Free Malware Removal Forum

by **gnfnrs98** » December 18th, 2005, 9:01 pm

Here is my hijackthis log file:

Logfile of HijackThis v1.99.1
Scan saved at 7:58:10 PM, on 12/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\setup32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\BacsTray.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\batserv2.exe
C:\WINDOWS\system32\shdocha.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\BellSouth\Connection Manager\CManager.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\WINDOWS\nvsvc32.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\sysc.exe
C:\WINDOWS\System32\PdeSrv2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Don\My Documents\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocha.dll/defAPI.htm#secirityx32;
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=382
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
F2 - REG:system.ini: UserInit=userinit.exe,setup32.exe
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\byvur.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-90f0-f66ab581a933} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\urqom.dll
O2 - BHO: MyBHO - {784aa380-13f2-422e-8540-f2280f1dd4f1} - C:\WINDOWS\System32\bhoimpl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SoundMax] C:\WINDOWS\System32\dll32\csrss.exe
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [BatSrv] C:\WINDOWS\batserv2.exe
O4 - HKLM\..\Run: [FHAPage] C:\WINDOWS\system32\shdocha.exe home
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe" /auto:TivoTransfer /registry /service
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /auto:TivoServer /registry /service
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: OSA.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {D2EABF44-8A32-4B2E-822F-642BB7979132} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D2EABF44-8A32-4B2E-822F-642BB7979132} - (no file) (HKCU)
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest.com/dlt/364.chm::/file.exe
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O20 - AppInit_DLLs: tdjsb7rb4pekcill.dll.dll.dll.dll.dll.dll
O20 - Winlogon Notify: byvur - byvur.dll (file missing)
O20 - Winlogon Notify: urqom - C:\WINDOWS\System32\urqom.dll
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

by **amateur** » December 19th, 2005, 1:10 pm

Hi gnfnrs98,

Welcome to MRU.

I'll be glad to help you. I'll need to research the items in your log. It takes a considerable time. Please be patient and I'll get back to you as soon as I can.

by **amateur** » December 20th, 2005, 7:39 pm

Hi gnfnrs98,

I am working on this post now, I'll get back to you later. Thank you for being patient.

by **amateur** » December 22nd, 2005, 4:47 pm

Hi gnfnrs98

Thank you for being patient.

You have multiple infections, unfortunately.

We'll start dealing with SmitRem and continue with vundo infection later.

Open Spyware Doctor and disable the real-time protection.

" Click the Onguard button to the left.
" Remove the check from the "Activate OnGuard" option in the next window to disable all protection.

I am going to ask you to download some programs. Do not run them yet. We'll do that later.

If there's anything that you don't understand, please ask before you proceed with the fixes. Follow the instructions in the sequence they are given. Please read carefully and then print these instructions so that you'll have access to them later when you are in Safe Mode.

Trial version of Ewido Security Suite 3.5 from here:

" Install Ewido Security Suite.
" When installing, under Additional Options uncheck Install background guard and Install scan via context menu.
" When you run Ewido for the first time, you could get a warning "Database could not be found!". Click Ok.
" The program will prompt you to update. Click the Ok button.
" The program will now go to the main screen.
You will need to update Ewido to the latest definition files.
" On the left-hand side of the main screen click the Update Button.
" Click on Start.
The update will start and a progress bar will show the updates being installed.
Once finished updating, close Ewido.

If you are having problems with the updater, you can use this link Ewido manual updates to manually update ewido.
Make sure to close Ewido before installing the update.

When you have finished updating, EXIT Ewido.
=======
Place a shortcut to Panda ActiveScan on your desktop.
=======

SmitRem Fix Version 2.8
Double click on the file to extract it to it's own folder on the desktop. Do not run it yet.
=======

Ccleaner

=======

Ad-Aware SE and install it. If you already have Ad-Aware SE, please configure it as indicated below. If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06. Do not use it yet.

Download Kilbox Do NOT use it yet

==============================================

We need to show hidden files and folders.

Start>My Computer >Tools>Folder Options> View

Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Uncheck the Hide file extensions for known file types.
Click OK.

You will be prompted to reboot... choose NO
Close out of the Control Panel
==============================================

Reboot in Safe Mode by restarting your computer and after the first 'beep' begin tapping on the F8 key. A black menu page will appear.
Use your arrow keys to choose Safe Mode (without networking!)
Click on the Enter key.
Your desktop will appear, although it will be very distorted. The words Safe Mode will be on each corner of the desktop.

===============================================

Go into Hijack This->Config->Misc. Tools->Open process manager. Select the following and click "Kill process" (If still exists, and if there is more than one instance, you must kill them all one at a time).

batserv2.exe
sysc.exe
shdocha.exe

Click on "back".

Then, click on Scan. Close all other windows except HijackThis. Put a checkmark against:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://C:\WINDOWS\system32\shdocha.dll/defAPI.htm#secirityx32;
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.makemesearch.com/?said=382
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
F2 - REG:system.ini: UserInit=userinit.exe,setup32.exe
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\byvur.dll (file missing)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-90f0-f66ab581a933} - (no file)
O2 - BHO: MyBHO - {784aa380-13f2-422e-8540-f2280f1dd4f1} - C:\WINDOWS\System32\bhoimpl.dll
O4 - HKLM\..\Run: [Security iGuard] C:\Program Files\Security iGuard\Security iGuard.exe
O4 - HKLM\..\Run: [BatSrv] C:\WINDOWS\batserv2.exe
O4 - HKLM\..\Run: [FHAPage] C:\WINDOWS\system32\shdocha.exe home
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://c:\nosuch.mht!http://www.awmdabest.com/dlt/364.chm::/file.exe
O20 - AppInit_DLLs: tdjsb7rb4pekcill.dll.dll.dll.dll.dll.dll
O20 - Winlogon Notify: byvur - byvur.dll (file missing)

press the Fix checked button, and then close HijackThis.

