... loader.cab
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper Home Edition\DKService.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WinFax Basic Edition (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
rwskreen
Active Member
 
Posts: 5
Joined: June 22nd, 2005, 10:53 pm
Location: Longview, WA
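As an added example (not code from this thread, from HijackThis or from its author), the following Python script does the log triage a helper performs by eye: it parses the "Oxx - ..." item lines, diffs two logs to show which entries a "Fix checked" pass removed and which appeared since, and flags O23 services whose binary HijackThis reports as "(file missing)". The two embedded sample logs are a constructed subset of the June 25 and June 27 logs posted above.

```python
"""Triage helpers for HijackThis v1.99.1 logs (added example, not from the thread).
Diffs two logs to show what a "Fix checked" pass removed and what appeared,
and flags O23 services reported "(file missing)". BEFORE/AFTER are a
constructed subset of the logs posted in this thread."""
import re

ITEM_RE = re.compile(r"^(?P<kind>[RFNO]\d+) - (?P<body>.*)$")
# O4 registry form:        HKLM\..\Run: [name] command
O4_REG = re.compile(r"^(?P<scope>HK[A-Z]+\\\.\.\\\w+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# O4 startup-folder form:  Global Startup: name.lnk = path
O4_LNK = re.compile(r"^(?P<scope>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# O23 form:                Service: name - owner - path [(file missing)]
O23_RE = re.compile(
    r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

BEFORE = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:58:17 PM, on 6/25/2005
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
"""

AFTER = r"""Logfile of HijackThis v1.99.1
Scan saved at 10:12:34 PM, on 6/27/2005
O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O23 - Service: SpywareCleanerService - Unknown owner - C:\Program Files\Spyware Cleaner\SCService.exe (file missing)
"""

def parse_items(text):
    """Return {kind: set(body)} over every 'Oxx - ...' line of a log."""
    items = {}
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items.setdefault(m["kind"], set()).add(m["body"])
    return items

def diff_logs(before, after):
    """Return (removed, added) as sorted lists of full 'Oxx - body' lines."""
    b, a = parse_items(before), parse_items(after)
    removed = sorted(f"{k} - {x}" for k in b for x in b[k] - a.get(k, set()))
    added = sorted(f"{k} - {x}" for k in a for x in a[k] - b.get(k, set()))
    return removed, added

def parse_o4(body):
    """Split an O4 body into (scope, name, command); None if it is neither O4 form."""
    m = O4_REG.match(body) or O4_LNK.match(body)
    return (m["scope"], m["name"], m["cmd"]) if m else None

def missing_services(text):
    """Names of O23 services whose binary HijackThis reports as missing."""
    names = []
    for body in parse_items(text).get("O23", ()):
        m = O23_RE.match(body)
        if m and m["missing"]:
            names.append(m["name"])
    return sorted(names)

if __name__ == "__main__":
    removed, added = diff_logs(BEFORE, AFTER)
    print("removed by the fix:", *removed, sep="\n  ")
    print("new since the previous log:", *added, sep="\n  ")
    print("services with missing binaries:", missing_services(AFTER))
```

On the constructed sample the diff reports the five entries LDTate asked to have fixed and one new O3 toolbar entry, which is the kind of change a helper wants to see called out rather than hunt for in a second full log.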

Unread postby LDTate » June 28th, 2005, 6:39 am

Good Job :D


Log looks good :D

Note: This will remove all previous Restore Points

Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Restart your computer, turn it back on.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Remove the Check Turn off System Restore.
Click Apply, and then click OK.

Click Start > My Computer, select the Tools menu and then Folder Options; after the new window appears, select the View tab.
This time select the: Restore Defaults
Select: Apply, and click OK




If you don't have these three programs I would recommend that you get them: Spywareblaster, Spywareguard and IESPY AD. They will add 1000's of sites to your restricted zone and block some hijacks from happening. I also have a FREE FIREWALL and FREE ANTI VIRUS if you need one.

It is critical to have both a firewall and anti virus to protect your system.

Keep your system up to date and run Adaware & Spybot, once a week works, and hopefully you will be ok from here on. Both are available below.

Safe Surfing. :D
LDTate
WTT Teacher
 
Posts: 3920
Joined: February 18th, 2005, 8:38 pm
Location: Missouri, USA

Unread postby ChrisRLG » July 24th, 2005, 6:29 pm

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.


You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
ChrisRLG
Administrator Emeritus
 
Posts: 17759
Joined: December 16th, 2004, 10:04 am
Location: Southend, Essex, UK