Spybot won't restart after reboot



bogusbogus32
2006-05-10, 22:29
I've downloaded Spybot 1.4 and added all updates. After checking for problems and fixing, Spybot indicates that some programs are still in use by memory and asks if I want to rerun it at startup. After restart, however, Spybot doesn't startup. If I run Spybot again immediately after startup, I get the same error. When I run Spybot in Safe Mode, I don't get the error but when I come back into normal mode, the spyware is back. Any help will be greatly, greatly appreciated. Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 3:29:51 PM, on 5/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\explorer.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Documents and Settings\NB\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\pfjds.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,baphdta.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.cnn.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.cnn.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab
O16 - DPF: {26BFFB87-5B07-4611-82BB-AF3947013FDD} (DAPCtl Class) - http://www.lexis.com/dl/IEDAP.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138402863458
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://66.147.8.11/TSWEB/msrdp.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.napster.com/client/isetup.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9C134253-E8A3-4759-9F98-302B7981922E} (MaxViewer Class) - http://support.scansoft.com/pp/files/np_max.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\l4l60e3seh.dll
O23 - Service: Aluria Spyware Eliminator Service (ASEService) - Unknown owner - C:\PROGRA~1\ALURIA~1\ASE\ASEServ.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Network Security Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\ntcf32.exe (file missing)

pskelley
2006-05-11, 02:29
Hello and welcome to the forum. If you still need help and are not receiving it elsewhere: you have markers for the Qoologic trojan along with other nasties. We will remove Qoologic first. I can tell you that this fix will work if you follow the directions.

1) Your HJT on your Desktop appears not to be in a folder. This is not safe as logs and backups for safety can get lost or deleted. I suggest you move it here: C:\HJT\HijackThis.exe. If you must run it from the Desktop, create a folder for those items.


2) I also suggest you edit that email address out of your first post. Bots are roaming the forums looking for valid address to spam.


3) Download Brute Force Uninstaller to your C:\
http://www.merijn.org/files/bfu.zip
Unzip it to a folder of its own (C:\BFU). So BFU should be on your root. In most cases this is C:\
Download qoofix.bat: http://downloads.subratam.org/Lon/qooFix.bat
(rightclick on this link and choose save as)
Place qoofix.bat in your C:\BFU - folder. (Important! )
Doubleclick qooFix.bat, Close all browsers and explorer folders.
Choose option 1 (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.
After the PC has restarted please post another hijackthis log.

We will have more to do.

Thanks...pskelley
Safer Networking Forums

tashi
2006-05-11, 03:39
Removed email address as user name.

bogusbogus32
2006-05-11, 14:39
I've followed your instructions and here is the new log:

Logfile of HijackThis v1.99.1
Scan saved at 8:37:46 AM, on 5/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\pfjds.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,baphdta.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ymvqsl] C:\WINDOWS\System32\avrysn.exe reg_run
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [vjdst] C:\WINDOWS\System32\avrysn.exe reg_run
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.cnn.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.cnn.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab
O16 - DPF: {26BFFB87-5B07-4611-82BB-AF3947013FDD} (DAPCtl Class) - http://www.lexis.com/dl/IEDAP.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138402863458
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://66.147.8.11/TSWEB/msrdp.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.napster.com/client/isetup.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9C134253-E8A3-4759-9F98-302B7981922E} (MaxViewer Class) - http://support.scansoft.com/pp/files/np_max.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\enp4l17q1.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Aluria Spyware Eliminator Service (ASEService) - Unknown owner - C:\PROGRA~1\ALURIA~1\ASE\ASEServ.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Network Security Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\ntcf32.exe (file missing)

My sincere thanks again for all of your help!

pskelley
2006-05-11, 15:48
Well, that fix for the Qoologic trojan has failed. We will come back to that a little later; you should look at those directions, because when the fix fails it is almost always because the instructions were not followed correctly. You do not mention any issues with the fix? Please communicate with me about anything you question, or anything that does not go as you think it should. These are complex fixes, thanks.

Let's move on to the other junk. You have a Look2Me infection; follow these directions exactly, please.

1) You are running MSConfig in Selective Startup mode. I must see all logs in Normal Startup unless I request otherwise.

Thanks to Atribune and any others who helped with this fix

2) Please download Look2Me-Destroyer.exe (http://www.atribune.org/ccount/click.php?id=7) to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
(hold those logs until the end)
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

More info:

If for some reason Look2Me-Destroyer doesn't reopen check that task scheduler is running.
If it isn't, you can use sc.exe to start it:

Start > Run, type: sc start schedule and press Enter.

3) Download CWShredder from this link:
http://www.softpedia.com/get/Internet/Popup-Ad-Spyware-Blockers/CWShredder.shtml
Choose "Check For Update". If no updates are available, then click on Fix (NOT Scan Only).
If an instance of CWS is located, have it fixed if requested.
If not, click Next, then Exit. (Let me know if CWS was found.)

4) Disable the offending Service
Click Start > Run and type services.msc
Scroll down to Network Security Service and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

Delete the offending Service
Open HijackThis and click Config -> Misc Tools -> Delete an NT service.
In the Delete window, type Network Security Service and press OK.
(not sure about this, this is what it should be: (%AF夶À¨) but how do you type that?)
OK any prompts, close HijackThis, and restart your computer.

5) Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\pfjds.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,baphdta.exe
O4 - HKLM\..\Run: [ymvqsl] C:\WINDOWS\System32\avrysn.exe reg_run
O4 - HKCU\..\Run: [vjdst] C:\WINDOWS\System32\avrysn.exe reg_run
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...etaStream3.cab
O20 - Winlogon Notify: App Paths - C:\WINDOWS\system32\enp4l17q1.dll
O23 - Service: Network Security Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\ntcf32.exe (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\System32\baphdta.exe >>> file

C:\WINDOWS\System32\pfjds.exe >>> file

C:\WINDOWS\System32\avrysn.exe >>> file

C:\WINDOWS\ntcf32.exe >>> file

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

Empty the recycle bin and post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log. Please post any comments you think will help. We will have more to do.

Thanks...Phil

bogusbogus32
2006-05-11, 17:03
I'm really sorry if I messed something up in the first set of directions. The only thing I noticed was that while brute force uninstaller was running, a window popped up indicating that "The Web page you requested is not available offline. To view this page, click Connect" with an IE window opened, but no webpage loaded. I click "stay offline" each time.

I will describe exactly what is happening with each step from now on :)

On to the new directions you provided:

1) I changed msconfig to normal startup and restarted. Upon restart, I got an error message stating
"Error loading C:\Program~1\newdot~1\newdot~2.dll" I clicked "OK" and proceeded with step 2.

2) I followed the instructions for Look2Me Destroyer and everything worked as indicated. Upon restart, I got the same error as directly above and several more popups about the webpage requested being unavailable.

Logs are as follows:


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 5/11/2006 10:22:55 AM

Infected! C:\WINDOWS\system32\en08l1du1.dll
Infected! C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000003.dll
Infected! C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000062.dll
Infected! C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000069.dll
Infected! C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000076.dll
Infected! C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000101.dll
Infected! C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000107.dll
Infected! C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000112.dll
Infected! C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000122.dll
Infected! C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000123.dll
Infected! C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000127.dll
Infected! C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000899.dll
Infected! C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000907.dll
Infected! C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000912.dll
Infected! C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000917.dll
Infected! C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000925.dll
Infected! C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000929.dll
Infected! C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000938.dll
Infected! C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000942.dll
Infected! C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0000984.dll
Infected! C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0000990.dll
Infected! C:\WINDOWS\system32\afferror.dll
Infected! C:\WINDOWS\system32\derpsetu.dll
Infected! C:\WINDOWS\system32\en08l1du1.dll
Infected! C:\WINDOWS\system32\myls31.dll
Infected! C:\WINDOWS\system32\n48o0el3ehq.dll
Infected! C:\WINDOWS\system32\tZembed.dll
Infected! C:\WINDOWS\system32\uttfs.dll
Infected! C:\WINDOWS\system32\wibcheck.dll
Infected! C:\WINDOWS\system32\wxnntbbu.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\en08l1du1.dll
C:\WINDOWS\system32\en08l1du1.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000003.dll
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000003.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000062.dll
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000062.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000069.dll
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000069.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000076.dll
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000076.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000101.dll
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000101.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000107.dll
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000107.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000112.dll
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000112.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000122.dll
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000122.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000123.dll
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000123.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000127.dll
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000127.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000899.dll
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000899.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000907.dll
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000907.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000912.dll
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000912.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000917.dll
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000917.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000925.dll
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000925.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000929.dll
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000929.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000938.dll
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000938.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000942.dll
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP1\A0000942.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0000984.dll
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0000984.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0000990.dll
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0000990.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\afferror.dll
C:\WINDOWS\system32\afferror.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\derpsetu.dll
C:\WINDOWS\system32\derpsetu.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\en08l1du1.dll
C:\WINDOWS\system32\en08l1du1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\myls31.dll
C:\WINDOWS\system32\myls31.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\n48o0el3ehq.dll
C:\WINDOWS\system32\n48o0el3ehq.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\tZembed.dll
C:\WINDOWS\system32\tZembed.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\uttfs.dll
C:\WINDOWS\system32\uttfs.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\wibcheck.dll
C:\WINDOWS\system32\wibcheck.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\wxnntbbu.dll
C:\WINDOWS\system32\wxnntbbu.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Syncmgr

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{4F050AD7-4F3E-4EA2-B9CF-E57B9A29A415}"
HKCR\Clsid\{4F050AD7-4F3E-4EA2-B9CF-E57B9A29A415}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{328D4836-05B3-4BF7-A6DC-68D063DF6404}"
HKCR\Clsid\{328D4836-05B3-4BF7-A6DC-68D063DF6404}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded





Cont. on next post

bogusbogus32
2006-05-11, 17:04
Logfile of HijackThis v1.99.1
Scan saved at 10:39:38 AM, on 5/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system32\dwdsregt.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\windows\defender1.exe
C:\WINDOWS\System32\rwinqqaf.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\pfjds.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,baphdta.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [{93-33-3B-BC-ZN}] C:\windows\system32\dwdsregt.exe CORN004
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [newname] C:\\newname18.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard18.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [defender] C:\windows\defender1.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\rwinqqaf.exe CORN004
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [Zcqjehop] C:\Documents and Settings\User\My Documents\??stem32\dllhost.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [USPTO Direct Recovery] "C:\Program Files\USPTO\etdirrcv.exe"
O4 - HKCU\..\Run: [uouq] C:\PROGRA~1\COMMON~1\uouq\uouqm.exe
O4 - HKCU\..\Run: [Uahe] "C:\PROGRA~1\STEM~1\ati2evxx.exe" -vt yazr
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\rwinqqaf.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\ppdsregk.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.cnn.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.cnn.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab
O16 - DPF: {26BFFB87-5B07-4611-82BB-AF3947013FDD} (DAPCtl Class) - http://www.lexis.com/dl/IEDAP.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138402863458
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://66.147.8.11/TSWEB/msrdp.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.napster.com/client/isetup.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9C134253-E8A3-4759-9F98-302B7981922E} (MaxViewer Class) - http://support.scansoft.com/pp/files/np_max.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Aluria Spyware Eliminator Service (ASEService) - Unknown owner - C:\PROGRA~1\ALURIA~1\ASE\ASEServ.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Network Security Service (�%AF夶À¨) - Unknown owner - C:\WINDOWS\ntcf32.exe (file missing)


This is where things get odd...

3) I downloaded a program from the link provided (on another computer because IE doesn't work on the infected laptop)...for some reason, the first program downloaded was miniremoval_coolwebsearch_smartkiller and when I ran it, it gave me a popup that said no instances of coolwebsearch detected. I thought it was curious that it didn't give me the "check for update" option you described so I downloaded it again from the same site and got the correct program this time...it indicated that nothing was infected...

4) I followed the instructions up to this point but do not see anything titled "network security service". There are some other items like network connections, network dde, network location, security accounts, etc. But nothing titled network security service. Should I continue with the rest of your instructions if I can't complete this step?

Thanks again for everything!!!!

Neil

pskelley
2006-05-11, 17:56
First I need to say that you had programs turned off with MSConfig, SurfSideKick 3, Adware.ZenoSearch, New.net, and a bunch of other junk. There are three items for which we will use the BFU in conjunction with other tools. You have removed the one bad item, Look2me. We are going to remove these items one at a time, and we will not pass an item until you have been successful. Start by reviewing my comments in one through four, then I will start the instructions for the Qoologic trojan again.

OK, I will go right down the numbers and comment:

1) There was no New.Net showing in your log, probably turned off in MSConfig?


2) I can look ahead and see the Look2me O20 line is gone, good job.


3) That is the correct link, and you should have downloaded this: CWShredder; the description is on that page:
http://www.softpedia.com/progDownload/CWShredder-Download-8114.html There are all kinds of screenshots and tutorials showing how to use it. If you did use it right and it said there was NO CWS present, that is what I wanted to know. My scanners showed the O23 item, Network Security Service, as being CWS.


4) Please look at the last O23 item in the HJT log:
O23 - Service: Network Security Service (%AF夶À¨) - Unknown owner - C:\WINDOWS\ntcf32.exe (file missing)

This is the item that needs to be disabled before you can remove it. Please click Start > Run and type services.msc again, then, looking at the last item in the log, see if you can find and disable it. Then use the earlier instructions and delete the junk with HJT.
It must be done, and you can not be clean until it is.

Once you have completed any instructions in one to four, then start here:

Click on Start > Control Panel > Add Remove programs and uninstall SurfSideKick 3, Adware.ZenoSearch, New.Net and any other program you know does not belong there. If you are unsure about a program, let me know and I will look.

Qoologic Trojan: the instructions must be followed exactly or the fix will not work. This is what it looks like in your HJT log:
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\pfjds.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,baphdta.exe

When you no longer see those two lines in the HJT log, you will know you have removed Qoologic trojan. Here are the instructions in more detail:

Detailed instructions by Mieke...thank you

Ok, let me explain every step again, but very detailed how to unzip properly and move that qoofix.bat in that folder.

* Right-click on the next link and choose save as: Brute Force Uninstaller
A new window will open.
You'll see below in the filename-path: bfu.zip
Now edit that filename path to: C:\bfu.zip
Then click save.
Close the windows now.
Then click My computer.
Then click C:\
You should find bfu.zip there.
Now right-click bfu.zip
Select 'extract all'
A wizard will open.
Click next.
You'll see it will say in the filepath C:\bfu
Click next and click finish.
If you now look on your C:\, you'll find C:\bfu.zip and C:\bfu
Now right-click on this link: qoofix.bat
Choose save as.
In the filepath, you'll see qoofix.bat
Now change that to C:\bfu\qoofix.bat and choose save.
This will place the qoofix.bat in the C:\bfu folder.
Then go to the BFU folder and double-click qoofix.bat.
This should start the fix.
It will also ask to reboot. After the reboot, post a new HijackThis log in your next reply.

When this is done and I receive the new HJT log, we will start on the next infection.

I want to say you would do well to stay offline unless absolutely necessary, these infections attract others and you have your share right now.

Thanks.

bogusbogus32
2006-05-11, 18:16
Ok...I've disconnected my internet connection from the infected laptop and will just use a jump drive to transfer files...

As for Step 4, I can't determine which service I should stop...I've exported the ones listed which are as follows:

Name | Description | Status | Startup Type | Log On As
Alerter | Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start. | | Manual | Local Service
Aluria Spyware Eliminator Service | Removes spyware during reboot that cannot be removed while Windows is running | | Automatic | Local System
Application Management | Provides software installation services such as Assign, Publish, and Remove. | | Manual | Local System
ASP.NET State Service | Provides support for out-of-process session states for ASP.NET. If this service is stopped, out-of-process requests will not be processed. If this service is disabled, any services that explicitly depend on it will fail to start. | | Manual | Network Service
Ati HotKey Poller | | Started | Automatic | Local System
Automatic Updates | Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. | Started | Automatic | Local System
Background Intelligent Transfer Service | Uses idle network bandwidth to transfer data. | | Manual | Local System
Canon Camera Access Library 8 | | Started | Automatic | Local System
ClipBook | Enables ClipBook Viewer to store information and share it with remote computers. If the service is stopped, ClipBook Viewer will not be able to share information with remote computers. If this service is disabled, any services that explicitly depend on it will fail to start. | | Manual | Local System
COM+ Event System | Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components. If the service is stopped, SENS will close and will not be able to provide logon and logoff notifications. If this service is disabled, any services that explicitly depend on it will fail to start. | Started | Manual | Local System
COM+ System Application | Manages the configuration and tracking of Component Object Model (COM)+-based components. If the service is stopped, most COM+-based components will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. | | Manual | Local System
Computer Browser | Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start. | Started | Automatic | Local System
Cryptographic Services | Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates. If this service is stopped, these management services will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. | Started | Automatic | Local System
DefWatch | | Started | Automatic | Local System
DHCP Client | Manages network configuration by registering and updating IP addresses and DNS names. | Started | Automatic | Local System
Distributed Link Tracking Client | Maintains links between NTFS files within a computer or across computers in a network domain. | Started | Automatic | Local System
Distributed Transaction Coordinator | Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems. If this service is stopped, these transactions will not occur. If this service is disabled, any services that explicitly depend on it will fail to start. | | Manual | Local System
DNS Client | Resolves and caches Domain Name System (DNS) names for this computer. If this service is stopped, this computer will not be able to resolve DNS names and locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start. | Started | Automatic | Network Service
Error Reporting Service | Allows error reporting for services and applications running in non-standard environments. | Started | Automatic | Local System
Event Log | Enables event log messages issued by Windows-based programs and components to be viewed in Event Viewer. This service cannot be stopped. | Started | Automatic | Local System
Fast User Switching Compatibility | Provides management for applications that require assistance in a multiple user environment. | | Manual | Local System
FireBird Database Server | Firebird Database Server | | Disabled | Local System
Help and Support | Enables Help and Support Center to run on this computer. If this service is stopped, Help and Support Center will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. | Started | Automatic | Local System
Human Interface Device Access | Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices. If this service is stopped, hot buttons controlled by this service will no longer function. If this service is disabled, any services that explicitly depend on it will fail to start. | | Disabled | Local System
IBM PM Service | | | Disabled | Local System
IMAPI CD-Burning COM Service | Manages CD recording using Image Mastering Applications Programming Interface (IMAPI). If this service is stopped, this computer will be unable to record CDs. If this service is disabled, any services that explicitly depend on it will fail to start. | | Manual | Local System
Indexing Service | Indexes contents and properties of files on local and remote computers; provides rapid access to files through flexible querying language. | | Manual | Local System
Infrared Monitor | Supports infrared devices installed on the computer and detects other devices that are in range. | Started | Automatic | Local System
InstallDriver Table Manager | Provides support for the Running Object Table for InstallShield Drivers | | Manual | Local System
InterBase Guardian | Ensures that the Firebird Database Server service is running. | | Disabled | Local System
Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) | Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. | | Automatic | Local System
iPodService | iPod hardware management services | Started | Manual | Local System
IPSEC Services | Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver. | Started | Automatic | Local System
Logical Disk Manager | Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration. If this service is stopped, dynamic disk status and configuration information may become out of date. If this service is disabled, any services that explicitly depend on it will fail to start. | | Manual | Local System
Logical Disk Manager Administrative Service | Configures hard disk drives and volumes. The service only runs for configuration processes and then stops. | | Manual | Local System
Messenger | Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger. If this service is stopped, Alerter messages will not be transmitted. If this service is disabled, any services that explicitly depend on it will fail to start. | | Disabled | Local System
MS Software Shadow Copy Provider | Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this service is stopped, software-based volume shadow copies cannot be managed. If this service is disabled, any services that explicitly depend on it will fail to start. | | Manual | Local System
Net Logon | Supports pass-through authentication of account logon events for computers in a domain. | | Manual | Local System
NetMeeting Remote Desktop Sharing | Enables an authorized user to access this computer remotely by using NetMeeting over a corporate intranet. If this service is stopped, remote desktop sharing will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. | | Manual | Local System
Network Connections | Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections. | Started | Manual | Local System
Network DDE | Provides network transport and security for Dynamic Data Exchange (DDE) for programs running on the same computer or on different computers. If this service is stopped, DDE transport and security will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. | | Manual | Local System
Network DDE DSDM | Manages Dynamic Data Exchange (DDE) network shares. If this service is stopped, DDE network shares will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. | | Manual | Local System
Network Location Awareness (NLA) | Collects and stores network configuration and location information, and notifies applications when this information changes. | Started | Manual | Local System
Norton AntiVirus Client | | Started | Automatic | Local System
NT LM Security Support Provider | Provides security to remote procedure call (RPC) programs that use transports other than named pipes. | | Manual | Local System
Office Source Engine | Saves installation files used for updates and repairs and is required for the downloading of Setup updates and Watson error reports. | | Manual | Local System
Performance Logs and Alerts | Collects performance data from local or remote computers based on preconfigured schedule parameters, then writes the data to a log or triggers an alert. If this service is stopped, performance information will not be collected. If this service is disabled, any services that explicitly depend on it will fail to start. | | Manual | Network Service
PLSRemote Service | | | Disabled | Local System
Plug and Play | Enables a computer to recognize and adapt to hardware changes with little or no user input. Stopping or disabling this service will result in system instability. | Started | Automatic | Local System
Portable Media Serial Number Service | Retrieves the serial number of any portable media player connected to this computer. If this service is stopped, protected content might not be downloaded to the device. | | Manual | Local System
Print Spooler | Loads files to memory for later printing. | Started | Automatic | Local System
Protected Storage | Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users. | Started | Automatic | Local System
QCONSVC | | | Disabled | Local System
QoS RSVP | Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets. | | Manual | Local System
Remote Access Auto Connection Manager | Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address. | | Manual | Local System
Remote Access Connection Manager | Creates a network connection. | Started | Manual | Local System
Remote Desktop Help Session Manager | Manages and controls Remote Assistance. If this service is stopped, Remote Assistance will be unavailable. Before stopping this service, see the Dependencies tab of the Properties dialog box. | | Manual | Local System
Remote Procedure Call (RPC) | Provides the endpoint mapper and other miscellaneous RPC services. | Started | Automatic | Local System
Remote Procedure Call (RPC) Locator | Manages the RPC name service database. | | Manual | Network Service
Remote Registry | Enables remote users to modify registry settings on this computer. If this service is stopped, the registry can be modified only by users on this computer. If this service is disabled, any services that explicitly depend on it will fail to start. | Started | Automatic | Local Service
Removable Storage | | | Manual | Local System
Routing and Remote Access | Offers routing services to businesses in local area and wide area network environments. | | Disabled | Local System
Secondary Logon | Enables starting processes under alternate credentials. If this service is stopped, this type of logon access will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. | Started | Automatic | Local System
Security Accounts Manager | Stores security information for local user accounts. | Started | Automatic | Local System
Server | Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. | Started | Automatic | Local System
Shell Hardware Detection | | | Disabled | Local System
Smart Card | Manages access to smart cards read by this computer. If this service is stopped, this computer will be unable to read smart cards. If this service is disabled, any services that explicitly depend on it will fail to start. | | Manual | Local Service
Smart Card Helper | Enables support for legacy non-plug and play smart-card readers used by this computer. If this service is stopped, this computer will not support legacy reader. If this service is disabled, any services that explicitly depend on it will fail to start. | | Manual | Local Service
SSDP Discovery Service | Enables discovery of UPnP devices on your home network. | Started | Manual | Local Service
System Event Notification | Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events. | Started | Automatic | Local System
System Restore Service | Performs system restore functions. To stop service, turn off System Restore from the System Restore tab in My Computer->Properties | Started | Automatic | Local System
Task Scheduler | Enables a user to configure and schedule automated tasks on this computer. If this service is stopped, these tasks will not be run at their scheduled times. If this service is disabled, any services that explicitly depend on it will fail to start. | Started | Automatic | Local System
TCP/IP NetBIOS Helper | Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution. | Started | Automatic | Local Service
Telephony | Provides Telephony API (TAPI) support for programs that control telephony devices and IP based voice connections on the local computer and, through the LAN, on servers that are also running the service. | Started | Manual | Local System
Telnet | Enables a remote user to log on to this computer and run programs, and supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers. If this service is stopped, remote user access to programs might be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. | | Disabled | Local System
Terminal Services | Allows multiple users to be connected interactively to a machine as well as the display of desktops and applications to remote computers. The underpinning of Remote Desktop (including RD for Administrators), Fast User Switching, Remote Assistance, and Terminal Server. | Started | Manual | Local System
Themes | Provides user experience theme management. | Started | Automatic | Local System
Uninterruptible Power Supply | Manages an uninterruptible power supply (UPS) connected to the computer. | | Manual | Local Service
Universal Plug and Play Device Host | Provides support to host Universal Plug and Play devices. | | Manual | Local Service
Upload Manager | Manages synchronous and asynchronous file transfers between clients and servers on the network. If this service is stopped, synchronous and asynchronous file transfers between clients and servers on the network will not occur. If this service is disabled, any services that explicitly depend on it will fail to start. | Started | Automatic | Local System
Volume Shadow Copy | Manages and implements Volume Shadow Copies used for backup and other purposes. If this service is stopped, shadow copies will be unavailable for backup and the backup may fail. If this service is disabled, any services that explicitly depend on it will fail to start. | | Manual | Local System
WebClient | Enables Windows-based programs to create, access, and modify Internet-based files. If this service is stopped, these functions will not be available. If this service is disabled, any services that explicitly depend on it will fail to start. | Started | Automatic | Local Service
Windows Audio | Manages audio devices for Windows-based programs. If this service is stopped, audio devices and effects will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. | Started | Automatic | Local System
Windows Image Acquisition (WIA) | Provides image acquisition services for scanners and cameras. | Started | Automatic | Local System
Windows Installer | Installs, repairs and removes software according to instructions contained in .MSI files. | | Manual | Local System
Windows Management Instrumentation | Provides a common interface and object model to access management information about operating system, devices, applications and services. If this service is stopped, most Windows-based software will not function properly. If this service is disabled, any services that explicitly depend on it will fail to start. | Started | Automatic | Local System
Windows Management Instrumentation Driver Extensions | Provides systems management information to and from drivers. | | Manual | Local System
Windows Time | Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. | Started | Automatic | Local System
Windows User Mode Driver Framework | Enables Windows user mode drivers. | Started | Automatic | Local Service
Wireless Zero Configuration | Provides automatic configuration for the 802.11 adapters | Started | Automatic | Local System
WMI Performance Adapter | Provides performance library information from WMI HiPerf providers. | Started | Manual | Local System
Workstation | Creates and maintains client network connections to remote servers. If this service is stopped, these connections will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start. | Started | Automatic | Local System


Any ideas? Thanks again for all of your help!!!!

pskelley
2006-05-11, 18:32
O23 - Service: Network Security Service
(%AF夶À¨) - Unknown owner -
C:\WINDOWS\ntcf32.exe (file missing)

Nope, I could not say which it is from here. CastleCops, when searched for Network Security Service here: http://castlecops.com/O23.html
returns these two possible items. I have never seen a situation where the item was running in services and not listed in services.
Network Security Service X random CoolWebSearch res:// variant
Network Security Service (NSS) X random CoolWebSearch res:// variant

May I ask a question? How did this computer get this messed up? Try to get rid of the Qoologic trojan, and if you can't figure out how to delete that service, maybe we can kill the file associated with it later?
C:\WINDOWS\ntcf32.exe

Just so you know, there are no "ground" rules for doing this repair. I have a few tools to work with, the rest is from the gut.

Thanks...

pskelley
2006-05-11, 18:44
You can try this:

Click Start > Run, type cmd into the Open editbox and click the Ok button.
Copy/paste the line below into the Command Prompt window and press the Enter key: sc delete Network Security Service
Close the Command Prompt window

Let me know what answer you get when you try this...Thanks

bogusbogus32
2006-05-11, 20:17
I have no idea how this computer got so messed up...I did a Google search and clicked on the first results page and my Norton popped up and said a trojan was detected and then about 15 web windows opened before the computer locked up...upon restart, I knew I had some problems...it's a laptop that I haven't been using as often (no excuse, but that's why I don't have SP2 on it)...I tried the cmd command with no luck...I'll work on the Qoologic Trojan instructions and report back...Thanks!

bogusbogus32
2006-05-11, 21:12
Alright...looks like I'm making some progress...maybe??? :)

Logfile of HijackThis v1.99.1
Scan saved at 3:08:59 PM, on 5/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\windows\system32\dsreg.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\windows\defender1.exe
C:\WINDOWS\System32\mwinnag.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [{93-33-3B-BC-ZN}] C:\windows\system32\dsreg.exe CORN004
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [defender] C:\windows\defender1.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\mwinnag.exe CORN004
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [Zcqjehop] C:\Documents and Settings\User\My Documents\??stem32\dllhost.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [USPTO Direct Recovery] "C:\Program Files\USPTO\etdirrcv.exe"
O4 - HKCU\..\Run: [uouq] C:\PROGRA~1\COMMON~1\uouq\uouqm.exe
O4 - HKCU\..\Run: [Uahe] "C:\PROGRA~1\STEM~1\ati2evxx.exe" -vt yazr
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\mwinnag.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.cnn.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.cnn.com
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTSInstallers/MetaStream3.cab
O16 - DPF: {26BFFB87-5B07-4611-82BB-AF3947013FDD} (DAPCtl Class) - http://www.lexis.com/dl/IEDAP.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138402863458
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://66.147.8.11/TSWEB/msrdp.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.napster.com/client/isetup.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9C134253-E8A3-4759-9F98-302B7981922E} (MaxViewer Class) - http://support.scansoft.com/pp/files/np_max.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Aluria Spyware Eliminator Service (ASEService) - Unknown owner - C:\PROGRA~1\ALURIA~1\ASE\ASEServ.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Any suggestions from here? Thanks again-

Neil

bogusbogus32
2006-05-11, 21:14
Sorry- forgot to say that the log was created after I followed the Qoologic Trojan instructions you gave me...

pskelley
2006-05-11, 22:23
Sorry- forgot to say that the log was created after I followed the Qoologic Trojan instructions you gave me...

Anytime you complete a procedure, always restart the computer to make sure it takes effect...

Logfile of HijackThis v1.99.1 Scan saved at 3:08:59 PM, on 5/11/2006

I do not see Surfsidekick either? We may run the tool just to be sure. I want to make a run through with ewido and HJT to see where we are. I am not 100% sure about this one:
C:\windows\system32\dsreg.exe, but I believe it is bad. If you know it or want to check it first, use these free online scans:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/flash/index_en.html

I don't think I will remove anything valid, but should you see something you know is not bad, please ignore the instructions and make me aware.

1) First I want to remove this: O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
Look again in Add Remove programs for New.Net; if it is there, uninstall it. Next, look at these instructions: http://www.newdotnet.com/removal.html << those instructions are supposed to remove it. We will check again in C:\Program Files\ later.

2) ewido scan:
Please download Ewido Security Suite (http://www.ewido.net/en/download/); it is a trial version of the program.
Install ewido security suite
Launch ewido; there should be an icon on your desktop, double-click it.
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Then click on Start Update
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido.
Ewido manual updates (http://www.ewido.net/en/download/updates/)

Once the updates are installed do the following:
Click on scanner
Click on Complete System Scan and the scan will begin.
NOTE: During some scans with ewido it is finding cases of false positives.**
You will need to step through the process of cleaning files one-by-one.
If ewido detects a file you KNOW to be legitimate, select none as the action.
DO NOT select "Perform action on all infections"
If you are unsure of any entry found select none for now.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop.
Now close ewido security suite.
**(Ewido for example has been flagging parts of AVG Anti-Virus, pcAnywhere and the game "Risk")

(when you fix with HJT it is VIP that nothing else is running at the time. Once you FIX, the process is stopped so you can delete the item; do not reboot before you have deleted the files and folders)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [{93-33-3B-BC-ZN}] C:\windows\system32\dsreg.exe CORN004
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [defender] C:\windows\defender1.exe
O4 - HKLM\..\Run: C:\WINDOWS\System32\mwinnag.exe CORN004
O4 - HKCU\..\Run: [uouq] C:\PROGRA~1\COMMON~1\uouq\uouqm.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\mwinnag.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - https://components.viewpoint.com/MTS...etaStream3.cab

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Make sure hidden files and folders is still enabled.

RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\WINDOWS\ntcf32.exe <<< file may be gone

C:\windows\defender1.exe <<< file

C:\windows\system32\dsreg.exe <<< file

C:\WINDOWS\system32\dwdsregt.exe <<< file

C:\WINDOWS\System32\mwinnag.exe <<< file

C:\PROGRAM FILES~1\NEWDOT~1\ <<< delete the folder if there

C:\PROGRAM FILES~1\COMMON FILES~1\uouq\ <<< delete the folder

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications. When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do.

Restart the computer and post the ewido scan results and a new HJT log, please include your comments.

Thanks...Phil

Neil, I am not sure about this one; look at the link, is it valid? If you have no idea what it is, then remove the line with HJT and go straight to the folder in My Documents and delete it. I will highlight that folder in red.
O4 - HKCU\..\Run: [Zcqjehop] C:\Documents and Settings\User\My Documents\??stem32\dllhost.exe
http://castlecops.com/startuplist-1326.html
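The checks the helper above makes by eye on the O4 and O23 lines (a service whose file is missing, an autostart key that only looks like a GUID, a path HijackThis could not print, a loose executable in the Windows root, rundll32 loading a DLL through a short name) can be scripted over a HijackThis log. This is an added example, not code from the forum or from HijackThis; the sample lines are constructed from the patterns quoted in this thread, and the heuristics are assumptions for triage, not HijackThis's own rules.

```python
"""Triage helper for HijackThis v1.99.1-style log lines (added example)."""
import re
from typing import List, Tuple

# Constructed sample, modelled on the O4/O23 lines quoted in this thread.
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [{93-33-3B-BC-ZN}] C:\windows\system32\dsreg.exe CORN004
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [defender] C:\windows\defender1.exe
O4 - HKCU\..\Run: [Zcqjehop] C:\Documents and Settings\User\My Documents\??stem32\dllhost.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\mwinnag.exe
O23 - Service: Network Security Service (%AF) - Unknown owner - C:\WINDOWS\ntcf32.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

# Line shapes as HijackThis prints them (assumed from the lines in this thread).
O4_RUN = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O4_STARTUP = re.compile(r'^O4 - (?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.*)$')
O23 = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - '
                 r'(?P<path>.+?)(?P<missing> \(file missing\))?$')
# A real registry GUID; keys like {93-33-3B-BC-ZN} imitate one without matching.
GUID_RE = re.compile(r'^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$')


def executable_of(cmd: str) -> str:
    """Return the program path from a Run value (quoted or bare), dropping arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Optional rundll32 prefix, then the first module path, then args after space/comma.
    m = re.match(r'^(?:rundll32(?:\.exe)?\s+)?(.+?\.(?:exe|dll|ocx|com))(?:[\s,].*)?$',
                 cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage(line: str) -> List[str]:
    """Return the reasons (possibly none) why one log line deserves a closer look."""
    reasons: List[str] = []
    m = O4_RUN.match(line) or O4_STARTUP.match(line)
    if m:
        name, cmd = m.group('name'), m.group('cmd')
        exe = executable_of(cmd)
        low = exe.lower()
        if name.startswith('{') and not GUID_RE.match(name):
            reasons.append('autostart key looks like a GUID but is not one')
        if '?' in exe:
            reasons.append('path contains characters HijackThis could not print')
        if re.match(r'^[a-z]:\\windows\\[^\\]+\.exe$', low):
            reasons.append('loose executable directly under the Windows directory')
        if cmd.lower().startswith('rundll32') and '~' in exe:
            reasons.append('rundll32 loads a DLL through an 8.3 short path')
        # Heuristic taken from this thread: legitimate Startup-folder shortcuts
        # pointed into Program Files, the bad ones at bare system32 executables.
        if m.re is O4_STARTUP and re.match(r'^[a-z]:\\windows\\system32\\[^\\]+\.exe$', low):
            reasons.append('Startup-folder shortcut targets a bare system32 executable')
        return reasons
    m = O23.match(line)
    if m:
        if m.group('missing'):
            reasons.append('service points at a binary that is not on disk')
        if m.group('owner') == 'Unknown owner':
            reasons.append('no publisher recorded for the service binary')
    return reasons


def triage_log(text: str) -> List[Tuple[str, List[str]]]:
    """Run triage() over a whole log and keep only the lines with findings."""
    findings = []
    for line in text.splitlines():
        reasons = triage(line.rstrip())
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == '__main__':
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print('    ->', r)
```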

bogusbogus32
2006-05-12, 00:29
First, access to C:\windows\system32\dsreg.exe was denied because the file is write-protected or in use...not sure if there is another way to get rid of it?

1) Followed the procedure outlined on the new.net link you provided and believe I got it off the system.

2) ran ewido and saved log (results below)...

3) deleted the items that I could but the following were not present:
O4 - HKLM\..\Run: [{93-33-3B-BC-ZN}] C:\windows\system32\dsreg.exe CORN004
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [defender] C:\windows\defender1.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\System32\mwinnag.exe CORN004

Also couldn't delete:

C:\windows\defender1.exe <<< file
C:\windows\system32\dsreg.exe <<< file
C:\WINDOWS\system32\dwdsregt.exe <<< file
C:\WINDOWS\System32\mwinnag.exe <<< file
C:\PROGRAM FILES~1\NEWDOT~1\ <<< delete the folder if there

Also ran CCleaner...restarted and still got blue screen background but no more internet access errors...we must be doing something right!

Here are the logs...

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:56:32 PM, 5/11/2006
+ Report-Checksum: B2C5286A

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{063D279E-A38A-A210-36D9-149D77FEE32B} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0BC0C15E-A3A4-2929-0D83-D74D6EAC8BCE} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0C3C97D9-21C6-B33B-3429-B59624FD263F} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0E21F25B-0D5F-DB07-A23E-096542875F23} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0F0643E6-66C9-84AC-D29E-41B9B31BF9E6} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{10F4FEF3-124A-04CB-EABB-4BBE0F286420} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{1232CBB6-BC91-7F26-4FD6-0DCBB322B11B} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{13A2116E-7814-F785-6CAA-DE907E738C95} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{15E5E5EB-E087-EF0F-B31A-9BD0E10CEB7B} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{182318D0-C69A-F785-8040-72D18DFA96ED} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{1BB4CE90-C234-B915-6794-BF69BF52374F} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{1C5FE92B-D6A5-2B56-D796-580344D5766A} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{1EC1181B-9D9C-9EF2-34F9-C5969FAF249A} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{1F77B61D-BE6B-566C-C734-47786D31C70C} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{1F7B837E-CC0C-8A77-DD3C-43144BEFEB4B} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2064E201-B91E-DC74-D511-E69F03709EF1} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2285B198-6B1E-F3E9-EDB0-C1211C68788F} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{24FC655B-81EC-FEB9-56AA-B6D3DD9EFE0F} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{27902602-F509-C3BD-CE8C-D07D8236CB6F} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2843DBFB-EF1A-9CD0-8BD8-6C594E3D26F7} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2FBFD3DB-44BC-5682-6544-30AA6B08CA27} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{35389AF8-6A8A-5D1C-5906-E5ADD61260FF} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{366E0B65-177E-A5CE-CE8A-915119A012E0} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{36E15370-5FD0-D1EC-3368-C6A73C8F506F} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3804F78A-088D-A205-618F-0B63DFE0A978} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3A6D4A75-035C-3482-B127-1A32586AA762} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3B905E87-A740-AA37-B797-EC359ECDC866} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3BAC722D-3B91-92A8-0FE9-3C20566A242D} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{3C710F32-B7B9-3D1C-F77C-C00E8B0709CE} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{41DF9B90-2AEA-7FE8-65F2-AC393F1D4CDE} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{45801EA8-DEC5-6EE5-3993-E3BBE16B429D} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{463DCF53-DDAA-350C-CE7E-F4E459940897} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{46F6B9DE-ADD7-1BA7-6004-DD50BAA263AD} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{49B2AC5F-DF52-2AA0-9B7C-1E928535C509} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{4BEAA19D-FD26-85FF-512E-68F2589DCBD9} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{4C655FF5-ADE9-993B-D264-4A953711C70F} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{4CC6CC42-FF1A-21FF-44C8-057155DB2D9E} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{4D7905A0-AC93-1A00-5A20-4D4A78C7147C} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{55ADBD91-CDE2-EACB-AB9C-740E22B33F39} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{55B9BF74-5683-BABA-EBB1-63E94A1461AE} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{55DEE593-7909-3450-F015-41F3C20541E8} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{5677AB6A-2934-E737-F233-AF849B02D48F} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{5846232C-DAB1-2538-1DC5-1F5122BAEDA5} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{58D62BAA-D313-4513-41F0-A0F711964CDA} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{5A3D985D-E7F0-92FD-318F-8930CFEB6D7E} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{5DB4FA6D-8DF7-FEDD-6004-A7710DCAC5DE} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{5DFA69DD-9627-184B-9E20-AF90B8476199} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{5E72CEE7-CBA9-6EA8-6BD5-672ABB5AF46C} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{5F07395A-D985-8E7F-592F-1318F18930CF} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{62AD18D3-C547-2D83-CC5E-FB41D08A4A94} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{661D27AD-F83F-7A95-B9E0-2A6BF8DF71DD} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{66260056-2148-6DE9-3455-29A729B353AC} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6982F8EB-30D8-8961-789D-1F285B499CAE} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{6F61BA9A-5EA1-7903-5454-DCA081431490} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{72D633DF-F78E-4CB0-8219-60FA41D1EFE7} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{750D819B-C42A-52D5-544D-4FC6AC8B42B6} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{75F5430C-E345-B100-0404-9A0E1421E0A7} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7630AB6D-5BE6-C0AF-EE74-55DA8F18C91C} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{766D2566-60FD-10F1-92DB-18BB4F8AF267} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{768510DB-4B3E-B9C1-962A-3FE96793A206} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{789B3E43-9906-36FD-7592-A738BC588C2E} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7A962851-6247-10A7-D229-F24119B7ADA4} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{7A97DD77-2070-7617-3461-0E4D0FF7624D} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{83F201E9-1F75-B6CA-F4E3-1CC6772CE64F} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{844C92A6-0C06-92FC-EAF4-4284757212F7} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8BFBA35A-44BF-8A46-263F-78430DC93768} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8D5677A8-8EC4-A206-E11B-F72C0B1F7287} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{907B55AA-EFD4-7FFC-2B65-F6817EFA2EE5} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{96785FEA-27CE-FD6E-78D5-597084514605} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{96EA022B-F1A2-2067-EB8F-A2D6BD908848} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9D6F8B9B-A1BF-04D6-7AEB-05E88E0F0FC8} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A19B27CF-5741-F8BA-D784-95739AD24FF8} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A423E337-BECF-0E13-7DFB-41C986ABFC8C} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A47B3009-DB35-BE2B-D263-A0DEE154022D} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A722E47E-6445-3DBE-C16A-507FF75F2F76} -> Adware.CoolWebSearch : Cleaned with backup

cont.

bogusbogus32
2006-05-12, 00:30
HKLM\SOFTWARE\Classes\CLSID\{A7645119-F00A-1BA7-F81E-7869B84230E7} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{A99405BA-AF4A-BF04-C214-4D79E397CC0E} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{AEAD1223-41F1-C0B4-93A5-A2341D629403} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{AF5FDECD-1ED9-A1EC-D3B8-8211759346FD} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B028772F-F7AE-A0D0-C7F2-9284558A6817} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B276EC6C-89A5-FD6F-9149-86F8F80C0D92} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B33992AC-35C1-9AB0-9283-26C5A016D77A} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B4A50848-307B-3898-1084-E41C9683A0F3} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B4F8C4E0-F516-5DEF-B102-AAF1ADBCBB04} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B834AC8E-CE65-3392-D7DF-86057DA73721} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BAC97FD6-988F-B852-8955-5E97D09318F5} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BD56529E-6F6C-5962-2404-C183F261B848} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BEB8A8DE-743E-9BF5-DBA7-230CFF21DEDA} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BFB065A2-4F3C-61BB-4A5B-FA6D452D3EAC} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C115092F-2E39-2B1E-C8F3-EA0064E09088} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C500B6E9-8A37-3168-2346-44B58FB04FA8} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{C735DFCD-3D4B-8418-3259-FEFF19B5A02F} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D02FD285-78D4-2369-CA17-092C21D1BC0E} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D23166CF-6072-71EA-2EDB-6FE0AE95942D} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D58CC2B4-EB82-B5B9-733C-C5EBB3479058} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D8044D91-A88E-8AF1-9321-849D547AAE8C} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D9AA0B45-D4FD-7AED-3EAA-679FA1487A31} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D9E403FE-9154-878A-7820-16B2AF6C9AEE} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{DE079EE1-4832-0FCF-D271-63C4F44779FB} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{DF8DC720-C801-B797-0314-C957735C5F60} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E1C3C5B8-DB64-9214-3152-74004E9FCB93} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E2D81C8A-0989-432C-6EE3-B33955DCC400} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E38DE852-B004-EC2F-4CA9-D02D77E391C6} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E4D02D4D-F4CA-5C75-BF5E-2EB5899148E7} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E7CE8BF6-99C9-789F-291B-FDF539AB5062} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{E8D62ACA-CF32-E7DB-57E6-D6B08BECF4C9} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{EFF80E42-AC7D-BE18-E98A-B6EDE16CC5AB} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F2572CB5-8987-A970-4E3C-3C7679029FDC} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F3A0E4F7-5A26-16D7-F285-82AF755C81E0} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F6BCAEA7-7910-C92B-BD7B-CADE109FB093} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{F9C21EE5-0B52-5C0D-94D1-BCB6EAA4CD99} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FD064786-0540-EDEF-EB58-211A5DA521D0} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FD93A6CA-5B7B-199D-F228-FCAC0ADAFD02} -> Adware.CoolWebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{FEFEC367-0557-50DA-92D8-EFF9A710070B} -> Adware.CoolWebSearch : Cleaned with backup
[1000] C:\windows\system32\dsreg.exe -> Adware.ZenoSearch : Cleaned with backup

cont.

bogusbogus32
2006-05-12, 00:31
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 5:56:32 PM, 5/11/2006
+ Report-Checksum: B2C5286A

+ Scan result:

[1148] C:\windows\defender1.exe -> Hijacker.VB.ly : Cleaned with backup
[1152] C:\WINDOWS\System32\mwinnag.exe -> Adware.ZenoSearch : Cleaned with backup
C:\defender1.exe -> Hijacker.VB.ly : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
:mozilla.15:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\g6owx81e.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.23:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\g6owx81e.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.24:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\g6owx81e.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.25:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\g6owx81e.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.26:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\g6owx81e.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.27:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\g6owx81e.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.28:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\g6owx81e.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.33:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\g6owx81e.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.35:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\g6owx81e.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.36:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\g6owx81e.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.37:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\g6owx81e.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.38:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\g6owx81e.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.39:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\g6owx81e.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.40:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\g6owx81e.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.41:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\g6owx81e.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup
:mozilla.42:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\g6owx81e.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.43:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\g6owx81e.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.44:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\g6owx81e.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.45:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\g6owx81e.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup
:mozilla.52:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\g6owx81e.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup
:mozilla.91:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\g6owx81e.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup
:mozilla.94:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\g6owx81e.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.95:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\g6owx81e.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.97:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\g6owx81e.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.101:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\g6owx81e.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.102:C:\Documents and Settings\User\Application Data\Mozilla\Firefox\Profiles\g6owx81e.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup


cont.

bogusbogus32
2006-05-12, 00:36
Sorry... I've apparently been posting the same section the past two threads... here's the last part... let me know if you need more of the ewido.

C:\WINDOWS\1024 x 768 IBM Americas Map.bmp:igcdi -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\1280 x 1024 IBM Americas Map.bmp:qacrh -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\1280 x 1024 IBM Americas Map.bmp:vgejz -> Downloader.Agent.al : Cleaned with backup
C:\WINDOWS\1400 x 1050 IBM Americas Map.bmp:nbacr -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\1400 x 1050 IBM Americas Map.bmp:tzdyg -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\1400 x 1050 IBM Americas Map.bmp:zadnd -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\800 x 600 IBM Americas Map.bmp:ulhjh -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\addqx32.dll -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\addqz32.dll:rmpoj -> Downloader.Agent.al : Cleaned with backup
C:\WINDOWS\addqz32.dll -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\agrsmdel.exe:zwjaa -> Downloader.WinShow.ak : Cleaned with backup
C:\WINDOWS\AGRSMMSG.exe:pomvh -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\ahigok.dat -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\aibmrun.exe:oacun -> Downloader.WinShow.ak : Cleaned with backup
C:\WINDOWS\aibmrun.exe:qoixz -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\atlai.dll:chjwp -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\atlai.dll:ifzde -> Downloader.Agent.al : Cleaned with backup
C:\WINDOWS\atlai.dll -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\atlkp32.dll -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\bootstat.dat:wkjtv -> Downloader.WinShow.ak : Cleaned with backup
C:\WINDOWS\cdgxlu.dat:fdatc -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\cdgxlu.dat:ugaew -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\cdgxlu.dat -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\Coffee Bean.bmp:akfqz -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\comsetup.log:ozrej -> Downloader.Agent.al : Cleaned with backup
C:\WINDOWS\d3sq.dll:qocnl -> Downloader.Agent.al : Cleaned with backup
C:\WINDOWS\d3sq.dll -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\dahotfix.log:jueio -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\defender1.exe -> Hijacker.VB.ly : Cleaned with backup
C:\WINDOWS\DtcInstall.log:qtyml -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\FaxSetup.log:rzhwa -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\FeatherTexture.bmp:gtfhe -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\FileNamesinQueue.ini:kfrfi -> Downloader.WinShow.ak : Cleaned with backup
C:\WINDOWS\FileNamesinQueue.ini:nqoya -> Downloader.WinShow.ak : Cleaned with backup
C:\WINDOWS\FileNamesinQueue.ini:oidbk -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\hh.exe:bsjos -> Downloader.WinShow.ak : Cleaned with backup
C:\WINDOWS\iepz32.exe:hoqvo -> Downloader.WinShow.ak : Cleaned with backup
C:\WINDOWS\iepz32.exe -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\intuprof.ini:mqjuc -> Downloader.Agent.al : Cleaned with backup
C:\WINDOWS\INTURS.DAT:foxcx -> Downloader.WinShow.u : Cleaned with backup
C:\WINDOWS\iple32.dll -> Downloader.Agent.al : Cleaned with backup
C:\WINDOWS\jautoexp.dat:yjzir -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\javanf.exe -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\KB823182.log:chstm -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\KB823559.log:txbcr -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\KB824105.log:roaci -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\KB824141.log:jtbvz -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\KB826939.log:pczdk -> Downloader.Agent.al : Cleaned with backup
C:\WINDOWS\KB826939.log:uovpo -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\KB826939.log:xfimn -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\KB828035.log:hlzes -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\KB828741.log:qwcjf -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\KB839643.log:nmjxb -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\KB839643.log:tvotu -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\KB839643.log:vutei -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\KB840374.log:cqmtu -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\KB840374.log:dgepd -> Downloader.Agent.al : Cleaned with backup
C:\WINDOWS\KB840374.log:sptwt -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\maxlink.ini:grjfk -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\maxlink.ini:zqyiw -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\mfcrn32.dll -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\mfcyz32.exe:vgvtm -> Downloader.Agent.al : Cleaned with backup
C:\WINDOWS\mfcyz32.exe -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\msdfmap.ini:ljpda -> Downloader.WinShow.ak : Cleaned with backup
C:\WINDOWS\msmqinst.log:taybf -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\msmqinst.log:vbxyu -> Downloader.WinShow.ak : Cleaned with backup
C:\WINDOWS\msmqinst.log:wullq -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\mspt32.dll:bjtdc -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\mspt32.dll -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\muninst.exe:rxgfo -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\muninst.exe:wckvb -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\netfxocm.log:tnnzx -> Downloader.Agent.al : Cleaned with backup
C:\WINDOWS\NSREX.INI:jqlul -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\NSREX.INI:kignu -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\ntyh.exe:zmybt -> Downloader.Agent.al : Cleaned with backup
C:\WINDOWS\ntyh.exe -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\n_gciffb.dat:yhipx -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\n_gciffb.dat -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\n_hmmyli.dat -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\n_zgtbsh.dat:mneaj -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\n_zgtbsh.dat:rnutd -> Downloader.Agent.al : Cleaned with backup
C:\WINDOWS\n_zgtbsh.dat -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\ocgen.log:luwoj -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\ocmsn.log:muoui -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\ocmsn.log:ofjfp -> Downloader.WinShow.ak : Cleaned with backup
C:\WINDOWS\ocmsn.log:zgymh -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\ODBC.INI:kqsbd -> Downloader.WinShow.ak : Cleaned with backup
C:\WINDOWS\ODBC.INI:svpxr -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\orun32.ini:hhcwf -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\PalmDevC.dll:wwuqn -> Downloader.WinShow.ak : Cleaned with backup
C:\WINDOWS\Prairie Wind.bmp:yokfd -> Downloader.WinShow.ak : Cleaned with backup
C:\WINDOWS\Q323183.log:bgiei -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\Q323255.log:odlam -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\q328345.log:repke -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\Q328979.log:sxtui -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\Q328979.log:urnrp -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\Q329048.log:lifzs -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\Q329170.log:wxemo -> Downloader.WinShow.ak : Cleaned with backup
C:\WINDOWS\Q329390.log:xshnk -> Downloader.Agent.al : Cleaned with backup
C:\WINDOWS\Q329441.log:arnou -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\Q329441.log:cgscb -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\Q329441.log:mstrk -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\Q329441.log:rzdvt -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\Q329581.log:iuymw -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\Q329581.log:patyt -> Downloader.WinShow.ak : Cleaned with backup
C:\WINDOWS\Q329581.log:stytp -> Downloader.WinShow.ak : Cleaned with backup
C:\WINDOWS\Q329581.log:zlkyo -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\Q329692.log:qezue -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\q330512.log:hzlnc -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\Q331953.log:ftktb -> Downloader.WinShow.ak : Cleaned with backup
C:\WINDOWS\Q810577.log:ygaep -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\Q810577.log:yyuyo -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\Q810577.log:ziuhk -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\Q810833.log:trcqv -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\Q811493.log:bidqw -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\Q811630.log:lbkwz -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\Q811630.log:muxic -> Downloader.WinShow.ak : Cleaned with backup
C:\WINDOWS\Q817287.log:urtmq -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\Q817606.log:llieu -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\Q819696.log:mmbwf -> Downloader.Agent.al : Cleaned with backup
C:\WINDOWS\Q819696.log:rspab -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\QUICKEN.INI:okrks -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\qwimp.ini:tnaqy -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\regedit.exe:dhnbw -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\regedit.exe:ptokh -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\regopt.log:jiftg -> Downloader.WinShow.ak : Cleaned with backup
C:\WINDOWS\SchedLgU.Txt:hcgkh -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\sessmgr.setup.log:jdtns -> Downloader.WinShow.ak : Cleaned with backup
C:\WINDOWS\sessmgr.setup.log:tsyxg -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\setuperr.log:qapdk -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\SM1BG.EXE.bak:fvvyu -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\SM1BG.EXE.bak:jlsfg -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\SM1BG.EXE.bak:lbjmi -> Downloader.Agent.al : Cleaned with backup
C:\WINDOWS\smscfg.ini:przca -> Downloader.WinShow.ak : Cleaned with backup
C:\WINDOWS\Sti_Trace.log:lynnd -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\sysbw32.dll -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sysjy.dll -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\sysnj.exe -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\system32\addgp32.dll -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\addjj32.dll -> Downloader.Agent.al : Cleaned with backup
C:\WINDOWS\system32\addnf32.exe -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\system32\apica32.dll -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\apigl32.dll -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\appfq.dll -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\appne.dll -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\appoj.dll -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\appyi.dll -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\atlgn32.exe -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\system32\atljh32.dll -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\atlwl32.dll -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\crvr.exe -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\system32\d3kg.dll -> Downloader.Agent.al : Cleaned with backup
C:\WINDOWS\system32\dsreg.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\dwdsregt.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\guard.tmp_tobedeleted -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ipdh.exe -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\system32\javajq32.dll -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\mfclx32.dll -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\mswa32.dll -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\mwinnag.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\netel.dll -> Downloader.Agent.al : Cleaned with backup
C:\WINDOWS\system32\netuv.dll -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\ntlq32.dll -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\PLSRemote.exe -> Not-A-Virus.RemoteAdmin.Win32.PLSRemot : Cleaned with backup
C:\WINDOWS\system32\ppdsregk.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\rwinqqaf.exe -> Adware.ZenoSearch : Cleaned with backup
C:\WINDOWS\system32\sdksq32.dll -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\sdkyq32.dll -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\system32\syshl32.dll -> Downloader.Agent.al : Cleaned with backup
C:\WINDOWS\system32\winzt.dll -> Downloader.Agent.al : Cleaned with backup
C:\WINDOWS\tabletoc.log:xynxs -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\twain.dll:zmdcf -> Downloader.Agent.al : Cleaned with backup
C:\WINDOWS\twain_32.dll:emday -> Downloader.WinShow.ak : Cleaned with backup
C:\WINDOWS\unwise.ini:aegax -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\unwise32.exe:djegt -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\unwise32.exe:msydo -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\vb.ini:kumbs -> Downloader.WinShow.ak : Cleaned with backup
C:\WINDOWS\vbaddin.ini:rutqx -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\visfx500.exe -> Dropper.Agent.aie : Cleaned with backup
C:\WINDOWS\vmmreg32.dll:dvhav -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\vpc32.INI:eujym -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\vpc32.INI:rtgfo -> Downloader.Agent.al : Cleaned with backup
C:\WINDOWS\wiaservc.log:czrfg -> Downloader.WinShow.ak : Cleaned with backup
C:\WINDOWS\Windows Update.log:ndklt -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\winhelp.exe:jzxwc -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\WININIT.INI:zfesl -> Downloader.WinShow.ak : Cleaned with backup
C:\WINDOWS\winnt.bmp:homct -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\winnt.bmp:rbhwa -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\winyg.dll -> Downloader.Agent.bq : Cleaned with backup
C:\WINDOWS\WIPO_up.ini:tyqne -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\wmsetup.log:bveyf -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\wmsetup.log:ksojd -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\WMSysPrx.prx:uzzfr -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\xpsp1hfm.log:fhvmu -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\Zapotec.bmp:orgyi -> Downloader.Agent.ap : Cleaned with backup
C:\WINDOWS\_default.pif:pnjxo -> Downloader.Agent.ap : Cleaned with backup
C:\ZICORN004.exe -> Adware.ZenoSearch : Cleaned with backup


::Report End

bogusbogus32
2006-05-12, 00:37
Logfile of HijackThis v1.99.1
Scan saved at 6:22:48 PM, on 5/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [USPTO Direct Recovery] "C:\Program Files\USPTO\etdirrcv.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.cnn.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.cnn.com
O16 - DPF: {26BFFB87-5B07-4611-82BB-AF3947013FDD} (DAPCtl Class) - http://www.lexis.com/dl/IEDAP.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138402863458
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://66.147.8.11/TSWEB/msrdp.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.napster.com/client/isetup.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9C134253-E8A3-4759-9F98-302B7981922E} (MaxViewer Class) - http://support.scansoft.com/pp/files/np_max.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Aluria Spyware Eliminator Service (ASEService) - Unknown owner - C:\PROGRA~1\ALURIA~1\ASE\ASEServ.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

pskelley
2006-05-12, 01:28
I will skip your comments and return to them after we discuss the logs and see what is left to do.

ewido anti-malware - Scan report Created on: 5:56:32 PM, 5/11/2006
You can see all of the CoolWebSearch junk that CWShredder was supposed to remove. Something happened in the way that was run and I am hoping ewido got it all. We will run it again in safe mode to be sure, but it is so obvious you had a bad CWS infection also.
Right at this point it looks like ewido was able to remove what it found. I have links to show you how to control those cookies if you wish. I also have no objections to you editing your name out of the ewido report.

Logfile of HijackThis v1.99.1 Scan saved at 6:22:48 PM, on 5/11/2006
This log appears to be clean of malware. How is this computer running now?
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is going to slow you down a little, as will Prefetch until it repopulates. You can turn ewido off now or enjoy the benefits of the realtime protection for the trial period, but it does use some resources. This is your call, and you can disable it in services when you wish, then keep and update the scanner if you wish; that is free. My canned:
ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

Do this now to make sure none of that junk got in your System Restore files.
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot, then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

Now to your comments: for all programs that are running, good or bad, you are going to be prohibited by Windows from changing or deleting them while they are running. Normally just starting in safe mode, when the program is not running, will do it; sometimes you have to do it as an administrator, and yes, we have tools like Killbox and Avenger that can do most anything. It seems to be a moot point as there appears to be no malware in the log.
Understand that HJT is a process manager, and when you remove an item from the HJT log the running process is stopped so you can delete the item. Some are harder than others, but in this case you have done the job.

This is what I would like you to do besides review the information I posted and purge the System Restore files.

1) Restart the computer in safe mode: http://www.bleepingcomputer.com/tutorials/tutorial61.html
Once you are in safe mode, open ewido and do a complete system scan, removing anything located unless you know it is not bad. Save the scan report to post.
Empty your recycle bin and restart the computer to normal mode.

2) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

3) Post the ewido scan report (edit out personal names first), the Add/Remove Programs list, and this time I need your comments. How is the computer running, what more do we need to do? Any error messages "word for word". Keep in mind this was one sick computer and we were none too gentle as we ripped some of the nasties out. Now is the time to look at your maintenance routines: scan disk, defrag, etc.

Thanks...Phil

bogusbogus32
2006-05-12, 15:06
Good morning Phil!

Sorry I couldn't finish this up last night...came in this morning though and found that ewido caught some more junk...the computer seems to be running fine with the exception of right after it starts up, before the icons appear on the desktop, the screen goes completely blue, and once the icons come back, they are surrounded by the blue highlighting...

Here are the logs as you requested...

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:52:03 AM, 5/12/2006
+ Report-Checksum: 723C4B8E

+ Scan result:

C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001275.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001276.exe -> Hijacker.VB.ly : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001277.exe -> Downloader.VB.abj : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001278.EXE -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001279.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001280.dll:rmpoj -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001280.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001281.exe:zwjaa -> Downloader.WinShow.ak : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001282.exe:pomvh -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001283.exe:oacun -> Downloader.WinShow.ak : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001283.exe:qoixz -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001284.dll:chjwp -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001284.dll:ifzde -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001284.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001285.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001286.dll:qocnl -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001286.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001287.ini:kfrfi -> Downloader.WinShow.ak : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001287.ini:nqoya -> Downloader.WinShow.ak : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001287.ini:oidbk -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001288.exe:bsjos -> Downloader.WinShow.ak : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001289.exe:hoqvo -> Downloader.WinShow.ak : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001289.exe -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001290.ini:mqjuc -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001291.dll -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001292.exe -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001293.ini:grjfk -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001293.ini:zqyiw -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001294.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001295.exe:vgvtm -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001295.exe -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001296.ini:ljpda -> Downloader.WinShow.ak : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001297.dll:bjtdc -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001297.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001298.exe:rxgfo -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001298.exe:wckvb -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001299.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001300.INI:jqlul -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001300.INI:kignu -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001301.exe:zmybt -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001301.exe -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001302.INI:kqsbd -> Downloader.WinShow.ak : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001302.INI:svpxr -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001303.ini:hhcwf -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001304.dll:wwuqn -> Downloader.WinShow.ak : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001305.INI:okrks -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001306.ini:tnaqy -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001307.exe:dhnbw -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001307.exe:ptokh -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001308.ini:przca -> Downloader.WinShow.ak : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001309.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001310.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001311.exe -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001312.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001313.dll -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001314.exe -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001315.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001316.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001317.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001318.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001319.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001320.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001321.exe -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001322.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001323.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001324.exe -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001325.dll -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001326.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001327.exe -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001328.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001329.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001330.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001331.dll -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001332.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001333.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001334.exe -> Not-A-Virus.RemoteAdmin.Win32.PLSRemot : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001335.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001336.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001337.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001338.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001339.dll -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001340.dll -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001341.dll:zmdcf -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001342.dll:emday -> Downloader.WinShow.ak : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001343.ini:aegax -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001344.exe:djegt -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001344.exe:msydo -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001345.ini:kumbs -> Downloader.WinShow.ak : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001346.ini:rutqx -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001347.exe -> Dropper.Agent.aie : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001348.dll:dvhav -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001349.INI:eujym -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001349.INI:rtgfo -> Downloader.Agent.al : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001350.exe:jzxwc -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001351.INI:zfesl -> Downloader.WinShow.ak : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001352.dll -> Downloader.Agent.bq : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001353.ini:tyqne -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001354.prx:uzzfr -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001355.pif:pnjxo -> Downloader.Agent.ap : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001356.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001388.exe -> Hijacker.VB.ly : Cleaned with backup
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP2\A0001389.exe -> Adware.ZenoSearch : Cleaned with backup


::Report End

cont.

bogusbogus32
2006-05-12, 15:08
Access IBM
Access IBM Message Center
Access IBM Tools
Ad-Aware SE Personal
Adobe Acrobat 6.0 Standard
Adobe Photoshop 7.0
Agere Systems AC'97 Modem
alm
ATI Control Panel
ATI Display Driver
ATI HydraVision
BroadJump Client Foundation
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window DSLR 5 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon IXY 320, PowerShot S230, IXUS v3 WIA Driver
Canon MovieEdit Task for ZoomBrowser EX
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon ZoomBrowser EX (E)
CCleaner (remove only)
Concordance
DWG TrueView
ePAVE
ewido anti-malware
FairUse Wizard 2
Fiery Remote Scan 5.1.2.6
FirstClass® Client
Google Earth
HijackThis 1.99.1
Hotfix for Windows XP (KB909394)
hp instant support
HP Memories Disc
HP Photo and Imaging 2.0 - Scanners
IBM Access Connections
IBM Access Support
IBM Access Support - Local Content Pack
IBM DLA
IBM Rapid Restore PC Setup
IBM RecordNow
IBM RecordNow Update Manager
IBM Themes
IBM ThinkPad Battery MaxiMiser and Power Management Features
IBM ThinkPad Configuration
IBM ThinkPad EasyEject Utility
IBM ThinkPad Keyboard Customizer Utility
IBM ThinkPad Power Management Driver
IBM ThinkPad Presentation Director
IBM ThinkPad UltraNav Driver
IBM ThinkPad UltraNav Wizard
IBM TrackPoint Accessibility Features
IBM Update Connector
Informatik Docview 10.0
Intel(R) PRO Network Adapters and Drivers
interneTIFF 6.2-PRO (IE Browser-SITE)
InterVideo WinDVD
IPMaster
iTunes
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_04
Kyocera Mita Scanner Driver
LawDesk
LawDesk 5.1
LexisNexis Download and Print for Internet Explorer
LiveUpdate 1.6 (Symantec Corporation)
Macromedia Flash Player 8
Microsoft .NET Framework 1.1
Microsoft ActiveSync 4.0
Microsoft AntiSpyware
Microsoft Data Access Components KB870669
Microsoft Office Professional Edition 2003
Motorola Handset USB Driver
Mozilla Firefox (1.0.7)
MSN Music Assistant
Napster
Norton AntiVirus Corporate Edition
Opticon
Outlook Express Q837009
PaperPort 8.0
PASAT
PC Master
PC-Doctor for Windows
PCT-SAFE Online Filing
PdaNet for Windows Mobile 1.14
Picsel File Viewer
QuickTime
Roxio Burn Engine
SnagIt 6
Spybot - Search & Destroy 1.4
Support.com Software
ThinkPad FullScreen Magnifier
ThinkPad Software Installer
TPNala Wallpaper
Treo 700w User Guide
tunebite 3.0.0.5
USPTO Direct 6.0
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows Installer 3.0 (KB884016)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 Hotfix - KB894476
Windows Media Player Hotfix [See Q828026 for more information]
Windows XP Hotfix - KB823182
Windows XP Hotfix - KB824105
Windows XP Hotfix - KB824141
Windows XP Hotfix - KB825119
Windows XP Hotfix - KB826939
Windows XP Hotfix - KB828035
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB837001
Windows XP Hotfix - KB839643
Windows XP Hotfix - KB840374
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP2) Q819696
WinZip
XPort
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo! Toolbar

and I notice that tpnala wallpaper seems odd...

cont...

bogusbogus32
2006-05-12, 15:08
and just for good measure...

Logfile of HijackThis v1.99.1
Scan saved at 9:04:30 AM, on 5/12/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\VERITAS Software\Update Manager\sgtray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.cnn.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\Scansoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\Scansoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [USPTO Direct Recovery] "C:\Program Files\USPTO\etdirrcv.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O14 - IERESET.INF: START_PAGE_URL=http://www.cnn.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.cnn.com
O16 - DPF: {26BFFB87-5B07-4611-82BB-AF3947013FDD} (DAPCtl Class) - http://www.lexis.com/dl/IEDAP.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/bonnie/us/win/QuickTimeInstaller.exe
O16 - DPF: {638AF6A2-81A1-4655-9FFA-9FC09CDE22CF} (CScanner Object) - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1138402863458
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - http://www-307.ibm.com/pc/support/IbmEgath.cab
O16 - DPF: {9059F30F-4EB1-4BD2-9FDC-36F43A218F4A} (Microsoft RDP Client Control (redist)) - http://66.147.8.11/TSWEB/msrdp.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.napster.com/client/isetup.cab
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9C134253-E8A3-4759-9F98-302B7981922E} (MaxViewer Class) - http://support.scansoft.com/pp/files/np_max.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - http://tools.ebayimg.com/eps/activex/EPSControl_v1-0-3-0.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Aluria Spyware Eliminator Service (ASEService) - Unknown owner - C:\PROGRA~1\ALURIA~1\ASE\ASEServ.exe (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

pskelley
2006-05-12, 17:53
Good morning and it looks like you ran ewido before you cleaned out the system restore? If you had done that first, those items would not have been there.
If you have not done this, please do it now. I would hate to have to use System Restore, as all of that junk would get back on the computer. Here are manual instructions:
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Uninstall list: There are several items I do not know, but nothing jumps out as malware. I encourage you to take the time to uninstall programs you do not know (check first to make sure they are not needed for the computer to run) or no longer use.

Viewpoint Manager (Remove Only)
Viewpoint Media Player
I suggest you remove this item, see this information:
http://www.clickz.com/news/article.php/3561546
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint

This: Java 2 Runtime Environment, SE v1.4.2_04
Please review this information and clean out the old Java as suggested:
http://forums.spybot.info/showthread.php?t=2559

Logfile of HijackThis v1.99.1 Scan saved at 9:04:30 AM, on 5/12/2006
(if you do not use these as your startpage, you may remove them with HJT)
O14 - IERESET.INF: START_PAGE_URL=http://www.cnn.com
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.cnn.com

While I have supplied you with links to freeware programs with great reputations, I suggest you read this information:
http://castlecops.com/r277-Spyware_Eliminator.html
This product:
O23 - Service: Aluria Spyware Eliminator Service (ASEService) - Unknown owner - C:\PROGRA~1\ALURIA~1\ASE\ASEServ.exe (file missing)
has a very poor rating with spyware removers and folks in general. I would not have it on any of my computers...your call.

There are a few items booting at startup that you may not need and could start from All Programs when needed. Look at the O4 - HKLM\..\Run: items; if you do not know what one is, Google the executable.
Example: O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe <<< Google >>> http://www.liutilities.com/products/wintaskspro/processlibrary/cfd/ since that leaves questions I would ask the ISP...hey can I turn that off to save resources and start it if you need it?

"the computer seems to be running fine with the exception of right after it starts up, before the icons appear on the desktop, the screen goes completely blue, and once the icons come back, they are surrounded by the blue highlighting..."
Something in your settings has been changed by one of the malware programs, try these to see what happens:
_________________________________________________________________
http://www.msfn.org/board/lofiversion/index.php/t21581.html
Restore desktop themes
_________________________________________________________________
1. Click Start, and then click Control Panel.
2. Double-click Display, click the Desktop tab, and then click Customize Desktop.
3. Select Restore Defaults
_________________________________________________________________

It could be possible, after reboot that the system is using the windows classic theme again.
To restore this and set it back to the XP theme, right-click on your desktop > Properties > Appearance tab and choose Windows XP style again under Windows and buttons.
Click apply and OK.

Let me have a final report when you can...Thanks
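
Added example, not part of this thread or of HijackThis: a small Python parser for the O4 autostart and O23 service lines discussed above. It pulls out the program each entry actually launches (quoted paths, trailing switches and Startup-folder .lnk lines included) so unknown items can be looked up one by one, and it flags services whose binary is reported missing or whose owner is unknown, like the Aluria entry. The sample lines are copied from the log in this thread; the flag wording and the `Autostart` record are my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: O4/O23 lines copied from the HijackThis log above,
# plus one O8 line to show that other sections are skipped.
SAMPLE_LINES = [
    r'O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"',
    r'O4 - HKLM\..\Run: [StorageGuard] "c:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r',
    r'O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon',
    r'O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe',
    r'O4 - Startup: PdaNet Desktop.lnk = C:\Program Files\PdaNet for Windows Mobile\PdaNetPC.exe',
    r'O23 - Service: Aluria Spyware Eliminator Service (ASEService) - Unknown owner - C:\PROGRA~1\ALURIA~1\ASE\ASEServ.exe (file missing)',
    r'O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe',
    r'O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm',
]

O4_RE = re.compile(r'^O4 - (?P<where>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
EXE_RE = re.compile(r'\.(?:exe|com|pif|scr)\b', re.IGNORECASE)

@dataclass
class Autostart:
    kind: str          # "O4" or "O23"
    location: str      # Run key, startup folder, or "Service"
    name: str          # value name, .lnk name, or service display name
    executable: str    # program the entry launches
    flags: tuple       # reasons a reviewer should look closer

def launch_target(cmd: str) -> str:
    """Return the program a Run/startup command line launches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # quoted path: up to the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.search(cmd)                  # unquoted: cut after the extension
    return cmd[:m.end()] if m else cmd.split(' ', 1)[0]

def parse_line(line: str):
    """Parse one O4 or O23 line into an Autostart; other sections give None."""
    m = O4_RE.match(line)
    if m:
        where, name, cmd = m.group('where'), m.group('name'), m.group('cmd')
        if name is None and ' = ' in cmd:   # "Startup: foo.lnk = target" form
            name, cmd = cmd.split(' = ', 1)
        exe = launch_target(cmd)
        flags = []
        if '\\' not in exe:                  # bare name is resolved via the search path
            flags.append('bare file name, resolved through the search path at logon')
        return Autostart('O4', where, name or '', exe, tuple(flags))
    m = O23_RE.match(line)
    if m:
        name, owner, path = m.group('name'), m.group('owner'), m.group('path')
        flags = []
        if path.endswith('(file missing)'):
            path = path[:-len('(file missing)')].strip()
            flags.append('service binary missing on disk: leftover or broken entry')
        if owner == 'Unknown owner':
            flags.append('no publisher in the file version info')
        return Autostart('O23', 'Service', name, path, tuple(flags))
    return None

def review(lines):
    """Parse all lines; return (all entries, entries that carry review flags)."""
    entries = [e for e in map(parse_line, lines) if e is not None]
    return entries, [e for e in entries if e.flags]

if __name__ == '__main__':
    entries, flagged = review(SAMPLE_LINES)
    for e in entries:
        print(f'{e.kind} {e.location:<12} {e.name:<28} {e.executable}')
    for e in flagged:
        print('REVIEW:', e.name, '->', '; '.join(e.flags))
```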

bogusbogus32
2006-05-12, 22:32
THANK YOU!!! I truly appreciate all of your kind assistance with this....I believe that I'm working back to normal and I definitely have you to thank.

Thanks again!

Kindest Regards,

Neil

LonnyRJones
2006-05-16, 14:38
I'm glad we could help.
Since the problems are solved I'm going to close the topic now; this keeps others with similar problems from posting their logs/questions here, they should start a new topic.
If you should need to post another log for the same PC, let me, pskelley or Tashi know.