===============================================

Still in Safe mode:

Open killbox.exe.

Click on Tools>Delete Temp Files

A box will open with a list of all user profiles.

Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.

Temporary Internet Files
Temp Files
XP Prefetch

If you want to clean your cookies, history, and list of recent files run you may check those boxes as well.

Then,

Check on the Button titled "Delete Selected Temp Files"

Exit by clicking the Button titled "Exit (Save Settings)"

Once back into the main killbox program.

Check the following boxes:

Delete on Reboot

Highlight all the entries in the quote box below and then Copy them.

C:\WINDOWS\System32\setup32.exe

C:\WINDOWS\System32\sysc.exe

C:\WINDOWS\System32\bhoimpl.dll

C:\Program Files\Security iGuard\Security iGuard.exe

C:\WINDOWS\batserv2.exe

C:\WINDOWS\system32\shdocha.exe

Then in killbox click File>>Paste from Clipboard

At this point the "All Files" button should be enabled so you can click it.

Click the "All Files" button.

Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes

A second message will ask to Reboot now? you will need to click Yes to allow the reboot.

If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.

Note: Killbox will let you know if a file does not exist. If that happens, just continue on.

If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click yes to allow the reboot.
==========================================

Still in Safe Mode, on your keyboard, click on the Windows key and the E key to bring up your Windows Explorer. Click to expand the C:/ drive, navigate to and delete the following folderin bold, if found:

C:\Program Files\Security iGuard

While you still have your Windows Explorer open, scroll through the C:\Windows to the Prefetch folder. Open the folder. Go to Edit>Select All and delete the contents of the folder. Close Windows Explorer.
Empty your recycle bin.

=========================================

Still in Safe Mode Open and Run SmitRem

pen the smitRem Folder, then double-click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.
The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

==============================================

Still in Safe Mode Run Ccleaner

Click on Options, Select Advanced Now UNCHECK "Only delete files in Windows Temp folders older than 48 hours"
Make sure the Cleaner block on the left is selected. (Do not use the "Issues" block) Choose the Windows tab.
Check everything EXCEPT cookies, the Autocomplete Form History and the Advanced part of the Menu.
Choose Run Cleaner. This process could take a while.
When CCleaner shows how much has been removed, cleaning is finished. Click Exit. Stay on Safe Mode.

==============================================

Run Ewido in Safe Mode.

Close ALL open Windows / Programs / Folders. Please start Ewido Security Suite, and run a full scan.
" Click on Scanner
" Click on Settings
o Under How to scan all boxes should be checked
o Under Unwanted Software all boxes should be checked
o Under What to scan select Scan every file
o Click on Ok
" Click on Complete System Scan to start the scan process.
" Let the program scan the machine.

If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.

Once the scan has completed, there will be a button located on the bottom of the screen named Save Report.
" Click "Save Report"
" Save the report to your Desktop

==============================================

Go to Control Panel > Internet Options. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

==============================================

Next go to Control Panel > Display. Click on the "Desktop" tab then click the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you should see an entry checked called something like "Security info" or similar. If it is there, select that entry and click the "Delete" button. Click OK then Apply and OK.

==============================================

Still in Safe Mode run Ad-Aware and Click on the Scan Now Button
o Choose Perform Full System Scan
o DESELECT Search for negligible risk entries, as negligible risk entries (MRU's) are not considered to be a threat. (make it show a red X)
Click Next to begin the scan. When the scan is completed, the Performing System Scan screen will change name to Scan Complete.

Click the Next Button to get to the Scanning Results Window where more information about the objects detected during the scan is available. Click the Critical Objects Tab. In general all of the items listed will be bad. To fix all the bad critical objects, right click on one of them, click the Select All entry in the pop-up menu to mark all entries. Click Next and then OK in the dialog box to confirm the removal.
Press Close to exit.
==============================================

Reboot in Normal Mode

==============================================

Run Panda's ActiveScan and perform a full system scan.
" Once you are on the Panda site click the Scan your PC button.
" A new window will open...click the big Check Now button.
" Enter your Country.
" Enter your State/Province.
" Enter your e-mail address.
" Select either Home User or Company.
" Click the big Scan Now button.
" Allow the ActiveX component to install and download the files required for the scan. This may take a couple of minutes.
" Click on Local Disks to start the scan.
Click on the Panda Active Scan and run it.
Let it clean, disinfect, quarantine any items found. Save the report that it creates.
===============================================
Reboot and run HijackThis again.

Please post the new HijackThis log, Ewido report, results from smitfiles.txt, and the Panda online scan result in your next post.

