
qoologic, cmdservice and other ohhh my



dabagboy
2006-01-31, 19:53
I'm losing my mind with popups and worries about keyloggers...

I have a hijacker on board and cannot seem to kill it no matter what I try.

I've run Spybot, HijackThis, Ewido, ATF-Cleaner, Find-Qoologic and KillBox; Panda online won't run?

Tried to run most of them in safe mode... KillBox won't run in safe mode? and doesn't seem to kill anything?

Tried to delete the Qoologic files several times myself: "Access denied..."

Funny, Norton in safe mode finds nothing (that useless piece of sh....)

My logs...

Logfile of HijackThis v1.99.1
Scan saved at 8:13:20 AM, on 1/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\TWFzb24gR2lsbA\command.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Mercora\MercoraClient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\mgill\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Mercora] "C:\Program Files\Mercora\MercoraClient.exe" -startup
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [AccuWeatherDesktopAlerts] C:\Program Files\AccuWeatherDesktopAlerts\AccuWeatherDesktopAlerts.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.pcso-ntp
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PCSO-DOM.local
O17 - HKLM\Software\..\Telephony: DomainName = PCSO-DOM.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PCSO-DOM.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PCSO-DOM.local
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - AppInit_DLLs: repairs302972988.dll
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\sie.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWFzb24gR2lsbA\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DM1Service - OLYMPUS OPTICAL CO.,LTD - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Find Qoologic last edited 01/08/2006
Running from
C:\Documents and Settings\mgill\Desktop\Malware removal tools\Find-Qoologic\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»» Search by size and name»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

C:\WINDOWS\SYSTEM32\KYPKKA.EXE
C:\WINDOWS\SYSTEM32\VQWVV.DAT
C:\WINDOWS\SYSTEM32\LGKLL.DLL
C:\WINDOWS\SYSTEM32\AQIAAPE.DLL
C:\WINDOWS\SYSTEM32\CKJCCVF.EXE
C:\WINDOWS\SYSTEM32\VQWVV.DAT
C:\WINDOWS\SYSTEM32\KYPKKA.EXE
C:\WINDOWS\PBNPPC.DAT
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\IPOI.EXE
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]
@="{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

--
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qgmqqyfg]
@="{5a53a267-2214-458d-921c-8097d78027cf}"

[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebNexus]
.....
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsync"="C:\\WINDOWS\\system32\\kypkka.exe reg_run"
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]

------------------------------------------------------------------------------------------------------------------------

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:23:35 AM, 1/31/2006
+ Report-Checksum: D1569031

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{3643ABC2-21BF-46B9-B230-F247DB0C6FD6} -> Spyware.E2Give : Error during cleaning
HKLM\SOFTWARE\Classes\IeBHOs.Control.1 -> Spyware.E2G : Error during cleaning
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick -> Spyware.SurfSide : Error during cleaning
[788] C:\WINDOWS\system32\repairs302972988.dll -> Adware.SurfSide : Error during cleaning
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ipoi.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\Program Files\NewDotNet -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\NewDotNet\newdotnet7_22.dll -> Adware.NewDotNet : Error during cleaning
C:\Program Files\SurfSideKick 3 -> Adware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\Ssk.exe -> Adware.SurfSide : Error during cleaning
C:\Program Files\SurfSideKick 3\SskBho.dll -> Adware.SurfSide : Error during cleaning
C:\Program Files\SurfSideKick 3\SskCore.dll -> Adware.SurfSide : Error during cleaning
C:\Program Files\TheSearchAccelerator\IUCmore.dll -> Spyware.UCmore : Error during cleaning
C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll -> Spyware.UCmore : Error during cleaning
C:\WINDOWS\myupdates.exe -> Downloader.Adload.l : Error during cleaning
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Error during cleaning
C:\WINDOWS\SYSTEM32\0s0s0raw.dll -> Adware.Sud : Error during cleaning
C:\WINDOWS\SYSTEM32\aqiaape.dll -> Downloader.Qoologic.az : Error during cleaning
C:\WINDOWS\SYSTEM32\ckjccvf.exe -> Trojan.Pakes : Error during cleaning
C:\WINDOWS\SYSTEM32\d20mlcd11f0.dll -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\SYSTEM32\docdll.dll -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\SYSTEM32\guard.tmp -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\SYSTEM32\hpsw.exe -> Adware.Suggestor : Error during cleaning
C:\WINDOWS\SYSTEM32\hr4s05h7e.dll -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\SYSTEM32\kypkka.exe -> Downloader.Qoologic.at : Error during cleaning
C:\WINDOWS\SYSTEM32\lgkll.dll -> Downloader.Small : Error during cleaning
C:\WINDOWS\SYSTEM32\mdftedit.dll -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\SYSTEM32\paytime.exe -> Hijacker.StartPage.adi : Error during cleaning
C:\WINDOWS\SYSTEM32\pi1_58.exe -> Downloader.Small.bue : Error during cleaning
C:\WINDOWS\SYSTEM32\repairs302972988.dll -> Adware.SurfSide : Error during cleaning
C:\WINDOWS\SYSTEM32\rif_32.dll -> Logger.Agent.gk : Error during cleaning
C:\WINDOWS\SYSTEM32\rif_32.exe -> Logger.Agent.gk : Error during cleaning
C:\WINDOWS\SYSTEM32\vqwvv.dat -> Downloader.Qoologic.at : Error during cleaning
C:\WINDOWS\SYSTEM32\wgse.exe -> Trojan.Runner.h : Error during cleaning
C:\WINDOWS\tool2.exe -> Not-A-Virus.Hoax.Win32.Renos.az : Error during cleaning
C:\WINDOWS\toolbar.exe -> Downloader.Adload.j : Error during cleaning
C:\WINDOWS\TWFzb24gR2lsbA\command.exe -> Adware.CommAd : Error during cleaning


::Report End
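
Reading the three logs together is what explains the failed manual deletes: the files ewido reports as "Error during cleaning" are either loaded as a service (command.exe appears both in the running-process list and in the O23 line) or injected into every process through AppInit_DLLs (repairs302972988.dll, which ewido also caught in memory as "[788]"). The script below is an added example, not code from this thread, from HijackThis or from ewido; it automates that cross-check over a few lines copied from the logs above. It assumes the bracketed number ewido prints is the PID of an in-memory hit, and its O18/O20/O23 rules are generic hijack points, not HijackThis's own logic.

```python
"""Cross-reference a HijackThis log with an ewido report (added example, not
either tool's code): which autostart entries point at files the scanner named,
whether that file is still running or loaded (why deletion gets "Access denied"
and ewido says "Error during cleaning"), and which hijack points need review."""
import re
from collections import namedtuple

# Sample input: lines copied (abridged) from the two logs posted above.
HJT_LOG = r"""
Running processes:
C:\WINDOWS\TWFzb24gR2lsbA\command.exe

O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O18 - Filter: text/html - {2F6E85DC-8D2D-4896-8A4F-7DF8A7B1749D} - C:\PROGRA~1\Jalmp\jalmp.dll
O20 - AppInit_DLLs: repairs302972988.dll
O20 - Winlogon Notify: OemStartMenuData - C:\WINDOWS\system32\sie.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWFzb24gR2lsbA\command.exe
"""
EWIDO_REPORT = r"""
[788] C:\WINDOWS\system32\repairs302972988.dll -> Adware.SurfSide : Error during cleaning
C:\Program Files\NewDotNet\newdotnet7_22.dll -> Adware.NewDotNet : Error during cleaning
C:\Program Files\SurfSideKick 3 -> Adware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\Ssk.exe -> Adware.SurfSide : Error during cleaning
C:\WINDOWS\SYSTEM32\repairs302972988.dll -> Adware.SurfSide : Error during cleaning
C:\WINDOWS\TWFzb24gR2lsbA\command.exe -> Adware.CommAd : Error during cleaning
"""

Detection = namedtuple("Detection", "path name status in_memory")  # in_memory: assumes "[788]" is the PID of an in-memory hit
ENTRY_RE = re.compile(r"^([RFO]\d+) - (.+)$")
EWIDO_RE = re.compile(r"^(?:\[(\d+)\]\s+)?(.+?) -> (\S+) : (.+)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|dat|tmp|sys)\b', re.I)
STRUCTURAL = [  # hijack points worth a look even when no scanner named the file
    (lambda c, r: c == "O18" and "text/html" in r, "MIME filter: every HTML page IE renders passes through this DLL"),
    (lambda c, r: c == "O20", "AppInit_DLLs / Winlogon Notify: loaded into every GUI process or into winlogon"),
    (lambda c, r: c == "O23" and "Unknown owner" in r, "service binary carries no publisher information"),
]

def parse_ewido(text):
    """Lower-cased path -> Detection; on-disk and in-memory hits for one file are merged."""
    out = {}
    for m in filter(None, map(EWIDO_RE.match, map(str.strip, text.splitlines()))):
        pid, path, name, status = m.groups()
        prev = out.get(path.lower())
        out[path.lower()] = Detection(path, name, status.strip(), bool(pid) or bool(prev and prev.in_memory))
    return out

def parse_hjt(text):
    """Return (running process paths, [(entry code, rest of line), ...])."""
    processes, entries, in_procs = [], [], False
    for line in map(str.strip, text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif in_procs:
            in_procs = bool(line)          # a blank line ends the process list
            if line:
                processes.append(line)
        elif ENTRY_RE.match(line):
            entries.append(ENTRY_RE.match(line).groups())
    return processes, entries

def match_detection(path, detections):
    """Exact path, bare file name (AppInit_DLLs values), or a file under a flagged directory."""
    key = path.lower()
    if key in detections:
        return detections[key]
    for det in detections.values():
        dpath = det.path.lower()
        if ("\\" not in key and dpath.rsplit("\\", 1)[-1] == key) or key.startswith(dpath + "\\"):
            return det
    return None

def triage(hjt_text, ewido_text):
    """List of (HijackThis line, [reasons]) for every entry worth acting on."""
    detections = parse_ewido(ewido_text)
    processes, entries = parse_hjt(hjt_text)
    running = {p.lower() for p in processes}
    findings = []
    for code, rest in entries:
        reasons = [why for test, why in STRUCTURAL if test(code, rest)]
        candidates = PATH_RE.findall(rest)
        if code == "O20" and rest.startswith("AppInit_DLLs:"):   # values are bare names, not paths
            candidates += [n for n in re.split(r"[,\s]+", rest.split(":", 1)[1]) if n]
        for path in candidates:
            det = match_detection(path, detections)
            if det is None:
                continue   # e.g. 8.3 short names (PROGRA~1) never match the long paths ewido prints
            reasons.append(f"scanner flagged {det.path} as {det.name} ({det.status})")
            if path.lower() in running or det.in_memory:
                reasons.append("file is running or loaded: stop the process/service first or delete "
                               "on reboot; a plain delete gets 'Access denied'")
        if reasons:
            findings.append((f"{code} - {rest}", reasons))
    return findings

if __name__ == "__main__":
    for line, reasons in triage(HJT_LOG, EWIDO_REPORT):
        print(line, *("\n   - " + r for r in reasons))
```

Note what it deliberately does not catch: the New.net O4 entry is written with 8.3 short names (PROGRA~1\NEWDOT~1\NEWDOT~2.DLL) while ewido reports the long path, so no match is made; on the affected machine `dir /x` in that directory gives the mapping. The entries it does flag line up with the advice later in the thread: stop the service or work from safe mode before trying to delete.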

dabagboy
2006-01-31, 19:54
PS: nosing around here I ran L2MFix and the log is...

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\kt0sl7d71.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{28C1850A-4133-5C6A-3762-840224F7C96E}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{5a61f7a0-cde1-11cf-9113-00aa00425c62}"="IIS Shell Extension"
"{7CDDBD23-1B50-47b2-B28D-1B84D9A40ED1}"="Sony Digital Voice File Shell Extention Module"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{7D5C4BDD-B015-4401-8731-1507B87DE297}"="QBVersionTool"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{8A0BC9D8-296B-4294-BE97-D6E014C45373}"=""
"{88F83261-C87A-4FBD-8262-40008920D465}"=""
"{BD93DCFC-2712-4519-997E-0B882F938C52}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8A0BC9D8-296B-4294-BE97-D6E014C45373}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{8A0BC9D8-296B-4294-BE97-D6E014C45373}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8A0BC9D8-296B-4294-BE97-D6E014C45373}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8A0BC9D8-296B-4294-BE97-D6E014C45373}\InprocServer32]
@="C:\\WINDOWS\\system32\\MDRDO20.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{88F83261-C87A-4FBD-8262-40008920D465}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{88F83261-C87A-4FBD-8262-40008920D465}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{88F83261-C87A-4FBD-8262-40008920D465}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{88F83261-C87A-4FBD-8262-40008920D465}\InprocServer32]
@="C:\\WINDOWS\\system32\\wonbrand.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BD93DCFC-2712-4519-997E-0B882F938C52}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BD93DCFC-2712-4519-997E-0B882F938C52}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BD93DCFC-2712-4519-997E-0B882F938C52}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BD93DCFC-2712-4519-997E-0B882F938C52}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
0s0s0raw.dll Mon Jan 30 2006 11:40:32a A.... 22,016 21.50 K
0s0skl6a.dll Mon Jan 30 2006 11:40:32a A.... 44,544 43.50 K
aqiaape.dll Tue Jan 31 2006 12:49:46p A.... 67,072 65.50 K
atmtd.dll Mon Jan 30 2006 1:01:36p A.... 687,592 671.48 K
browseui.dll Wed Nov 23 2005 8:06:34p A.... 1,022,464 998.50 K
d20mlc~1.dll Mon Jan 30 2006 1:19:22p ..S.R 234,272 228.78 K
danim.dll Fri Nov 4 2005 10:16:24p A.... 1,054,208 1.00 M
gdi32.dll Wed Dec 28 2005 9:54:36p A.... 280,064 273.50 K
hr4s05~1.dll Tue Jan 31 2006 9:40:06a ..S.R 235,623 230.10 K
ilspolcy.dll Tue Jan 31 2006 12:13:16p ..S.R 236,852 231.30 K
k0pmla~1.dll Tue Jan 31 2006 12:14:16p ..S.R 236,852 231.30 K
kt0sl7~1.dll Tue Jan 31 2006 12:12:32p ..S.R 234,878 229.37 K
lgkll.dll Tue Jan 31 2006 12:49:46p A.... 24,064 23.50 K
mdftedit.dll Mon Jan 30 2006 11:48:56a ..S.R 234,272 228.78 K
mshtml.dll Wed Nov 23 2005 8:06:34p A.... 3,015,680 2.88 M
repair~1.dll Mon Jan 30 2006 11:42:02a A.... 85,504 83.50 K
rif_32.dll Mon Jan 30 2006 12:55:18p A.... 52,224 51.00 K
shdocvw.dll Wed Nov 30 2005 10:59:30p A.... 1,492,480 1.42 M
sporder.dll Mon Jan 30 2006 11:42:16a A.... 8,464 8.27 K
urlmon.dll Fri Nov 4 2005 10:16:28p A.... 609,280 595.00 K
wonbrand.dll Tue Jan 31 2006 12:49:34p ..S.R 234,878 229.37 K

21 items found: 21 files (7 H/S), 0 directories.
Total of file sizes: 10,113,283 bytes 9.64 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is FC63-D5C0

Directory of C:\WINDOWS\System32

01/31/2006 12:49 PM 234,878 wonbrand.dll
01/31/2006 12:14 PM 236,852 k0pmla711d.dll
01/31/2006 12:13 PM 236,852 ILSPOLCY.DLL
01/31/2006 12:12 PM 234,878 kt0sl7d71.dll
01/31/2006 09:40 AM 235,623 hr4s05h7e.dll
01/30/2006 01:19 PM 234,272 d20mlcd11f0.dll
01/30/2006 11:48 AM 234,272 mdftedit.dll
06/27/2005 01:24 PM <DIR> DLLCACHE
07/18/2003 08:22 PM <DIR> Microsoft
7 File(s) 1,647,627 bytes
2 Dir(s) 107,593,986,048 bytes free

LonnyRJones
2006-02-01, 01:09
Hi dabagboy

Run option two in L2mfix
Close any programs you have open since this step requires a reboot.
Close the internet connection; unplug your modem if on cable or satellite!
From the l2mfix folder on your desktop, double-click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter. It will process, then start. Your desktop and icons will disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, it will be ready for a reboot.
Press any key to reboot. After the reboot notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.


In Windows Control Panel, Add/Remove Programs, uninstall these programs if they are there:
E2give Plug-in
Network Monitor
Quicklinks
Surf SideKick
TSA
UCmore - The Search Accelerator
Uinstall Aze Bar
New.net Domains 7.22

Note: don't use >> Command and DH

dabagboy
2006-02-01, 03:00
Hi dabagboy
...............
Note: don't use >> Command and DH

Thanks, I will try this all when I get back to the office Weds.

What do you mean "Command and DH"?

LonnyRJones
2006-02-01, 03:15
Hi
Don't try Command's uninstall nor DH if they are there

Ewido and Spybot run while the PC is in safe mode will get Qoologic; while they are scanning do not open any folders.
Do run them in safe mode please (one at a time)

dabagboy
2006-02-01, 14:08
Hi
Don't try Command's uninstall nor DH if they are there

Ewido and Spybot, run while the PC is in safe mode, will get Qoologic; while they are scanning, do not open any folders
Do run them in safe mode please (one at a time)

I've never heard of DH? so I guess it is not there?

When you say "EWIDO and Spyboot will get qoologic" do you mean detect or become infected?

LonnyRJones
2006-02-01, 14:25
Hi

They can remove it if run while in safe mode while not opening any folders ;)

dabagboy
2006-02-01, 16:39
For some reason none of the programs are running after reboot?

I ran L2MFix -- it said it would run again on reboot; it didn't... then I ran it again in safe mode; it said it would run after reboot; it didn't.

I ran Spybot in safe mode; it said it would run again after reboot; it didn't.

I ran EWIDO in safe mode; it said it would run again after reboot; it didn't.
my logs....

L2mfix 010406

Creating Account.

System error 5 has occurred.

Access is denied.
Adding Administrative privleges.
Checking for L2MFix account(0=no 1=yes):
0
Granting SeDebugPrivilege to L2MFIX OpenPolicy:

***Error*** OpenPolicy -1073741790
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
zip warning: name not matched: dlls\*.*

zip error: Nothing to do! (backup.zip)
updating: backregs/notibac.reg (164 bytes security) (deflated 72%)


L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\kt0sl7d71.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{28C1850A-4133-5C6A-3762-840224F7C96E}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{5E44E225-A408-11CF-B581-008029601108}"="Adaptec DirectCD Shell Extension"
"{5a61f7a0-cde1-11cf-9113-00aa00425c62}"="IIS Shell Extension"
"{7CDDBD23-1B50-47b2-B28D-1B84D9A40ED1}"="Sony Digital Voice File Shell Extention Module"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{7D5C4BDD-B015-4401-8731-1507B87DE297}"="QBVersionTool"
"{21569614-B795-46b1-85F4-E737A8DC09AD}"="Shell Search Band"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{8A0BC9D8-296B-4294-BE97-D6E014C45373}"=""
"{88F83261-C87A-4FBD-8262-40008920D465}"=""
"{BD93DCFC-2712-4519-997E-0B882F938C52}"=""

***********
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8A0BC9D8-296B-4294-BE97-D6E014C45373}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{8A0BC9D8-296B-4294-BE97-D6E014C45373}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8A0BC9D8-296B-4294-BE97-D6E014C45373}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8A0BC9D8-296B-4294-BE97-D6E014C45373}\InprocServer32]
@="C:\\WINDOWS\\system32\\MDRDO20.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{88F83261-C87A-4FBD-8262-40008920D465}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{88F83261-C87A-4FBD-8262-40008920D465}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{88F83261-C87A-4FBD-8262-40008920D465}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{88F83261-C87A-4FBD-8262-40008920D465}\InprocServer32]
@="C:\\WINDOWS\\system32\\wonbrand.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BD93DCFC-2712-4519-997E-0B882F938C52}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BD93DCFC-2712-4519-997E-0B882F938C52}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BD93DCFC-2712-4519-997E-0B882F938C52}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BD93DCFC-2712-4519-997E-0B882F938C52}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
0s0s0raw.dll Mon Jan 30 2006 11:40:32a A.... 22,016 21.50 K
0s0skl6a.dll Mon Jan 30 2006 11:40:32a A.... 44,544 43.50 K
aqiaape.dll Tue Jan 31 2006 12:49:46p A.... 67,072 65.50 K
atmtd.dll Mon Jan 30 2006 1:01:36p A.... 687,592 671.48 K
browseui.dll Wed Nov 23 2005 8:06:34p A.... 1,022,464 998.50 K
d20mlc~1.dll Mon Jan 30 2006 1:19:22p ..S.R 234,272 228.78 K
danim.dll Fri Nov 4 2005 10:16:24p A.... 1,054,208 1.00 M
gdi32.dll Wed Dec 28 2005 9:54:36p A.... 280,064 273.50 K
hr4s05~1.dll Tue Jan 31 2006 9:40:06a ..S.R 235,623 230.10 K
ilspolcy.dll Tue Jan 31 2006 12:13:16p ..S.R 236,852 231.30 K
k0pmla~1.dll Tue Jan 31 2006 12:14:16p ..S.R 236,852 231.30 K
kt0sl7~1.dll Tue Jan 31 2006 12:12:32p ..S.R 234,878 229.37 K
lgkll.dll Tue Jan 31 2006 12:49:46p A.... 24,064 23.50 K
mdftedit.dll Mon Jan 30 2006 11:48:56a ..S.R 234,272 228.78 K
mshtml.dll Wed Nov 23 2005 8:06:34p A.... 3,015,680 2.88 M
repair~1.dll Mon Jan 30 2006 11:42:02a A.... 85,504 83.50 K
rif_32.dll Mon Jan 30 2006 12:55:18p A.... 52,224 51.00 K
shdocvw.dll Wed Nov 30 2005 10:59:30p A.... 1,492,480 1.42 M
sporder.dll Mon Jan 30 2006 11:42:16a A.... 8,464 8.27 K
urlmon.dll Fri Nov 4 2005 10:16:28p A.... 609,280 595.00 K
wonbrand.dll Tue Jan 31 2006 12:49:34p ..S.R 234,878 229.37 K

21 items found: 21 files (7 H/S), 0 directories.
Total of file sizes: 10,113,283 bytes 9.64 M
Locate .tmp files:

No matches found.
************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is FC63-D5C0

Directory of C:\WINDOWS\System32

01/31/2006 12:49 PM 234,878 wonbrand.dll
01/31/2006 12:14 PM 236,852 k0pmla711d.dll
01/31/2006 12:13 PM 236,852 ILSPOLCY.DLL
01/31/2006 12:12 PM 234,878 kt0sl7d71.dll
01/31/2006 09:40 AM 235,623 hr4s05h7e.dll
01/30/2006 01:19 PM 234,272 d20mlcd11f0.dll
01/30/2006 11:48 AM 234,272 mdftedit.dll
06/27/2005 01:24 PM <DIR> DLLCACHE
07/18/2003 08:22 PM <DIR> Microsoft
7 File(s) 1,647,627 bytes
2 Dir(s) 107,593,986,048 bytes free

-------------------------------------------------------------

continued in next post...
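
The find log above shows the three places this infection anchors itself: a Winlogon\Notify subkey ("Control Panel") whose DllName points at a random-named DLL, CLSIDs whose InprocServer32 resolves to another such DLL or to guard.tmp and which sit in the Shell Extensions\Approved list with a blank name, and the ..S.R (system, read-only) files with fresh timestamps in System32 that the listing counts as "H/S". The script below is an added example, not L2MFix code or anything posted in this thread; it parses that log format and pulls those indicators out so a helper can see them at a glance. The sample log text is a constructed excerpt of the posted log, the scan time and the seven-day "recent" window are assumptions, and the 8.3 short-name matching (kt0sl7~1.dll against kt0sl7d71.dll) is a heuristic.

```python
"""Flag Look2Me-style persistence indicators in an L2MFix 'find log'.

Added example, not part of L2MFix or of this thread. It parses the log text
format posted above: Winlogon Notify subkeys that carry a DllName, CLSID
InprocServer32 servers that look planted, and recently modified ..S.R files.
"""
import re
from datetime import datetime, timedelta

# Constructed excerpt modelled on the posted find log (not the full log).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"DllName"=""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel]
"DllName"="C:\\WINDOWS\\system32\\kt0sl7d71.dll"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{8A0BC9D8-296B-4294-BE97-D6E014C45373}"=""
"{BD93DCFC-2712-4519-997E-0B882F938C52}"=""
[HKEY_CLASSES_ROOT\CLSID\{8A0BC9D8-296B-4294-BE97-D6E014C45373}\InprocServer32]
@="C:\\WINDOWS\\system32\\MDRDO20.DLL"
[HKEY_CLASSES_ROOT\CLSID\{BD93DCFC-2712-4519-997E-0B882F938C52}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
browseui.dll Wed Nov 23 2005 8:06:34p A.... 1,022,464 998.50 K
kt0sl7~1.dll Tue Jan 31 2006 12:12:32p ..S.R 234,878 229.37 K
mdftedit.dll Mon Jan 30 2006 11:48:56a ..S.R 234,272 228.78 K
wonbrand.dll Tue Jan 31 2006 12:49:34p ..S.R 234,878 229.37 K
"""
SCAN_TIME = datetime(2006, 2, 1)  # assumed time of the posted scan

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:@|"([^"]+)")="(.*)"$')
FILE_RE = re.compile(
    r"^(?P<name>\S+)\s+\w{3}\s+(?P<mtime>\w{3}\s+\d{1,2}\s+\d{4}\s+\d{1,2}:\d{2}:\d{2}[ap])"
    r"\s+(?P<attrs>[A-Z.]{5})\s+(?P<size>[\d,]+)\b")


def _mtime(text):
    """'Jan 31 2006 12:12:32p' -> datetime; the log writes a/p for AM/PM."""
    text = re.sub(r"\s+", " ", text)
    return datetime.strptime(text[:-1] + ("AM" if text[-1] == "a" else "PM"),
                             "%b %d %Y %I:%M:%S%p")


def parse_registry(lines):
    """Return (notify_dlls, unnamed_approved_clsids, inproc_servers) from the .reg text."""
    notify, unnamed, inproc, key = {}, set(), {}, None
    for line in lines:
        if m := KEY_RE.match(line):
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, value, low = m.group(1) or "@", m.group(2).replace("\\\\", "\\"), key.lower()
        if "\\winlogon\\notify" in low and name == "DllName" and value:
            notify[key.rsplit("\\", 1)[-1]] = value          # Notify subkey loading a DLL
        elif low.endswith("\\shell extensions\\approved") and name.startswith("{") and not value:
            unnamed.add(name.upper())                        # approved extension with no name
        elif low.endswith("\\inprocserver32") and name == "@":
            inproc[re.search(r"\{[0-9a-f-]+\}", low).group(0).upper()] = value
    return notify, unnamed, inproc


def parse_files(lines):
    """Rows of the 'Files Found' listing as dicts (name, mtime, attrs, size)."""
    rows = []
    for line in lines:
        if m := FILE_RE.match(line.strip()):
            rows.append({"name": m["name"].lower(), "mtime": _mtime(m["mtime"]),
                         "attrs": m["attrs"], "size": int(m["size"].replace(",", ""))})
    return rows


def same_file(listed, full):
    """Match a DOS 8.3 short name like 'kt0sl7~1.dll' against 'kt0sl7d71.dll' (heuristic)."""
    listed, full = listed.lower(), full.lower()
    stem, _, ext = listed.rpartition(".")
    if "~" in stem:
        return full.startswith(stem.split("~")[0]) and full.endswith("." + ext)
    return listed == full


def analyze(log_text, scan_time=SCAN_TIME, recent_days=7):
    """Indicators a Look2Me clean-up would act on (the 7-day window is an assumption)."""
    lines = log_text.splitlines()
    notify, unnamed, inproc = parse_registry(lines)
    # ..S.R = system and read-only bits set: the rows the log counts as "H/S"
    sysr = [f for f in parse_files(lines) if f["attrs"][2] == "S" and f["attrs"][4] == "R"]

    def planted(path):
        base = path.rsplit("\\", 1)[-1]
        return path.lower().endswith(".tmp") or any(same_file(f["name"], base) for f in sysr)

    return {"notify_dlls": notify,
            "inproc_suspect": {c: p for c, p in inproc.items() if c in unnamed or planted(p)},
            "recent_sysr": sorted(f["name"] for f in sysr
                                  if scan_time - f["mtime"] <= timedelta(days=recent_days))}
```

Run against the excerpt, `analyze(SAMPLE_LOG)` names the "Control Panel" Notify DLL, both planted CLSIDs (one because its InprocServer32 is a .tmp, the other because its Approved entry has no name) and the three ..S.R DLLs written in the two days before the scan, while browseui.dll, a legitimate file in the same listing, is left alone. The Approved-with-blank-name test is what separates MDRDO20.DLL from the dozens of normal entries in the same key.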

dabagboy
2006-02-01, 16:40
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:53:21 AM, 2/1/2006
+ Report-Checksum: 85B42CAE

+ Scan result:

C:\WINDOWS\myupdates.exe -> Downloader.Adload.l : Error during cleaning
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Error during cleaning
C:\WINDOWS\SYSTEM32\0s0s0raw.dll -> Adware.Sud : Error during cleaning
C:\WINDOWS\SYSTEM32\aqiaape.dll -> Downloader.Qoologic.az : Error during cleaning
C:\WINDOWS\SYSTEM32\CBMMDLG.DLL -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\SYSTEM32\ckjccvf.exe -> Trojan.Pakes : Error during cleaning
C:\WINDOWS\SYSTEM32\d20mlcd11f0.dll -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\SYSTEM32\drvenum.dll -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\SYSTEM32\f40oled31h0.dll -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\SYSTEM32\guard.tmp -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\SYSTEM32\hpsw.exe -> Adware.Suggestor : Error during cleaning
C:\WINDOWS\SYSTEM32\hr4s05h7e.dll -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\SYSTEM32\i8loli3318.dll -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\SYSTEM32\ILSPOLCY.DLL -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\SYSTEM32\kypkka.exe -> Downloader.Qoologic.at : Error during cleaning
C:\WINDOWS\SYSTEM32\lgkll.dll -> Downloader.Small : Error during cleaning
C:\WINDOWS\SYSTEM32\mdftedit.dll -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\SYSTEM32\msricons.dll -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\SYSTEM32\p0n8la5u1d.dll -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\SYSTEM32\paytime.exe -> Hijacker.StartPage.adi : Error during cleaning
C:\WINDOWS\SYSTEM32\pi1_58.exe -> Downloader.Small.bue : Error during cleaning
C:\WINDOWS\SYSTEM32\rif_32.dll -> Logger.Agent.gk : Error during cleaning
C:\WINDOWS\SYSTEM32\rif_32.exe -> Logger.Agent.gk : Error during cleaning
C:\WINDOWS\SYSTEM32\rmmps.dll -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\SYSTEM32\UARV80A.DLL -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\SYSTEM32\uilmon.dll -> Spyware.Look2Me : Error during cleaning
C:\WINDOWS\SYSTEM32\vqwvv.dat -> Downloader.Qoologic.at : Error during cleaning
C:\WINDOWS\SYSTEM32\wgse.exe -> Trojan.Runner.h : Error during cleaning
C:\WINDOWS\tool2.exe -> Not-A-Virus.Hoax.Win32.Renos.az : Error during cleaning
C:\WINDOWS\toolbar.exe -> Downloader.Adload.j : Error during cleaning
C:\WINDOWS\TWFzb24gR2lsbA\command.exe -> Adware.CommAd : Error during cleaning


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 10:40:02 AM, on 2/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Mercora\MercoraClient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\PROGRA~1\MICROS~2\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\mgill\Desktop\Malware removal tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Mercora] "C:\Program Files\Mercora\MercoraClient.exe" -startup
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kypkka.exe reg_run
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [AccuWeatherDesktopAlerts] C:\Program Files\AccuWeatherDesktopAlerts\AccuWeatherDesktopAlerts.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O15 - Trusted Zone: *.pcso-ntp
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PCSO-DOM.local
O17 - HKLM\Software\..\Telephony: DomainName = PCSO-DOM.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PCSO-DOM.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PCSO-DOM.local
O20 - Winlogon Notify: NetCache - C:\WINDOWS\system32\en4ql1h51.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DM1Service - OLYMPUS OPTICAL CO.,LTD - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

LonnyRJones
2006-02-01, 18:07
Hi

The infection, Look2Me, will prevent any programs from using a RunOnce.

In Add/Remove Programs, uninstall New.Net.

Post a report from this tool (if any files show):
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Click the I accept button near the bottom of that page.
Download and run BlackLight; click > scan, then > next, next again, then exit.
There will be a new txt near BlackLight. Post it please.
Important: If any files show, do not rename them.....

dabagboy
2006-02-01, 18:21
Here is the BlackLight TXT...

Lonny, thank you; at least with your help I do feel like I am making progress. Despite what a PITA this process is, I may not have to reformat the HD and reinstall windoze...

02/01/06 12:17:02 [Info]: BlackLight Engine 1.0.30 initialized
02/01/06 12:17:02 [Info]: OS: 5.1 build 2600 (Service Pack 2)
02/01/06 12:17:02 [Note]: 7019 4
02/01/06 12:17:02 [Note]: 7005 0
02/01/06 12:17:05 [Note]: 7006 0
02/01/06 12:17:05 [Note]: 7011 2296
02/01/06 12:17:06 [Note]: 7018 3200
02/01/06 12:17:06 [Info]: Hidden process: C:\WINDOWS\system32\kypkka.exe
02/01/06 12:17:06 [Note]: FSRAW library version 1.7.1014
02/01/06 12:18:11 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\DRIVERS\sysbus32.sys
02/01/06 12:18:11 [Note]: 10002 1
02/01/06 12:19:11 [Note]: 7007 0
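
BlackLight reports objects that are hidden from the normal Windows file and process APIs, and the HijackThis log posted earlier still shows kypkka.exe launched from an O4 Run entry named winsync. Pairing the two logs is how a helper tells which visible autostart belongs to a hidden object. The script below is an added example, not part of BlackLight, HijackThis or this thread: it parses both formats and, for each hidden object, lists the O4/O20/O23 entries whose binary path matches; for a hidden driver it derives the service name a removal step with sc.exe would need, on the assumption (labelled as such) that the service is named after the file stem. The log excerpts are constructed from lines posted above.

```python
"""Cross-reference BlackLight 'Hidden ...' findings with HijackThis autostarts.

Added example, not from BlackLight, HijackThis or this thread. A rootkit-hidden
process that still needs an autostart leaves a visible O4 line, so pairing the
two logs shows which autostart entry belongs to the hidden object.
"""
import re

# Constructed excerpts modelled on the BlackLight and HijackThis logs in the thread.
BLACKLIGHT_LOG = r"""
02/01/06 12:17:06 [Info]: Hidden process: C:\WINDOWS\system32\kypkka.exe
02/01/06 12:17:06 [Note]: FSRAW library version 1.7.1014
02/01/06 12:18:11 [Info]: Hidden file: C:\WINDOWS\SYSTEM32\DRIVERS\sysbus32.sys
"""
HJT_LOG = r"""
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kypkka.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: NetCache - C:\WINDOWS\system32\en4ql1h51.dll
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
"""

HIDDEN_RE = re.compile(r"\[Info\]: Hidden (process|file): (.+?)\s*$")
# O4 paths may be quoted and may carry arguments; stop at the first binary extension.
O4_RE = re.compile(r'^O4 - \S+: \[(?P<name>[^\]]+)\] "?(?P<path>[^"]+?\.(?:exe|dll|sys))"?', re.I)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")


def parse_hidden(text):
    """(kind, path) for every BlackLight 'Hidden process/file' line."""
    hits = []
    for line in text.splitlines():
        if m := HIDDEN_RE.search(line):
            hits.append((m.group(1), m.group(2)))
    return hits


def parse_autostarts(text):
    """(section, entry name, binary path) for every O4/O20/O23 HijackThis line."""
    out = []
    for line in text.splitlines():
        for section, rx in (("O4", O4_RE), ("O20", O20_RE), ("O23", O23_RE)):
            if m := rx.match(line):
                out.append((section, m["name"], m["path"].strip()))
                break
    return out


def correlate(blacklight_text, hjt_text):
    """For each hidden object, list the autostart entries that launch it."""
    autostarts = parse_autostarts(hjt_text)
    report = []
    for kind, path in parse_hidden(blacklight_text):
        item = {"kind": kind, "path": path,
                "autostarts": [(s, n) for s, n, p in autostarts if p.lower() == path.lower()]}
        if path.lower().endswith(".sys"):
            # A hidden driver is loaded by a service, not a Run key. Assumption: the
            # service is named after the file stem, which is the name sc.exe needs.
            item["service_guess"] = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        report.append(item)
    return report


def analyze_sample():
    return correlate(BLACKLIGHT_LOG, HJT_LOG)
```

On the excerpt, the hidden process resolves to the O4 entry [winsync] and nothing else, so that is the autostart to remove together with the file; the hidden driver has no Run-key reference at all, which is the cue to look for a service named sysbus32 instead. Matching is done on the full lower-cased path, so a legitimate binary with the same file name in another directory does not produce a false pairing.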

LonnyRJones
2006-02-01, 18:25
Run BlackLight and have it rename
C:\WINDOWS\SYSTEM32\DRIVERS\sysbus32.sys

Let BlackLight restart your PC.

Then go Start > Run, type in
sc delete sysbus32
press OK.

Try option two in L2MFix again.

dabagboy
2006-02-01, 18:28
Run BlackLight and have it rename
C:\WINDOWS\SYSTEM32\DRIVERS\sysbus32.sys

Let BlackLight restart your PC.

Then go Start > Run, type in
sc delete sysbus32
press OK.

Try option two in L2MFix again.


Lonny, that kypkka.exe was detected by some others as well.... I'll follow your directions first and let you know.. thnx

LonnyRJones
2006-02-01, 18:35
Ignore kypkka.exe for now; that's a Qoologic file. Unless we delete, on reboot, all its files at once, it returns; we will get back to it later.

Curious, were there any problems getting into safe mode?

dabagboy
2006-02-01, 19:23
Ignore kypkka.exe for now; that's a Qoologic file. Unless we delete, on reboot, all its files at once, it returns; we will get back to it later.

Curious, were there any problems getting into safe mode?

I didn't run Blacklight in Safe Mode? I didn't see where you told me to do that?

After the BlackLight reboot I ran Spybot; it suggested I reboot again, so I rebooted and ran Spybot again. My logs from BlackLight and HJT:

I'm finally connected w/ no popups ATM!!!! Firefox opened many of those popups as tabs and it was a huge PITA, amen, thank you again.


----------------------------------------------------

L2mfix 010406
Creating Account.
The command completed successfully.

Adding Administrative privleges.
The command completed successfully.
Checking for L2MFix account(0=no 1=yes):
1
Granting SeDebugPrivilege to L2MFIX ... successful

Running From:
C:\WINDOWS\system32

Killing Processes!

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 768 'smss.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 840 'winlogon.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 2148 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright(C) 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1448 'rundll32.exe'
Killing PID 2788 'rundll32.exe'
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
1 file(s) copied.
Deleting: C:\WINDOWS\system32\CBMMDLG.DLL
Successfully Deleted: C:\WINDOWS\system32\CBMMDLG.DLL
Deleting: C:\WINDOWS\system32\d20mlcd11f0.dll
Successfully Deleted: C:\WINDOWS\system32\d20mlcd11f0.dll
Deleting: C:\WINDOWS\system32\dgprop.dll
Successfully Deleted: C:\WINDOWS\system32\dgprop.dll
Deleting: C:\WINDOWS\system32\drvenum.dll
Successfully Deleted: C:\WINDOWS\system32\drvenum.dll
Deleting: C:\WINDOWS\system32\enj2l11o1.dll
Successfully Deleted: C:\WINDOWS\system32\enj2l11o1.dll
Deleting: C:\WINDOWS\system32\f40oled31h0.dll
Successfully Deleted: C:\WINDOWS\system32\f40oled31h0.dll
Deleting: C:\WINDOWS\system32\hr4s05h7e.dll
Successfully Deleted: C:\WINDOWS\system32\hr4s05h7e.dll
Deleting: C:\WINDOWS\system32\i8loli3318.dll
Successfully Deleted: C:\WINDOWS\system32\i8loli3318.dll
Deleting: C:\WINDOWS\system32\ILSPOLCY.DLL
Successfully Deleted: C:\WINDOWS\system32\ILSPOLCY.DLL
Deleting: C:\WINDOWS\system32\mdftedit.dll
Successfully Deleted: C:\WINDOWS\system32\mdftedit.dll
Deleting: C:\WINDOWS\system32\n6l8lg3u16.dll
Successfully Deleted: C:\WINDOWS\system32\n6l8lg3u16.dll
Deleting: C:\WINDOWS\system32\p0n8la5u1d.dll
Successfully Deleted: C:\WINDOWS\system32\p0n8la5u1d.dll
Deleting: C:\WINDOWS\system32\rmmps.dll
Successfully Deleted: C:\WINDOWS\system32\rmmps.dll
Deleting: C:\WINDOWS\system32\UARV80A.DLL
Successfully Deleted: C:\WINDOWS\system32\UARV80A.DLL
Deleting: C:\WINDOWS\system32\uilmon.dll
Successfully Deleted: C:\WINDOWS\system32\uilmon.dll

msg11?.dll
0 file(s) copied.



Restoring Windows Update Certificates.:

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enj2l11o1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\CBMMDLG.DLL
C:\WINDOWS\system32\d20mlcd11f0.dll
C:\WINDOWS\system32\dgprop.dll
C:\WINDOWS\system32\drvenum.dll
C:\WINDOWS\system32\enj2l11o1.dll
C:\WINDOWS\system32\f40oled31h0.dll
C:\WINDOWS\system32\hr4s05h7e.dll
C:\WINDOWS\system32\i8loli3318.dll
C:\WINDOWS\system32\ILSPOLCY.DLL
C:\WINDOWS\system32\mdftedit.dll
C:\WINDOWS\system32\n6l8lg3u16.dll
C:\WINDOWS\system32\p0n8la5u1d.dll
C:\WINDOWS\system32\rmmps.dll
C:\WINDOWS\system32\UARV80A.DLL
C:\WINDOWS\system32\uilmon.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8A0BC9D8-296B-4294-BE97-D6E014C45373}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\CLSID\{8A0BC9D8-296B-4294-BE97-D6E014C45373}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8A0BC9D8-296B-4294-BE97-D6E014C45373}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8A0BC9D8-296B-4294-BE97-D6E014C45373}\InprocServer32]
@="C:\\WINDOWS\\system32\\MDRDO20.DLL"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{88F83261-C87A-4FBD-8262-40008920D465}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{88F83261-C87A-4FBD-8262-40008920D465}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{88F83261-C87A-4FBD-8262-40008920D465}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{88F83261-C87A-4FBD-8262-40008920D465}\InprocServer32]
@="C:\\WINDOWS\\system32\\dgprop.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BD93DCFC-2712-4519-997E-0B882F938C52}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BD93DCFC-2712-4519-997E-0B882F938C52}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BD93DCFC-2712-4519-997E-0B882F938C52}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{BD93DCFC-2712-4519-997E-0B882F938C52}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{8A0BC9D8-296B-4294-BE97-D6E014C45373}"=-
"{88F83261-C87A-4FBD-8262-40008920D465}"=-
"{BD93DCFC-2712-4519-997E-0B882F938C52}"=-
[-HKEY_CLASSES_ROOT\CLSID\{8A0BC9D8-296B-4294-BE97-D6E014C45373}]
[-HKEY_CLASSES_ROOT\CLSID\{88F83261-C87A-4FBD-8262-40008920D465}]
[-HKEY_CLASSES_ROOT\CLSID\{BD93DCFC-2712-4519-997E-0B882F938C52}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************

****************************************************************************
Checking for L2MFix account(0=no 1=yes):
0
Zipping up files for submission:
adding: dlls/CBMMDLG.DLL (164 bytes security) (deflated 5%)
adding: dlls/d20mlcd11f0.dll (164 bytes security) (deflated 4%)
adding: dlls/dgprop.dll (164 bytes security) (deflated 5%)
adding: dlls/drvenum.dll (164 bytes security) (deflated 5%)
adding: dlls/enj2l11o1.dll (164 bytes security) (deflated 5%)
adding: dlls/f40oled31h0.dll (164 bytes security) (deflated 5%)
adding: dlls/hr4s05h7e.dll (164 bytes security) (deflated 5%)
adding: dlls/i8loli3318.dll (164 bytes security) (deflated 5%)
adding: dlls/ILSPOLCY.DLL (164 bytes security) (deflated 5%)
adding: dlls/mdftedit.dll (164 bytes security) (deflated 4%)
adding: dlls/n6l8lg3u16.dll (164 bytes security) (deflated 4%)
adding: dlls/p0n8la5u1d.dll (164 bytes security) (deflated 5%)
adding: dlls/rmmps.dll (164 bytes security) (deflated 5%)
adding: dlls/UARV80A.DLL (164 bytes security) (deflated 5%)
adding: dlls/uilmon.dll (164 bytes security) (deflated 5%)
adding: backregs/88F83261-C87A-4FBD-8262-40008920D465.reg (212 bytes security) (deflated 70%)
adding: backregs/8A0BC9D8-296B-4294-BE97-D6E014C45373.reg (212 bytes security) (deflated 69%)
adding: backregs/BD93DCFC-2712-4519-997E-0B882F938C52.reg (212 bytes security) (deflated 70%)
adding: backregs/notibac.reg (164 bytes security) (deflated 72%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Logfile of HijackThis v1.99.1
Scan saved at 1:18:11 PM, on 2/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Mercora\MercoraClient.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Documents and Settings\mgill\Desktop\Malware removal tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Mercora] "C:\Program Files\Mercora\MercoraClient.exe" -startup
O4 - HKCU\..\Run: [AccuWeatherDesktopAlerts] C:\Program Files\AccuWeatherDesktopAlerts\AccuWeatherDesktopAlerts.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.pcso-ntp
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PCSO-DOM.local
O17 - HKLM\Software\..\Telephony: DomainName = PCSO-DOM.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PCSO-DOM.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PCSO-DOM.local
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\enj2l11o1.dll (file missing)
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DM1Service - OLYMPUS OPTICAL CO.,LTD - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
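
The Winlogon Notify export in the L2MFix log above is where the Look2Me DLL enj2l11o1.dll was registered (the entry HijackThis reports as O20). As an added example, not part of L2MFix, HijackThis or this thread, the script below parses such an export, decodes the hex(2) DllName values and flags packages whose DllName is a full path or a DLL the stock XP packages do not use; the sample export inside is a constructed excerpt of the one above.

```python
"""Flag suspicious Winlogon Notify entries in a registry export.

Added example for this thread; it is not part of L2MFix or HijackThis. It
parses a "Windows Registry Editor Version 5.00" export of the Winlogon\\Notify
key (the format L2MFix printed above), decodes hex(2) values (REG_EXPAND_SZ
stored as UTF-16LE bytes) and flags any notification package whose DllName
is a full path or a DLL that the stock XP entries do not use.
"""
import re
from typing import Dict, List, Tuple

NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify")

# DLL names used by the stock XP packages in the export above (crypt32chain,
# cryptnet, cscdll, ScCertProp, Schedule, sclgntfy, SensLogn, termsrv,
# wlballoon). Anything else under this key deserves a look.
STOCK_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "wlnotify.dll", "sclgntfy.dll"}


def decode_hex_string(raw: str) -> str:
    """Decode a hex(2) byte list (UTF-16LE, NUL terminated) to text."""
    data = bytes(int(b, 16) for b in raw.split(",") if b.strip())
    return data.decode("utf-16-le").rstrip("\x00")


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Return {key_path: {value_name: value}} for every [key] block.

    Handles the value forms present in the L2MFix export: quoted strings
    (with doubled-backslash escapes), hex(2) lists continued by a trailing
    backslash, and dword values, which are kept as their raw text.
    """
    # A trailing backslash continues a hex list on the next line.
    text = re.sub(r",\\\r?\n\s*", ",", text)
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip('"')
        if value.startswith('"') and value.endswith('"'):
            keys[current][name] = value[1:-1].replace("\\\\", "\\")
        elif value.startswith("hex(2):"):
            keys[current][name] = decode_hex_string(value[len("hex(2):"):])
        else:
            keys[current][name] = value
    return keys


def flag_notify_entries(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (package, dll, reason) for Notify entries that look wrong."""
    findings: List[Tuple[str, str, str]] = []
    prefix = NOTIFY_KEY.lower() + "\\"
    for path, values in keys.items():
        if not path.lower().startswith(prefix):
            continue
        package = path[len(prefix):]
        # The value is spelled DllName or DLLName depending on the package.
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is None:
            findings.append((package, "", "no DllName value"))
        elif "\\" in dll:
            # Every stock entry in the export above uses a bare DLL name; the
            # Look2Me "Setup" entry is the only one carrying a full path.
            findings.append((package, dll, "DllName is a full path"))
        elif dll.lower() not in STOCK_NOTIFY_DLLS:
            findings.append((package, dll, "DLL not used by stock XP packages"))
    return findings


def suspicious_packages(export_text: str) -> List[str]:
    """Package names under Winlogon\\Notify that need a second look."""
    return [pkg for pkg, _, _ in flag_notify_entries(parse_reg_export(export_text))]


# Constructed excerpt of the L2MFix export above: two stock packages and the
# Look2Me "Setup" entry that HijackThis reported as O20.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
  6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\enj2l11o1.dll"
"Logon"="WinLogon"
'''

if __name__ == "__main__":
    for pkg, dll, why in flag_notify_entries(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{pkg}: {dll or '(none)'} - {why}")
```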

LonnyRJones
2006-02-01, 19:46
Hi

Start HijackThis and place a check next to these items, if there.
Close all browser windows and shut down all other programs that show in the taskbar (even folders).
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} - http://adserver.sharewareonline.com/...er/Install.cab
O20 - Winlogon Notify: Setup - C:\WINDOWS\system32\enj2l11o1.dll (file missing)

====================================
Hit Fix checked and close HijackThis.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Restart your PC into safe mode and run SSD and then ewido again.
Save ewido's report and post it when back.

Post a fresh hijackthis log please, be sure to mention any current problems.

dabagboy
2006-02-01, 21:43
SSD ran and found Web-Nexus and said it would remove it on reboot; I don't think it ran.

EWIDO ran and its log (and HJT log) is here

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:11:24 PM, 2/1/2006
+ Report-Checksum: 49D01DC9

+ Scan result:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ipoi.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\WINDOWS\myupdates.exe -> Downloader.Adload.l : Error during cleaning
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Error during cleaning
C:\WINDOWS\SYSTEM32\0s0s0raw.dll -> Adware.Sud : Error during cleaning
C:\WINDOWS\SYSTEM32\aqiaape.dll -> Downloader.Qoologic.az : Error during cleaning
C:\WINDOWS\SYSTEM32\ckjccvf.exe -> Trojan.Pakes : Error during cleaning
C:\WINDOWS\SYSTEM32\hpsw.exe -> Adware.Suggestor : Error during cleaning
C:\WINDOWS\SYSTEM32\kypkka.exe -> Downloader.Qoologic.at : Error during cleaning
C:\WINDOWS\SYSTEM32\lgkll.dll -> Downloader.Small : Error during cleaning
C:\WINDOWS\SYSTEM32\paytime.exe -> Hijacker.StartPage.adi : Error during cleaning
C:\WINDOWS\SYSTEM32\pi1_58.exe -> Downloader.Small.bue : Error during cleaning
C:\WINDOWS\SYSTEM32\rif_32.dll -> Logger.Agent.gk : Error during cleaning
C:\WINDOWS\SYSTEM32\rif_32.exe -> Logger.Agent.gk : Error during cleaning
C:\WINDOWS\SYSTEM32\vqwvv.dat -> Downloader.Qoologic.at : Error during cleaning
C:\WINDOWS\SYSTEM32\wgse.exe -> Trojan.Runner.h : Error during cleaning
C:\WINDOWS\tool2.exe -> Not-A-Virus.Hoax.Win32.Renos.az : Error during cleaning
C:\WINDOWS\toolbar.exe -> Downloader.Adload.j : Error during cleaning
C:\WINDOWS\TWFzb24gR2lsbA\command.exe -> Adware.CommAd : Error during cleaning


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 3:42:46 PM, on 2/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Mercora\MercoraClient.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopCrawl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\mgill\Desktop\Malware removal tools\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.com/
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Norton Ghost 9.0] C:\Program Files\Symantec\Norton Ghost\Agent\GhostTray.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Mercora] "C:\Program Files\Mercora\MercoraClient.exe" -startup
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kypkka.exe reg_run
O4 - HKCU\..\Run: [AccuWeatherDesktopAlerts] C:\Program Files\AccuWeatherDesktopAlerts\AccuWeatherDesktopAlerts.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Device Detector 2.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.pcso-ntp
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = PCSO-DOM.local
O17 - HKLM\Software\..\Telephony: DomainName = PCSO-DOM.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = PCSO-DOM.local
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = PCSO-DOM.local
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: DM1Service - OLYMPUS OPTICAL CO.,LTD - C:\Program Files\Olympus\DeviceDetector\DM1Service.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Symantec\Norton Ghost\Agent\PQV2iSvc.exe

dabagboy
2006-02-01, 21:49
Ignore kypkka.exe for now, that's a qoologic file; unless we delete on reboot all its files at once it returns. We will get back to it later.

Curious, were there any problems getting into safe mode?

See my message above for EWIDO and HJT....

I thought I'd also show you this...

02/01/06 15:43:37 [Info]: BlackLight Engine 1.0.30 initialized
02/01/06 15:43:37 [Info]: OS: 5.1 build 2600 (Service Pack 2)
02/01/06 15:43:38 [Note]: 7019 4
02/01/06 15:43:38 [Note]: 7005 0
02/01/06 15:43:40 [Note]: 7006 0
02/01/06 15:43:40 [Note]: 7011 2960
02/01/06 15:43:41 [Note]: 7018 2424
02/01/06 15:43:41 [Info]: Hidden process: C:\WINDOWS\system32\kypkka.exe
02/01/06 15:43:41 [Note]: FSRAW library version 1.7.1014
02/01/06 15:47:52 [Note]: 7007 0

LonnyRJones
2006-02-01, 23:29
What version of ewido is it you have? Current is 3.5.
It shouldn't have problems removing most of those files.

You mentioned killbox, what version is it?
We need to ignore qoologic and let it have time to put back its files;
don't have any programs attempt to delete its files for now.

Start Killbox place a tick next to [x]delete on reboot
Copy this whole list into the windows clipboard, all the Bolded below.

C:\WINDOWS\myupdates.exe
C:\WINDOWS\NDNuninstall7_22.exe
C:\WINDOWS\SYSTEM32\0s0s0raw.dll
C:\WINDOWS\SYSTEM32\aqiaape.dll
C:\WINDOWS\SYSTEM32\ckjccvf.exe
C:\WINDOWS\SYSTEM32\hpsw.exe
C:\WINDOWS\SYSTEM32\lgkll.dll
C:\WINDOWS\SYSTEM32\paytime.exe
C:\WINDOWS\SYSTEM32\pi1_58.exe
C:\WINDOWS\SYSTEM32\rif_32.dll
C:\WINDOWS\SYSTEM32\rif_32.exe
C:\WINDOWS\SYSTEM32\vqwvv.dat
C:\WINDOWS\SYSTEM32\wgse.exe
C:\WINDOWS\tool2.exe
C:\WINDOWS\toolbar.exe
C:\WINDOWS\TWFzb24gR2lsbA\command.exe

Back in Killbox go > file > paste from clipboard,
Click the all files button > Click the red highlighted X button and say yes to the prompt to restart the pc.


Use the pc for a few hours then run findqoologic.bat and post its log

dabagboy
2006-02-02, 15:36
What version of ewido is it you have? Current is 3.5.
It shouldn't have problems removing most of those files.

You mentioned killbox, what version is it?
We need to ignore qoologic and let it have time to put back its files;
don't have any programs attempt to delete its files for now.

Killbox is 2.0.0.588

EWIDO is 3.5

dabagboy
2006-02-02, 15:45
Given the problems I've had with running these apps on reboot, I have to say I didn't see any confirmation that KillBox ran? Is there a way to confirm? Here is the log I found in the !Killbox log directory.

Pocket Killbox version 2.0.0.588
Running on Windows XP as dknox(Administrator)
was started @ Tuesday, January 31, 2006, 9:36 AM

Killbox Closed(Exit) @ 9:39:28 AM
__________________________________________________

Pocket Killbox version 2.0.0.588
Running on Windows XP as dknox(Administrator)
was started @ Thursday, February 02, 2006, 9:33 AM

Killbox Closed(Exit) @ 9:37:01 AM
__________________________________________________

Pocket Killbox version 2.0.0.588
Running on Windows XP as dknox(Administrator)
was started @ Thursday, February 02, 2006, 9:37 AM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\myupdates.exe


# 2 [Delete on Reboot]
Path = C:\WINDOWS\NDNuninstall7_22.exe


# 3 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\0s0s0raw.dll


# 4 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\aqiaape.dll


# 5 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\ckjccvf.exe


# 6 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\hpsw.exe


# 7 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\lgkll.dll


# 8 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\paytime.exe


# 9 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\pi1_58.exe


# 10 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\rif_32.dll


# 11 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\rif_32.exe


# 12 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\vqwvv.dat


# 13 [Delete on Reboot]
Path = C:\WINDOWS\SYSTEM32\wgse.exe


# 14 [Delete on Reboot]
Path = C:\WINDOWS\tool2.exe


# 15 [Delete on Reboot]
Path = C:\WINDOWS\toolbar.exe


# 16 [Delete on Reboot]
Path = C:\WINDOWS\TWFzb24gR2lsbA\command.exe


I Rebooted @ 9:40:18 AM
Killbox Closed(Exit) @ 9:40:21 AM
__________________________________________________

LonnyRJones
2006-02-02, 16:20
Hi
Look2Me has been taken out, so your programs should be able to run on reboot, but first >
Manually delete this folder
C:\WINDOWS\TWFzb24gR2lsbA

Do run findqoologic and post its report

dabagboy
2006-02-02, 16:46
Hi
Look2Me has been taken out, so your programs should be able to run on reboot, but first >
Manually delete this folder
C:\WINDOWS\TWFzb24gR2lsbA

Do run findqoologic and post its report

I couldn't find
C:\WINDOWS\TWFzb24gR2lsbA
Yes, I have checked show hidden files and folders under Folder Options.

Here is qoologic report....



Find Qoologic last edited 01/08/2006
Running from
C:\Documents and Settings\mgill\Desktop\Malware removal tools\Find-Qoologic\Find-Qoologic
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»» Search by size and name»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

C:\WINDOWS\SYSTEM32\KYPKKA.EXE
C:\WINDOWS\SYSTEM32\VQWVV.DAT
C:\WINDOWS\SYSTEM32\LGKLL.DLL
C:\WINDOWS\SYSTEM32\AQIAAPE.DLL
C:\WINDOWS\SYSTEM32\CKJCCVF.EXE
C:\WINDOWS\SYSTEM32\VQWVV.DAT
C:\WINDOWS\SYSTEM32\KYPKKA.EXE
C:\WINDOWS\PBNPPC.DAT
»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\IPOI.EXE
.....
.....
SteelWerX Registry Console Tool RC-2
Written by Bobbi Flekman
.....
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu]
@="{BDA77241-42F6-11d0-85E2-00AA001FE28C}"

--
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qgmqqyfg]
@="{5a53a267-2214-458d-921c-8097d78027cf}"

[-HKEY_CLASSES_ROOT\CLSID\{incert csdl here}]
[-HKEY_CLASSES_ROOT\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WebNexus]
.....
.....
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winsync"="C:\\WINDOWS\\system32\\kypkka.exe reg_run"
.....
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}]

LonnyRJones
2006-02-02, 17:08
Hi

Use that same killbox method on this list of files

C:\WINDOWS\SYSTEM32\KYPKKA.EXE
C:\WINDOWS\SYSTEM32\VQWVV.DAT
C:\WINDOWS\SYSTEM32\LGKLL.DLL
C:\WINDOWS\SYSTEM32\AQIAAPE.DLL
C:\WINDOWS\SYSTEM32\CKJCCVF.EXE
C:\WINDOWS\SYSTEM32\VQWVV.DAT
C:\WINDOWS\PBNPPC.DAT
C:\DOCUME~1\ALLUSE~1\STARTM~1\PROGRAMS\STARTUP\IPOI.EXE


After the reboot

Go Start > Run and paste in
C:\WINDOWS\TWFzb24gR2lsbA
Was it there?

Run Hijackthis and have it fix this item
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\kypkka.exe reg_run

Run SpyBot, check for updates, then check for problems and fix anything found, twice. The second time, if anything was found, post a SpyBot report.
To do so, right-click in the results window and choose save report to clipboard.
Post it please.
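
An added worked example for the "Delete on Reboot" step above (not from this thread and not Pocket Killbox's own code): on Windows, delete-on-reboot is done with MoveFileEx(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT), which appends a source/destination string pair to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; the session manager works through that list early in the next boot, before the malware can lock the files again. That Killbox uses exactly this API is an assumption; the value format is not. The script builds and parses that list, checks which of the paths you asked for are actually queued (the practical test before you reboot), and, on Windows only, can read the live value and queue a file itself. The two sample paths are constructed from the list above.

```python
"""Inspect and build the Windows 'delete on reboot' queue used by Killbox-style tools.

Added example, not part of the original thread and not Pocket Killbox's own code.
MoveFileEx(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) appends a pair of strings to the
REG_MULTI_SZ value PendingFileRenameOperations under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager. That Killbox itself uses
exactly this API is an assumption; the value format is not. The two kernel32/winreg
helpers are Windows-only; everything else is pure Python and runs anywhere.
"""
import sys
from typing import List, Tuple

PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"
NT_PREFIX = "\\??\\"              # Win32 paths are stored in NT object-manager form
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4


def to_nt_path(win_path: str) -> str:
    """C:\\dir\\file -> \\??\\C:\\dir\\file (idempotent)."""
    return win_path if win_path.startswith(NT_PREFIX) else NT_PREFIX + win_path


def from_nt_path(nt_path: str) -> str:
    return nt_path[len(NT_PREFIX):] if nt_path.startswith(NT_PREFIX) else nt_path


def build_delete_queue(paths: List[str]) -> List[str]:
    """Flat REG_MULTI_SZ list: source, destination, source, destination, ...
    An empty destination means 'delete source'; a non-empty one is a rename
    (prefixed with '!' when the target may be overwritten)."""
    flat: List[str] = []
    for p in paths:
        flat.append(to_nt_path(p))
        flat.append("")
    return flat


def parse_queue(flat: List[str]) -> List[Tuple[str, str]]:
    """Group the flat list back into (source, destination) pairs."""
    if len(flat) % 2:
        raise ValueError("odd number of strings: queue is corrupt")
    return [(flat[i], flat[i + 1]) for i in range(0, len(flat), 2)]


def pending_deletes(flat: List[str]) -> List[str]:
    """Win32 paths of every entry that will be deleted (not renamed) at next boot."""
    return [from_nt_path(src) for src, dst in parse_queue(flat) if dst == ""]


def missing_from_queue(wanted: List[str], flat: List[str]) -> List[str]:
    """Paths we asked to delete that are NOT queued. Compared case-insensitively,
    because NTFS path lookups are."""
    queued = {p.lower() for p in pending_deletes(flat)}
    return [p for p in wanted if p.lower() not in queued]


def queue_delete_on_reboot(path: str) -> None:
    """Windows only: queue one file for deletion. Needs admin, since it writes HKLM."""
    import ctypes
    ok = ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT)
    if not ok:
        raise ctypes.WinError()


def read_queue_from_registry() -> List[str]:
    """Windows only: the current flat list, or [] when nothing is pending."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
        try:
            value, kind = winreg.QueryValueEx(key, PENDING_VALUE)
        except FileNotFoundError:
            return []
    if kind != winreg.REG_MULTI_SZ:
        raise RuntimeError("unexpected registry type %d" % kind)
    return list(value)


if __name__ == "__main__":
    # Constructed input: two of the paths from the file list above.
    wanted = [r"C:\WINDOWS\SYSTEM32\KYPKKA.EXE", r"C:\WINDOWS\PBNPPC.DAT"]
    if sys.platform == "win32":
        flat = read_queue_from_registry()       # what is really queued right now
    else:
        flat = build_delete_queue(wanted)       # off-box: show the expected value
    for src, dst in parse_queue(flat):
        print("%-50s -> %s" % (src, dst or "<delete>"))
    for p in missing_from_queue(wanted, flat):
        print("NOT queued, will survive the reboot:", p)
```

Run it as Administrator on the infected box after queuing the files and before rebooting: anything printed as "NOT queued" is a path that was typed wrong or that the tool silently failed to add, and will still be there after the restart. The same list is also worth reading after the reboot; a malware component can re-queue its own renames, and an entry you did not add is a sign that something is still running.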

dabagboy
2006-02-02, 17:52
Amen, it's looking more and more like sometime this week I will be able to return to my "real" work ;)

Let me know what else I should do today, tomorrow next week....

PS: that directory showed up when I pasted it into Windows Explorer and I was able to delete it.

PPS: the Spybot log is too large due to the forum limit of 20,000 characters. I've tried to 'attach a file'; still too large. Here is the first part; let me know if you want later sections.
--- Search result list ---
Congratulations!: No immediate threats were found. ()



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2005-12-01 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2005-05-31 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2005-05-31 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-01-27 Includes\Cookies.sbi (*)
2006-01-27 Includes\Dialer.sbi (*)
2006-01-27 Includes\Hijackers.sbi (*)
2006-01-27 Includes\Keyloggers.sbi (*)
2006-01-27 Includes\Malware.sbi (*)
2006-01-27 Includes\PUPS.sbi (*)
2006-01-27 Includes\Revision.sbi (*)
2006-01-27 Includes\Security.sbi (*)
2006-01-27 Includes\Spybots.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-01-27 Includes\Trojans.sbi (*)



--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ DataAccess: Microsoft Data Access Components KB870669
/ DataAccess: Security update for Microsoft Data Access Components
/ DataAccess: Security Update for Microsoft Data Access Components
/ DirectX: DirectX Update 819696
/ DirectX / DX9 / SP1: DirectX 9 Hotfix - KB839643
/ Step By Step Interactive Training / SP2: Security Update for Step By Step Interactive Training (KB898458)
/ Windows Media Player / SP0: Windows Media Player Hotfix [See wm828026 for more information]
/ Windows Media Player: Windows Media Update 817787
/ Windows Media Player: Windows Media Update 828026
/ Windows XP / SP2: Windows XP Service Pack 2
/ Windows XP / SP3: Windows XP Hotfix - KB834707
/ Windows XP / SP3: Windows XP Hotfix - KB867282
/ Windows XP / SP3: Windows XP Hotfix - KB873333
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Security Update for Windows XP (KB883939)
/ Windows XP / SP3: Windows XP Hotfix - KB885250
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB885884
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB887742
/ Windows XP / SP3: Windows XP Hotfix - KB888113
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Security Update for Windows XP (KB890046)
/ Windows XP / SP3: Windows XP Hotfix - KB890047
/ Windows XP / SP3: Windows XP Hotfix - KB890175
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB890923
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893066)
/ Windows XP / SP3: Windows XP Hotfix - KB893086
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896422)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Security Update for Windows XP (KB896688)
/ Windows XP / SP3: Update for Windows XP (KB896727)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899588)
/ Windows XP / SP3: Security Update for Windows XP (KB899589)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB903235)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB905915)
/ Windows XP / SP3: Security Update for Windows XP (KB908519)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP / SP3: Security Update for Windows XP (KB912919)

LonnyRJones
2006-02-02, 18:10
That's enough of the report, thanks.

Launch Notepad (not wordpad), and copy and paste the contents of the code box below into a new text file.
Save it as file name: "fixme.reg" (not including the quotes). Save as file type: All files (*.*) and save it on your Desktop.


REGEDIT4

[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\qgmqqyfg]
[-HKEY_CLASSES_ROOT\CLSID\{5a53a267-2214-458d-921c-8097d78027cf}]


Now double-click on the fixme.reg file you saved and click on the Yes button when it asks if you would like to merge the information. Once you get a successful message delete fixme.reg.

Run Ewido, do a full scan again, have it remove any items found, then post its report please.

dabagboy
2006-02-02, 21:43
Got the registry change applied. Now a strange Ewido problem: when I start the program it seems to be open in the Windows desktop toolbar, but the window doesn't appear?

I restarted Windows and Ewido just sits in the toolbar. I can close it, but restarting doesn't show it on the desktop, just in the toolbar.

LonnyRJones
2006-02-03, 00:26
That's odd.
Try this: right-click on its Windows taskbar icon, select Move, then use the
arrow keys on your keyboard, and press Enter when it's where you want it.
If that didn't help, uninstall it, reboot and install it once again.

dabagboy
2006-02-03, 15:55
RE: hidden Ewido program: it was the "move" thing. Funny, I tried that yesterday but forgot to use the keyboard; the mouse failed me.

Anyway, here is the log, edited as it was too long to post, now in 2 or 3 parts.
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:49:22 AM, 2/3/2006
+ Report-Checksum: 4EEC432C

+ Scan result:

C:\!KillBox\0s0s0raw.dll -> Adware.Sud : Cleaned with backup
C:\!KillBox\aqiaape.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\!KillBox\ckjccvf.exe -> Trojan.Pakes : Cleaned with backup
C:\!KillBox\command.exe -> Adware.CommAd : Cleaned with backup
C:\!KillBox\hpsw.exe -> Adware.Suggestor : Cleaned with backup
C:\!KillBox\ipoi.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\!KillBox\kypkka.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\!KillBox\lgkll.dll -> Downloader.Small : Cleaned with backup
C:\!KillBox\myupdates.exe -> Downloader.Adload.l : Cleaned with backup
C:\!KillBox\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
C:\!KillBox\paytime.exe -> Hijacker.StartPage.adi : Cleaned with backup
C:\!KillBox\pi1_58.exe -> Downloader.Small.bue : Cleaned with backup
C:\!KillBox\rif_32.dll -> Logger.Agent.gk : Cleaned with backup
C:\!KillBox\rif_32.exe -> Logger.Agent.gk : Cleaned with backup
C:\!KillBox\tool2.exe -> Not-A-Virus.Hoax.Win32.Renos.az : Cleaned with backup
C:\!KillBox\toolbar.exe -> Downloader.Adload.j : Cleaned with backup
C:\!KillBox\vqwvv.dat -> Downloader.Qoologic.at : Cleaned with backup
C:\!KillBox\wgse.exe -> Trojan.Runner.h : Cleaned with backup
C:\Documents and Settings\mgill\Application Data\Mercora\MercoraClient\Data\MyPictures.dat -> Spyware.Grokster : Cleaned with backup
:mozilla.16:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.17:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.18:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.19:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.20:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.21:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.22:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.23:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.24:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.25:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.26:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.27:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.28:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.29:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.30:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.31:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.32:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.33:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.34:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.35:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.36:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.37:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.38:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.39:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.40:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.41:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.56:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.57:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.60:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.61:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.62:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.63:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.64:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.66:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.68:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.69:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.70:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup

dabagboy
2006-02-03, 15:55
Part II

:mozilla.71:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.85:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.104:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.105:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.247realmedia : Cleaned with backup
:mozilla.112:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Adbrite : Cleaned with backup
:mozilla.113:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Adbrite : Cleaned with backup
:mozilla.114:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.115:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.116:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.117:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
:mozilla.122:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.123:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.124:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Euroclick : Cleaned with backup
:mozilla.129:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.130:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.131:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.132:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.133:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.134:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.142:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.143:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.144:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.145:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.146:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.147:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.148:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.149:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Adtech : Cleaned with backup
:mozilla.157:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.158:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.159:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.160:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.165:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.166:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.167:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.168:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.169:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.199:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.208:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.215:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.216:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.217:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.218:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.219:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.220:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.221:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.222:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.235:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.236:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.239:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.240:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.263:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.264:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.265:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.266:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.267:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.268:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.269:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.278:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.279:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.280:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.281:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.282:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.283:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.284:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.285:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.286:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
:mozilla.298:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Estat : Cleaned with backup
:mozilla.316:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Findwhat : Cleaned with backup
:mozilla.438:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.494:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
:mozilla.495:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Overture : Cleaned with backup
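
An added worked example for reading a report like the Ewido one posted above in parts (not from this thread and not ewido's own code): most of its lines are tracking cookies, another block is files that Killbox had already moved into its C:\!KillBox holding folder, and the "Error during cleaning" entries are Look2Me DLLs inside l2mfix's backup.zip rather than files in their original place. The script parses the "<path> -> <detection> : <action>" lines and sorts every hit into one of those buckets so the one finding still live on disk stands out. The bucket rules are this example's own assumptions about those paths (that C:\!KillBox is Killbox's quarantine and that the .zip is the tool's backup), not ewido's classification, and SAMPLE_REPORT is constructed from lines quoted in the thread.

```python
"""Triage an ewido anti-malware scan report: separate live findings from noise.

Added example, not part of the original thread and not ewido's own code. Each
'<path> -> <detection> : <action>' line is sorted into a bucket a responder
treats differently:
  cookie      Spyware.Cookie.* tracking cookies: privacy noise, not an infection
  quarantine  a file already sitting in Killbox's C:\\!KillBox holding folder
  archive     a hit inside a .zip (here l2mfix's backup.zip), not a live file
  live        anything else: still on disk where the scanner found it
The bucket rules are assumptions of this example, not ewido's classification.
SAMPLE_REPORT is constructed from lines quoted in the thread.
"""
import re
from collections import Counter
from typing import List, NamedTuple


class Hit(NamedTuple):
    path: str
    detection: str
    action: str
    bucket: str


# Firefox cookies are reported as ':mozilla.N:<path to cookies.txt>'; drop the tag.
_LINE = re.compile(r"^(?::mozilla\.\d+:)?(?P<path>.+?) -> (?P<det>\S+) : (?P<act>.+)$")
QUARANTINE_DIR = "c:\\!killbox\\"
CLEANED = "Cleaned with backup"


def classify(path: str, detection: str) -> str:
    low = path.lower()
    if detection.startswith("Spyware.Cookie."):
        return "cookie"
    if low.startswith(QUARANTINE_DIR):
        return "quarantine"
    if ".zip/" in low or ".zip\\" in low:
        return "archive"
    return "live"


def parse_report(text: str) -> List[Hit]:
    hits: List[Hit] = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if not m:          # banner, checksum and blank lines
            continue
        path, det, act = m.group("path"), m.group("det"), m.group("act").strip()
        hits.append(Hit(path, det, act, classify(path, det)))
    return hits


def summarize(hits: List[Hit]) -> Counter:
    return Counter(h.bucket for h in hits)


def needs_attention(hits: List[Hit]) -> List[Hit]:
    """Live hits, plus anything not cleaned that is not merely inside an archive."""
    return [h for h in hits
            if h.bucket == "live" or (h.action != CLEANED and h.bucket != "archive")]


def detections_in(hits: List[Hit], bucket: str) -> Counter:
    """Which detection names landed in a bucket, e.g. what is really in quarantine."""
    return Counter(h.detection for h in hits if h.bucket == bucket)


SAMPLE_REPORT = r"""
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:49:22 AM, 2/3/2006
+ Report-Checksum: 4EEC432C

+ Scan result:

C:\!KillBox\aqiaape.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\!KillBox\rif_32.dll -> Logger.Agent.gk : Cleaned with backup
C:\!KillBox\rif_32.exe -> Logger.Agent.gk : Cleaned with backup
C:\Documents and Settings\mgill\Application Data\Mercora\MercoraClient\Data\MyPictures.dat -> Spyware.Grokster : Cleaned with backup
:mozilla.16:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\mgill\Cookies\dknox@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\backup.zip/dlls/CBMMDLG.DLL -> Spyware.Look2Me : Error during cleaning
"""


if __name__ == "__main__":
    hits = parse_report(SAMPLE_REPORT)
    print("buckets:", dict(summarize(hits)))
    print("quarantined:", dict(detections_in(hits, "quarantine")))
    for h in needs_attention(hits):
        print("ATTENTION:", h.detection, h.action, h.path)
```

Feed it the full saved report instead of SAMPLE_REPORT and the "ATTENTION" lines are the ones worth acting on; with the report above that is the single Spyware.Grokster hit in the Mercora data folder, while the Look2Me errors can be closed out by deleting the l2mfix backup archive once the machine has been clean for a while.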

dabagboy
2006-02-03, 15:56
Part III

:mozilla.633:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.634:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.635:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.636:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.637:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.638:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.639:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.648:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.649:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.650:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.651:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.652:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.653:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.654:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.655:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.656:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.657:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.663:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.664:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.665:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.705:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.712:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.713:C:\Documents and Settings\mgill\Application Data\Mozilla\Firefox\Profiles\uxezj0cq.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\mgill\Cookies\dknox@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\mgill\Cookies\dknox@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\mgill\Cookies\dknox@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup
C:\Documents and Settings\mgill\Cookies\dknox@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\mgill\Cookies\dknox@questionmarket[2].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\mgill\Cookies\dknox@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\mgill\Cookies\dknox@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\backup.zip/dlls/CBMMDLG.DLL -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\backup.zip/dlls/d20mlcd11f0.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\backup.zip/dlls/dgprop.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\backup.zip/dlls/drvenum.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\backup.zip/dlls/enj2l11o1.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\backup.zip/dlls/f40oled31h0.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\backup.zip/dlls/hr4s05h7e.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\backup.zip/dlls/i8loli3318.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\backup.zip/dlls/ILSPOLCY.DLL -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\backup.zip/dlls/mdftedit.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\backup.zip/dlls/n6l8lg3u16.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\backup.zip/dlls/p0n8la5u1d.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\backup.zip/dlls/rmmps.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\backup.zip/dlls/UARV80A.DLL -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\backup.zip/dlls/uilmon.dll -> Spyware.Look2Me : Error during cleaning
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\dlls\CBMMDLG.DLL -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\dlls\d20mlcd11f0.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\dlls\dgprop.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\dlls\drvenum.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\dlls\enj2l11o1.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\dlls\f40oled31h0.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\dlls\hr4s05h7e.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\dlls\i8loli3318.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\dlls\ILSPOLCY.DLL -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\dlls\mdftedit.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\dlls\n6l8lg3u16.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\dlls\p0n8la5u1d.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\dlls\rmmps.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\dlls\UARV80A.DLL -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\mgill\Desktop\Malware removal tools\l2mfix\dlls\uilmon.dll -> Spyware.Look2Me : Cleaned with backup
C:\Documents and Settings\mgill\Local Settings\Temp\Cookies\dknox@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\mgill\Local Settings\Temp\Cookies\dknox@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\mgill\Local Settings\Temp\Cookies\dknox@ads.addynamix[1].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\mgill\Local Settings\Temp\Cookies\dknox@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup
C:\Documents and Settings\mgill\Local Settings\Temp\Cookies\dknox@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
C:\Documents and Settings\mgill\Local Settings\Temp\Cookies\dknox@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc101.txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc104.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc105.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc113.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc114.txt -> Spyware.Cookie.Coremetrics : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc12.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc15.txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc156.txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc16.txt -> Spyware.Cookie.Bluestreak : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc2.txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc23.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc24.txt -> Spyware.Cookie.Centrport : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc31.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc34.txt -> Spyware.Cookie.Dbbsrv : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc37.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc38.txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc4.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc40.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc41.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc42.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc43.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc47.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc50.txt -> Spyware.Cookie.Gator : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc57.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc68.txt -> Spyware.Cookie.Linksynergy : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc71.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc8.txt -> Spyware.Cookie.X10 : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc82.txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc86.txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc89.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
C:\RECYCLER\S-1-5-21-682003330-507921405-725345543-500\Dc9.txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058742.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058743.dll -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058756.exe -> Dropper.VB.kk : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058761.dll -> Adware.E2Give : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058768.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058769.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058770.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058781.DLL -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058796.exe -> Downloader.TSUpdate.o : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058797.exe -> Downloader.Small.buy : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058798.exe -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058799.exe -> Trojan.Small : Cleaned with backup

dabagboy
2006-02-03, 15:57
Part IV

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058800.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058801.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058802.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058803.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058804.dll -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058805.cpl -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058808.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058813.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058815.exe -> Logger.Agent.gk : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058816.dll -> Logger.Agent.gk : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058817.exe -> Logger.VB.eh : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058823.exe -> Spyware.AdURL : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058824.dll -> Adware.E2Give : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058825.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058826.exe -> Spyware.Zestyfind : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058829.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058834.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058839.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058844.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058849.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058854.DLL -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058856.dll -> Adware.E2Give : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058859.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058864.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058869.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058874.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058877.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0058899.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0059925.exe/UCMTSAIE.DLL -> Spyware.UCmore : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0059925.exe/IUCMORE.DLL -> Spyware.UCmore : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0059928.exe -> Not-A-Virus.Hoax.Win32.Renos.az : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0059929.exe -> Downloader.Adload.j : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0059930.exe -> Downloader.Small.cam : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0059931.exe -> Downloader.Small.bmx : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0059932.EXE -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0059935.dll -> Adware.E2Give : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0059937.dll -> Adware.Suggestor : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0059938.exe -> Adware.Suggestor : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0059944.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0059945.exe -> Downloader.Harnig.bb : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP844\A0059946.exe -> Dropper.Small.qn : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0059950.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0059952.dll -> Spyware.CommAd : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0059953.exe -> Logger.VB.eh : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0059954.dll -> Adware.E2Give : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0059962.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0059972.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0059981.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0059982.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0059983.dll -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0059990.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0059997.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060009.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060016.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060017.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060018.dll -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060028.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060029.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060030.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060031.dll -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060042.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060046.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060051.DLL -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060052.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060053.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060054.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060055.dll -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060071.dll -> Spyware.UCmore : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060072.dll -> Spyware.UCmore : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060077.dll -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060078.dll -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060079.exe -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060082.dll -> Adware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060083.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060088.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060089.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060090.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060092.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060093.dll -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP845\A0060096.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060102.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060119.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060135.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060141.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060146.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060148.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060149.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060150.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060151.dll -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060169.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060174.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060175.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060176.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060177.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060179.dll -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060180.DLL -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060181.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060182.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060183.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060184.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060185.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060186.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060187.DLL -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060188.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060189.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060190.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060191.DLL -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060192.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060338.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060339.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060341.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060342.dll -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060358.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060359.exe -> Downloader.Qoologic.at : Cleaned with backup

dabagboy
2006-02-03, 15:59
Part V

C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060361.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060362.dll -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060386.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060394.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060395.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060414.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060415.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060417.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0060418.dll -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060428.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060429.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060431.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060432.dll -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060436.exe -> Downloader.Adload.l : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060437.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060438.dll -> Adware.Sud : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060439.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060440.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060441.exe -> Adware.Suggestor : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060442.dll -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060443.exe -> Hijacker.StartPage.adi : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060444.exe -> Downloader.Small.bue : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060445.dll -> Logger.Agent.gk : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060446.exe -> Logger.Agent.gk : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060447.exe -> Trojan.Runner.h : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060448.exe -> Not-A-Virus.Hoax.Win32.Renos.az : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060449.exe -> Downloader.Adload.j : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060450.exe -> Adware.CommAd : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060455.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060475.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060476.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060477.dll -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060479.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060480.dll -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060481.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060482.exe -> Trojan.Pakes : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP847\A0060483.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\WINDOWS\Temp\Cookies\dknox@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\dknox@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\WINDOWS\Temp\Cookies\dknox@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
C:\WINDOWS\Temp\Cookies\dknox@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup


::Report End

LonnyRJones
2006-02-03, 17:46
Good

Use a program like System Security Suite to clear temps about every couple of weeks.
System Security Suite:
http://www.igorshpak.net/
Extract it from the zip file and run setup.exe.
After the install you can delete setup.exe and the downloaded zip file.
Start the program, check all the boxes under the 'Items to Clear' tab (except perhaps cookies) and click
'Clear Selected Items'. You will be prompted to reboot; do so.

Prevention:
Put in place a good hosts file:
http://www.mvps.org/winhelp2002/hosts.htm
How To Download and Extract the HOSTS file:
http://www.mvps.org/winhelp2002/hosts2.htm
How did that go?
Replace it about once monthly to keep it updated.

To help avoid reinfection see "So how did I get infected in the first place?"
http://forums.spybot.info/showthread.php?t=279


Purge System Restore
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Then reboot. < Don't skip that step.
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

Let us know if there are any problems
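The reason the System Restore purge above is on the checklist is visible in the ewido report earlier in the thread: most of the cleaned items sit under C:\System Volume Information\_restore{...}\RP847, i.e. inside a restore point, where the system could put them back. The following is an added example, not part of the thread or of ewido itself: a small Python parser for report lines in the "path -> detection : action" format ewido printed, which tallies detections by family, lists which restore points hold infected copies, and flags anything that was not actually cleaned. The sample lines are constructed here from entries quoted in the posted report.

```python
import re
from collections import Counter

# Constructed sample in the report format shown in the thread (a handful of
# lines taken from the posted report, not a real scan output file).
SAMPLE_REPORT = """\
C:\\System Volume Information\\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\\RP847\\A0060446.exe -> Logger.Agent.gk : Cleaned with backup
C:\\System Volume Information\\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\\RP847\\A0060455.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\\System Volume Information\\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\\RP847\\A0060476.dll -> Downloader.Qoologic.az : Cleaned with backup
C:\\WINDOWS\\Temp\\Cookies\\dknox@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\\WINDOWS\\Temp\\Cookies\\dknox@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup

::Report End
"""

# One report line: "<path> -> <detection name> : <action taken>"
LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>[^:]+?) : (?P<action>.+)$")

# A path inside a System Restore point: ...\_restore{GUID}\RPnnn\...
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\",
    re.IGNORECASE,
)


def parse_report(text):
    """Parse report text into a list of dicts; skips blanks and '::' markers."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("::"):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # not a detection line (headers, footers, etc.)
        entry = m.groupdict()
        rp = RESTORE_RE.search(entry["path"])
        entry["restore_point"] = rp.group(1) if rp else None
        # First dotted component of the detection name, e.g. "Downloader"
        entry["family"] = entry["detection"].split(".")[0]
        entries.append(entry)
    return entries


def summarize(entries):
    """Aggregate parsed entries into the numbers a helper would look at first."""
    return {
        "total": len(entries),
        "in_restore_points": sum(1 for e in entries if e["restore_point"]),
        "restore_points": sorted({e["restore_point"] for e in entries if e["restore_point"]}),
        "by_family": Counter(e["family"] for e in entries),
        # Anything whose action does not start with "Cleaned" still needs attention.
        "not_cleaned": [e["path"] for e in entries if not e["action"].startswith("Cleaned")],
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print(f"{summary['in_restore_points']} of {summary['total']} detections live in restore points "
          f"{summary['restore_points']}; purge System Restore to drop those copies.")
    for family, count in summary["by_family"].most_common():
        print(f"  {family}: {count}")
    if summary["not_cleaned"]:
        print("Not cleaned:", *summary["not_cleaned"], sep="\n  ")
```

Run it against a saved report instead of the constructed sample by reading the file into `parse_report`. A non-empty `restore_points` list is the cue to do the System Restore off/on cycle described above, and a non-empty `not_cleaned` list is the cue to post a fresh log rather than assume the machine is clean.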

dabagboy
2006-02-03, 21:12
Does that mean I'm done?

LonnyRJones
2006-02-04, 01:00
Yes, Good work.

We will leave the thread open for a few days just in case you need to post again.

dabagboy
2006-02-07, 17:44
Now something has tackled our Windows 2000 server, same domain as the client PC from last week, which is again "infected."

Biggest problem right now is Windows Installer will not run/complete/start. It just hangs, same in safe mode, and cannot be started manually.

What now?

LonnyRJones
2006-02-08, 00:50
If the same PC is having problems, post a fresh HijackThis log; if it's another PC, start a new topic and mention it is a different PC please.

tashi
2006-02-13, 17:17
As the problem appears to be resolved this topic will be archived.
If you need it re-opened please send me a PM and provide a link to the topic.

Glad we could help, thank you Lonny.