If you're left with a white screen, move your mouse to the top right corner, where the X button usually is and one should appear (kind of in a "hide taskbar" sort of manner) Click it and the white screen goes away!

by **gnfnrs98** » December 26th, 2005, 6:53 pm

Logfile of HijackThis v1.99.1
Scan saved at 5:26:33 PM, on 12/26/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\BacsTray.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\nvsvc32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\BellSouth\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\PdeSrv2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Don\My Documents\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
F2 - REG:system.ini: UserInit=userinit.exe,setup32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\urqom.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe" /server /nosystray
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SoundMax] C:\WINDOWS\System32\dll32\csrss.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe" /auto:TivoTransfer /registry /service
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /auto:TivoServer /registry /service
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Download] "C:\DOCUME~1\Don\LOCALS~1\Temp\BellSouth\SSGet.exe" 120 "http://download.fastaccess.com/download/HCUpgrade3.1.exe" "HCUpgrade3.1.exe" Log
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {D2EABF44-8A32-4B2E-822F-642BB7979132} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D2EABF44-8A32-4B2E-822F-642BB7979132} - (no file) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O20 - Winlogon Notify: urqom - C:\WINDOWS\System32\urqom.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Ewido report:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:03:37 PM, 12/26/2005
+ Report-Checksum: 17BD6FD

+ Scan result:

HKLM\SOFTWARE\Classes\ANSMTP.OBJ -> Spyware.007Spy : Cleaned with backup
HKLM\SOFTWARE\Classes\ANSMTP.OBJ\CLSID -> Spyware.007Spy : Cleaned with backup
HKLM\SOFTWARE\Classes\ANSMTP.OBJ\CurVer -> Spyware.007Spy : Cleaned with backup
HKLM\SOFTWARE\Classes\ANSMTP.OBJ.1 -> Spyware.007Spy : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C91E8926-D4BE-4685-99F4-0D996B96BAC0} -> Spyware.P2PNetworking : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CLSID -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents\CurVer -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\MSEvents.MSEvents.1 -> Spyware.VirtuMonde : Cleaned with backup
HKLM\SOFTWARE\Classes\WebP2PInstaller.Installer -> Spyware.P2PNetworking : Cleaned with backup
HKLM\SOFTWARE\Classes\WebP2PInstaller.Installer\CLSID -> Spyware.P2PNetworking : Cleaned with backup
HKLM\SOFTWARE\Classes\WebP2PInstaller.Installer\CurVer -> Spyware.P2PNetworking : Cleaned with backup
HKLM\SOFTWARE\Classes\WebP2PInstaller.Installer.1 -> Spyware.P2PNetworking : Cleaned with backup
HKLM\SOFTWARE\Need2Find -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup
HKLM\SOFTWARE\Need2Find\bar\Partner -> Spyware.Need2Find : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_5021 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_5405 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_5407 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_6365 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_5026 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_5063 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_5135 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_5137 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_5149 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_5150 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_5154 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_5244 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_5345 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_5353 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_5363 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_5370 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_5474 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_5604 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_5627 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_5668 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_5679 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_5798 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_5903 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_5931 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_5939 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_5982 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_5987 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_5988 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_5991 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_6008 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_6116 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_6183 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_6221 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_6236 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_6315 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_6327 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_1\Seqn_6585 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_1 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_1\Seqn_5187 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_1\Seqn_5188 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_1\Seqn_5196 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_1\Seqn_5517 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_1\Seqn_5913 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_1\Seqn_6047 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_1\Seqn_6376 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_2 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_2\Seqn_5535 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_2\Seqn_6540 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_0 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_0\Seqn_6365 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_5026 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_5063 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_5134 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_5135 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_5137 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_5149 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_5150 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_5154 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_5244 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_5345 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_5353 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_5363 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_5370 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_5474 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_5604 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_5627 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_5668 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_5679 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_5798 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_5903 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_5931 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_5939 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_5982 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_5987 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_5988 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_5991 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_6008 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_6116 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_6183 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_6221 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_6236 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_6315 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_6327 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_2\Level_1\Seqn_6585 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0\Seqn_5021 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0\Seqn_5405 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0\Seqn_5407 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_0\Seqn_6365 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_5026 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_5063 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_5135 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_5137 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_5149 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_5150 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_5154 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_5244 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_5345 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_5353 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_5363 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_5370 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_5474 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_5604 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_5627 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_5668 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_5679 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_5798 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_5903 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_5931 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_5939 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_5982 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_5987 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_5988 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_5991 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_6008 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_6116 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_6183 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_6221 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_6236 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_6315 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_6327 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_3\Level_1\Seqn_6585 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_5171 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_5409 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_5432 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_0\Seqn_5735 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_1 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_1\Seqn_5125 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_1\Seqn_5818 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_1\Seqn_5882 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_1\Seqn_6015 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_2 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_2\Seqn_5043 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_2\Seqn_5106 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_2\Seqn_5120 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_2\Seqn_5177 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_2\Seqn_5534 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_2\Seqn_5930 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_2\Seqn_6070 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_2\Seqn_6831 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_4 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Loct_4\Level_4\Seqn_5465 -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services\Queue -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Kazaa\Promotions\Cydoor\Adwr_329\Services\Status -> Spyware.Cydoor : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Need2Find -> Spyware.Need2Find : Cleaned with backup
HKU\S-1-5-21-1860493358-3758347995-3366240910-1005\Software\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup
C:\!KillBox\batserv2.exe -> Worm.Locksky.m : Cleaned with backup
C:\!KillBox\setup32.exe -> Backdoor.Rbot : Cleaned with backup
C:\!KillBox\shdocha.exe -> Not-A-Virus.Hoax.Win32.EvidenceEliminator.a : Cleaned with backup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\OSA.exe -> Not-A-Virus.Hoax.Win32.EvidenceEliminator.a : Cleaned with backup
C:\Program Files\Need2Find -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\History -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\History\search -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Need2Find\bar\Settings -> Spyware.Need2Find : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq75.tmp -> Downloader.WebP2PInstaller : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq77.tmp -> Spyware.P2PNetworking : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq78.tmp -> Spyware.P2PNetworking : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq79.tmp\P2P Networking.exe -> Spyware.P2PNetworking : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8C.tmp -> Spyware.Altnet : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB1.tmp -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB2.tmp -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB3.tmp -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB5.tmp -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB6.tmp -> Spyware.Cookie.Centrport : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB8.tmp -> Spyware.Cookie.Com : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB9.tmp -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqBB.tmp -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqBC.tmp -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqBD.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqBE.tmp -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqBF.tmp -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC0.tmp -> Spyware.Cookie.Paycounter : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC2.tmp -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC3.tmp -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC7.tmp -> Spyware.Cookie.Webtrendslive : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP109\A0058897.dll -> Downloader.Agent.ga : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP110\A0059056.dll -> Downloader.Small.bpk : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP110\A0059061.com -> Not-A-Virus.Hoax.Win32.EvidenceEliminator.a : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP110\A0059062.com -> Not-A-Virus.Hoax.Win32.EvidenceEliminator.a : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP110\A0059063.exe -> Worm.Locksky.m : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP111\A0059136.exe -> Backdoor.Rbot : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP111\A0059138.exe -> Worm.Locksky.m : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP111\A0059139.exe -> Not-A-Virus.Hoax.Win32.EvidenceEliminator.a : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP111\A0060137.dll -> Downloader.Agent.kf : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP111\A0060141.exe -> Downloader.Small.rr : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP78\A0036805.exe -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP78\A0036806.exe -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP89\A0044494.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP89\A0044495.DLL -> Spyware.MyWebSearch : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP89\A0044531.DLL -> Spyware.MySearch : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP89\A0044539.dll -> Spyware.MySearch : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\html.exe -> Not-A-Virus.Hoax.Win32.EvidenceEliminator.a : Cleaned with backup
C:\WINDOWS\enco64.exe -> Logger.VB.ec : Cleaned with backup
C:\WINDOWS\exref.exe -> Not-A-Virus.Monitor.WinSpy.a : Cleaned with backup
C:\WINDOWS\itshta.exe -> Trojan.Small.cr : Cleaned with backup
C:\WINDOWS\ntsvc32.exe -> Not-A-Virus.Monitor.WinSpy.d : Cleaned with backup
C:\WINDOWS\outlookr.exe -> Logger.WinSpy.a : Cleaned with backup
C:\WINDOWS\syst32.exe -> Not-A-Virus.Monitor.WinSpy.b : Cleaned with backup
C:\WINDOWS\SYSTEM32\2s7jjgm8en.dll -> Downloader.Small.rr : Cleaned with backup
C:\WINDOWS\SYSTEM32\ANSMTP.dll -> Trojan.Winspy.A : Cleaned with backup
C:\WINDOWS\SYSTEM32\MTC.dll -> Downloader.Agent.ga : Cleaned with backup
C:\WINDOWS\SYSTEM32\nlgjzzzjx2x09.dll -> Downloader.Small.rr : Cleaned with backup
C:\WINDOWS\SYSTEM32\shdocha.dll -> Not-A-Virus.Hoax.Win32.EvidenceEliminator.a : Cleaned with backup
C:\WINDOWS\winsyst32.exe -> Logger.WinSpy.a : Cleaned with backup
C:\WINDOWS\wldr.dll -> Downloader.Agent.kf : Cleaned with backup
C:\WINDOWS\wsdll.exe -> Logger.WinSpy.a : Cleaned with backup

::Report End

smitfiles.txt:

smitRem Â© log file
version 2.8

by noahdfear

Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 12/26/2005
The current time is: 12:43:08.66

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key

PSGuard.com key not present!

spyaxe uninstaller NOT present
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

wldr.dll
logfiles

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of explorer.exe

Starting registry repairs

Deleting files

Remaining Post-run Files

~~~ Program Files ~~~

~~~ Shortcuts ~~~

~~~ Favorites ~~~

~~~ system32 folder ~~~

~~~ Icons in System32 ~~~

~~~ Windows directory ~~~

~~~ Drive root ~~~

~~~ Miscellaneous Files/folders ~~~

~~~ Wininet.dll ~~~

CLEAN!

Panda:

Incident Status Location

Virus:W32/Locksky.M.worm Not disinfected C:\!KillBox\sysc.exe
Adware:adware/cws.searchmeup Not disinfected C:\new.exe
Adware:Adware/P2PNetworking Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq76.tmp
Virus:Trojan Horse.AP2 Not disinfected C:\WINDOWS\dll\services.exe
Virus:Trj/Winspy.A Not disinfected C:\WINDOWS\mscomm.exe
Virus:Trojan Horse.AP2 Not disinfected C:\WINDOWS\rij12.exe
Adware:adware/spysheriff Not disinfected C:\WINDOWS\SYSTEM32\desktop.html
Adware:Adware/Tubby Not disinfected C:\WINDOWS\SYSTEM32\MTC.ini
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\urqom.dll

by **amateur** » December 26th, 2005, 10:21 pm

Hi gnfnrs98,

Thank you for the logs.

We managed to get some baddies off but there is more. Let's work on the Vundo infection now. It may be a good idea if you print the instructions so that you'll have access to them at all times. Make sure that you read and understand the instructions before we start the fix so that you'll not have any problem following them, in the sequence they are given, and not missing anything. If you have any questions, please come back to this thread and ask before you start.

Before we start the vundo fix, I would like you to please click on Jotti

Use the "Browse" button and locate the following file on your computer:
C:\DOCUMENTS AND SETTINGS\Don\LOCAL SETTINGS\Temp\BellSouth\SSGet.exe
Click the "Submit" button.
Please copy and post the reply with the results
====================================================
Please download VundoFix.exe to your desktop.

VundoFix

Do not Use it Yet.

IMPORTANT

VundoFix

====================================================
Show hidden files following my earlier instructions.
====================================================
You already know how to boot into Safe Mode, but if you would like to refresh your memory, instructions can be found here
====================================================
Log off from the internet and disconnect your modem cable

IMPORTANT
Some real-time protection programs may warn you of a possibly malicious script being detected when you run VundoFix. Please allow it to run - it is necessary to complete the fix. Alternatively, disable any script blocking software you have running before you start. ( e.g. Microsoft antispyware , Spybot teatimer, Spyware Doctor, etc)

In your case we'll need to disable Spyware Doctor as it may interfere with the fixes that we are going to make.

Open Spyware Doctor and
Click the Onguard button to the left.
Remove the check from the "Activate OnGuard" option in the next window to disable all protection.

After all of the fixes are complete it is very important that you enable Real-time Protection again.
====================================================

Please reboot your computer into Safe Mode

Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
You will first be presented with a warning.
It should look like this
VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....
At this point press enter one time.
Next you will see:
Please Type in the filepath as instructed by the forum staff
and then press enter:
At this point please type the following file path (make sure to enter it exactly as below!):
Press Enter to continue with the fix.
Next you will see:
Please type in the second filepath as instructed by the forum
staff then press enter:
At this point please type the following file path (make sure to enter it exactly as below!):
Press Enter to continue with the fix.
The fix will run, then HijackThis will open. If it does not open automatically, please open it manually
In HiJackThis, please place a check next to the following items and click FIX CHECKED:

F2 - REG:system.ini: UserInit=userinit.exe,setup32.exe
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\urqom.dll
O4 - HKCU\..\Run: [Download] "C:\DOCUME~1\Don\LOCALS~1\Temp\BellSouth\SSGet.exe" 120 "http://download.fastaccess.com/download/HCUpgrade3.1.exe" "HCUpgrade3.1.exe" Log
O9 - Extra button: Microsoft AntiSpyware helper - {D2EABF44-8A32-4B2E-822F-642BB7979132} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D2EABF44-8A32-4B2E-822F-642BB7979132} - (no file) (HKCU)
O20 - Winlogon Notify: urqom - C:\WINDOWS\System32\urqom.dll

After you have fixed these items, close Hijackthis. Stay in Safe Mode.

===========================================
Still in Safe mode:
Open killbox.exe.
Click on Tools>Delete Temp Files
A box will open with a list of all user profiles.
Check the following boxes at a minimum for each profile by clicking on the drop down and checking the boxes that are enabled. Some will not apply and those boxes will not be available to check. Make sure you do this for all the profiles listed.

Temporary Internet Files
Temp Files
XP Prefetch

If you want to clean your cookies, history, and list of recent files run you may check those boxes as well.

Then, check on the Button titled "Delete Selected Temp Files"
Exit by clicking the Button titled "Exit (Save Settings)"

Once back into the main killbox program.

Check the following boxes:

Delete on Reboot

Highlight all the entries in the quote box below and then Copy them.

C:\new.exe
C:\WINDOWS\dll\services.exe
C:\WINDOWS\mscomm.exe
C:\WINDOWS\rij12.exe
C:\WINDOWS\SYSTEM32\desktop.html
C:\WINDOWS\SYSTEM32\MTC.ini
C:\WINDOWS\SYSTEM32\urqom.dll
C:\DOCUMEMENTS AND SETTINGS\Don\LOCALS~1\Temp\BellSouth\SSGet.exe
C:\WINDOWS\System32\urqom.dll

Then in killbox click File>Paste from Clipboard

At this point the "All Files" button should be enabled so you can click it.

Click the "All Files" button.

Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes

A second message will ask to Reboot now? you will need to clickNo at this point.

Note: Killbox will let you know if a file does not exist. If that happens, just continue on.

If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X ...and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click yes to allow the reboot.
====================================================
Still in Safe Mode run Ewido
Click on the Scanner button in the left menu, then click on Settings, and under "What to scan?", select "Every file" then click ok. Click on Complete System Scan. This scan can take quite a while to run.

If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.

When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again. Do Not Reboot.
===============================================
Reconnect to the internet
Then, please run Panda Active Scan.
===============================================
Restart your computer one more time. Scan with HijackThis and save the report.
Copy the result of the virus scan and paste them here along with the new HiJackThis log, the vundofix.txt file from the vundofix folder, Jotti scan result, and the Ewido report .

by **gnfnrs98** » January 1st, 2006, 11:46 pm

Thank you so much for all your help. I'm slow getting this done because of the holidays but here are the results of the logs from this round of fixes:

Virus scan:

Service
Service load: 0% 100%

File: SSGet.exe
Status: OK
MD5 fef125f56a809ede4fad6abeb9b9ed93
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VBA32 Found nothing

Hijackthis.log:

Logfile of HijackThis v1.99.1
Scan saved at 10:32:40 PM, on 1/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\BacsTray.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\BellSouth\Connection Manager\CManager.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\WINDOWS\nvsvc32.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\PdeSrv2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Don\My Documents\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
F2 - REG:system.ini: UserInit=userinit.exe,setup32.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\urqom.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SoundMax] C:\WINDOWS\System32\dll32\csrss.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe" /auto:TivoTransfer /registry /service
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /auto:TivoServer /registry /service
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {D2EABF44-8A32-4B2E-822F-642BB7979132} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D2EABF44-8A32-4B2E-822F-642BB7979132} - (no file) (HKCU)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O20 - Winlogon Notify: urqom - C:\WINDOWS\System32\urqom.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

vundofix.log:
VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\System32\urqom.dll

The second filepath entered was C:\WINDOWS\System32\moqru.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------

Killing PID 180 'smss.exe'

Error, Cannot find a process with an image name of explorer.exe

Killing PID 252 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\System32\urqom.dll Deleted sucessfully.
C:\WINDOWS\System32\moqru.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

ewido report:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:37:27 PM, 1/1/2006
+ Report-Checksum: C0506BB3

+ Scan result:

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP111\A0060169.exe -> Worm.Locksky.m : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP111\A0060170.exe -> Backdoor.Rbot : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP111\A0060171.exe -> Not-A-Virus.Hoax.Win32.EvidenceEliminator.a : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP111\A0060172.exe -> Not-A-Virus.Hoax.Win32.EvidenceEliminator.a : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP111\A0060173.exe -> Spyware.P2PNetworking : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP111\A0060174.exe -> Logger.VB.ec : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP111\A0060175.exe -> Not-A-Virus.Monitor.WinSpy.a : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP111\A0060176.exe -> Trojan.Small.cr : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP111\A0060177.exe -> Not-A-Virus.Monitor.WinSpy.d : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP111\A0060178.exe -> Logger.WinSpy.a : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP111\A0060179.exe -> Not-A-Virus.Monitor.WinSpy.b : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP111\A0060180.dll -> Downloader.Small.rr : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP111\A0060181.dll -> Trojan.Winspy.A : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP111\A0060182.dll -> Downloader.Agent.ga : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP111\A0060183.dll -> Downloader.Small.rr : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP111\A0060184.dll -> Not-A-Virus.Hoax.Win32.EvidenceEliminator.a : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP111\A0060185.exe -> Logger.WinSpy.a : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP111\A0060186.dll -> Downloader.Agent.kf : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP111\A0060187.exe -> Logger.WinSpy.a : Cleaned with backup

::Report End

by **amateur** » January 2nd, 2006, 11:06 am

Hi gnfnrs98,

Thanks for the logs. We are getting closer and closer to a clean machine.

Let's continue. Please read the instructions carefully. It would be a good idea to print it out so that you can have access to it when you are in Safe Mode.

=============================================
We need to show hidden files and folders.

Start>My Computer >Tools>Folder Options> View

Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Uncheck the Hide file extensions for known file types.
Click OK.

You will be prompted to reboot... choose NO
Close out of the Control Panel

============================================

Open Spyware Doctor and disable the real-time protection so that it will not interfere with the following fix.

" Click the Onguard button to the left.
" Remove the check from the "Activate OnGuard" option in the next window to disable all protection.

=============================================

Reboot in Safe Mode by restarting your computer and after the first 'beep' begin tapping on the F8 key. A black menu page will appear.
Use your arrow keys to choose Safe Mode (without networking!)
Click on the Enter key.
Your desktop will appear, although it will be very distorted. The words Safe Mode will be on each corner of the desktop.

============================================
Run HijackThis. Then, click on Scan. Close all other windows except HijackThis and put a check in front of the following:

F2 - REG:system.ini: UserInit=userinit.exe,setup32.exe

O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\urqom.dll (file missing)

O9 - Extra button: Microsoft AntiSpyware helper - {D2EABF44-8A32-4B2E-822F-642BB7979132} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {D2EABF44-8A32-4B2E-822F-642BB7979132} - (no file) (HKCU)

O20 - Winlogon Notify: urqom - C:\WINDOWS\System32\urqom.dll (file missing)

Click on "Fix checked". Stay on Safe Mode.

============================================

Still in Safe Mode, go to Start>Search>All Files and Folders and scrolldown using the scroll bar on the right. Go down to More advanced options.
Be sure the first three boxes are selected:
Search System folders
Search Hidden Files and folders
Search SubFolders
Type in and search for:
setup32.exe and Delete it, if found.

============================================

Restart your computer in Normal Mode now.

============================================

Then, please run Panda Active Scan.

===============================================
Restart your computer one more time. Scan with HijackThis and save the report.
Copy the result of the virus scan and paste it here along with the new HiJackThis log,

by **gnfnrs98** » January 7th, 2006, 1:35 pm

Here are the new logs:

Incident Status Location

Virus:Trj/Winspy.A Disinfected C:\!KillBox\mscomm.exe
Adware:Adware/Tubby Not disinfected C:\!KillBox\MTC.ini
Adware:Adware/MediaTickets Not disinfected C:\!KillBox\rij12.exe
Adware:Adware/MediaTickets Not disinfected C:\!KillBox\services.exe
Virus:W32/Locksky.M.worm Disinfected C:\!KillBox\sysc.exe
Spyware:Cookie/2o7.net Not disinfected C:\Documents and Settings\Don\Cookies\don@2o7[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Don\Cookies\don@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Don\Cookies\don@adrevolver[3].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Don\Cookies\don@advertising[2].txt
Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\Don\Cookies\don@adviva[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Don\Cookies\don@as-eu.falkag[1].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Don\Cookies\don@ask[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Don\Cookies\don@atdmt[2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Don\Cookies\don@banner[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Don\Cookies\don@belnk[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Don\Cookies\don@bluestreak[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Don\Cookies\don@casalemedia[1].txt
Spyware:Cookie/CentrPort Not disinfected C:\Documents and Settings\Don\Cookies\don@centrport[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Don\Cookies\don@dist.belnk[2].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Don\Cookies\don@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Don\Cookies\don@fastclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Don\Cookies\don@mediaplex[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Don\Cookies\don@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Don\Cookies\don@questionmarket[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Don\Cookies\don@realmedia[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Don\Cookies\don@sel.as-eu.falkag[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Don\Cookies\don@statse.webtrendslive[2].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\Don\Cookies\don@tradedoubler[1].txt
Spyware:Cookie/Valueclick Not disinfected C:\Documents and Settings\Don\Cookies\don@valueclick[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Don\Cookies\don@zedo[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Don\Desktop\smitRem\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Don\Desktop\VundoFix\VundoFix\process.exe
Adware:Adware/P2PNetworking Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq76.tmp
Spyware:Cookie/Clicktracks Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqB7.tmp
Spyware:Cookie/Zedo Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppqC8.tmp
HiJackThis:

Logfile of HijackThis v1.99.1
Scan saved at 12:28:00 PM, on 1/7/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\pctspk.exe
C:\WINDOWS\System32\BacsTray.exe
C:\Program Files\Dell\QuickSet\QuickSet.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe
C:\Program Files\TiVo\Desktop\TiVoServer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\WINDOWS\nvsvc32.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\BellSouth\Connection Manager\CManager.exe
C:\PROGRA~1\BROADJ~1\CORREC~1\CCD.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\PdeSrv2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Don\My Documents\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\QuickSet.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [VirusScan Online] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [SoundMax] C:\WINDOWS\System32\dll32\csrss.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TivoTransfer] "C:\Program Files\Common Files\TiVo Shared\Transfer\TivoTransfer.exe" /auto:TivoTransfer /registry /service
O4 - HKCU\..\Run: [TivoServer] "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /auto:TivoServer /registry /service
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Startup: Connection Manager.lnk = C:\Program Files\BellSouth\Connection Manager\CManager.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - TiVo Inc. - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

by **amateur** » January 7th, 2006, 2:21 pm

Hi gnfnrs,

Your log is clean. :thumbright:

Great job.

Just a little cleaning and tidying up, and you are all set to go.

=====================================
Cleaning prefetch and temp files

Navigate to C:\Windows\ Prefetch
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Navigate to C:\Windows\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

You need to do the following for all the users on this computer:

Navigate to C:\Documents and Settings\(EVERY LISTED USER)\Local Settings\Temp
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Clean out your Temporary Internet files. Proceed like this:

" Quit Internet Explorer and quit any instances of Windows Explorer.
" Click Start, click Control Panel, and then double-click Internet Options.
" On the General tab, click Delete Files under Temporary Internet Files.
" In the Delete Files dialog box, click to select the Delete all offline content check box , and then click OK.
" On the General tab, click Delete Cookies under Temporary Internet Files, and then click OK.
" Click on the Programs tab then click the Reset Web Settings button. Click Apply then OK.
" Click OK.

=================================
Navigate to C:\Program Files\Yahoo!\YPSR\Quarantine
Click Edit, click Select All, press the DELETE key, and then click Yes to confirm that you want to send all the items to the Recycle Bin.

Delete the following folders in bold from your desktop:

Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Don\Desktop\smitRem
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Don\Desktop\VundoFix

Navigate and delete the following folder in bold:
C:\!KillBox

EMPTY THE RECYCLE BIN

------------------------------------------------------------------------------------------------------------

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure.

Open Spyware Doctor and re-enable the real-time protection.

" Click the Onguard button to the left.
" Check from the "Activate OnGuard" option in the next window to enable all protection.
==================================================

Remember to hide your system files again.

Start>My Computer>Tools>Folder Options>View
Under the Hidden files and Folders heading uncheck Show hidden files and folders.
check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
check the Hide file extensions for known file types.
Click OK.
==================================================
Disable and Enable System Restore If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point. Because Windows regularly sets restorepoints, it's very possible that the malware, you have removed, is still present in the System Restore. If you put Windows back to such a restorepoint, this malware will be put back, as well.

This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)
1. Right-click My Computer, and then click Properties.
2. On the System Restore tab, put a check mark in the 'Turn Off System Restore' check box.
3. Click OK, and then click Yes.

4. Restart the computer.
5. Repeat steps 1 - 2, this time clearing the box beside 'Turn Off System Restore', click 'OK'.

Reboot in Normal Mode.

You can also find instructions on how to disable and re enable system restore here:
Windows XP System Restore Guide

And that's all. But to help protect you against further infections, and also to help prevent criminals using your computer to infect other people's computers on the web, I recommend the following: (You may already have some of the items)

Make your Internet Explorer more secure - This can be done by following these simple instructions:

From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialise and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Avoid illegal sites, because that's where most malware is present.

* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software; because most of these so called removers ARE spyware.
* Download free software only from sites you know and trust. Because a lot of free software can bundle other software, including spyware.

Keep your antivirus-program up-to-date and do regular scans with it. Please make sure that you have only one active antivirus program on your system.
If you haven't got a antivirus, you can download and install one of the following free ones: Make sure that you have only ONE antivirus running on your computer as more than one would cause conflict and render the computer vulnerable.

AntiVir here
AVG Free here
Avast here

It is essential to keep the anti-virus program fully updated. New virus infections are being produced all the time, and unless the program downloads the latest 'definitions', it cannot protect you against the newer versions. If you want to check for updates manually I'd recommended doing so at least once a week. However, a better option is to set the program to download and install updates automatically every time you are connected to the Internet. The first time you use it, please set it to perform a full system scan.
IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site <http://windowsupdate.microsoft.com/> to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to the Microsoft's Office Update site <http://office.microsoft.com/officeupdate/maincatalog.aspx?lc=en-us> and make sure you have at least all the critical updates installed (Free) Microsoft Office Update.

Keep your pestware-scanners up-to-date and do regular scans with them.

To keep your computer free of Spyware, Adware, Hijackers etc., download and install the following free pestware-scanners (if you haven't installed them allready):
AdAware here
Spybot here Remember to "immunize" after each update
Microsoft Antispyware here

Install realtime pestware-scanners and keep them up-to-date.

The following free realtime pestscanners prevent a number of malware-variants from entering your computer, in the first place:

SpywareBlaster here Remember to "enable all protection" after each update.
SpywareGuard here

If you haven't got one, already, install a firewall and keep it up-to-date. Please make sure that you have only one active firewall on your system.

A firewall will prevent unauthorized contact between your computer and internet.
If there is no firewall installed on your computer, you can download and install one of the following free firewalls:
ZoneAlarm here
Sygate here
Kerio Personal Firewall (Will be discontinued as from the end of 2005) here
Outposthere
Important: (Windows XP only) If you install a firewall, be sure to turn off the WinXP-firewall!

Test your firewall here to make sure that it's working properly

Install these programs, to make surfing with Internet Explorer safer:

A popup-blocker, f.e. Google Toolbar here: A popup-blocker prevents popup-windows from opening, when you come along a websites that uses them, during internet-surfing.

IE-SPYAD here: This utility adds a long list of known bad sites to Internet Explorer's Restricted Sites zone. This prevents those sites from executing their malicious programs on your computer.

SiteHound by Firetrust
here:

Firetrust introduces the SiteHound Toolbar - the safe way to browse the Internet. With SiteHound, when you browse the Internet, you're shown a warning page every time you go to a site which is a known scam, potentially loads viruses or spyware on to your computer, has questionable content or anything you would not consider reasonable. You are shown a warning page with information about that site. From there you can choose to enter the site or go back. SiteHound is a free add-on to Internet Explorer. (Users of Firefox - a version for you is coming soon.) SiteHound's comprehensive database gathers the knowledge from other users and respected experts from the online security community to tell you which sites are real and which are bogus.

SiteHound will alert you when you enter a site which is known to contain:
Â· Fraudulent claims or scams
Â· Offensive material
Â· Security vulnerabilities
Â· Spyware or Adware
Â· Spam related material
Â· or other content deemed to be unsafe
Specifically, SiteHound blocks these categories:

â€¢ Adult â€¢ Spyware â€¢ Spam Advertising â€¢ Phishing â€¢ Possible scam or fraud â€¢ Misleading or False Advertising
â€¢ Pharming â€¢ Rogue or Suspect Product â€¢ Adware â€¢ Malware or Virus

System Requirements:
Internet Explorer 5.5+ and Windows 95/98/NT 4/ME/2000/XP

Install and use an alternative browser to surf on the internet.

Because Internet Explorer is the most-used browser on the planet, most of the hijackers, adware and spyware are made to abuse your computer thru Internet Explorer.
Here are some good alternative browsers:
Mozilla Suite here
Mozilla Firefox here
Opera here
Netscape here
Important: You can not uninstall Internet Explorer.
First of all, it's part of Windows and you'll need it to download and install Windows Updates.
Secondly, There are some sites that are only accessable with Internet Explorer, fe. most of the Online Malware-scanners.

But above all, keep all your software UP-TO-DATE at all time!!

Enjoy your surfing

by **gnfnrs98** » January 8th, 2006, 10:50 pm

Thank you for all your help in getting this cleaned up!!!!

by **amateur** » January 8th, 2006, 11:15 pm

Hi gnfnrs98,

You are welcome. Glad we could help.

by **NonSuch** » January 10th, 2006, 4:26 am

Glad we could be of assistance.

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.

Free Malware Removal Forum

Infected - Please help1

Infected - Please help1

Here are the new logs...

new logs

New Logs

Thank you

Who is online