cmdservice removal



stef_moey
2006-06-09, 00:16
I've had this virus for a while now and I can't seem to remove it. Please help! Here's the log:


Logfile of HijackThis v1.99.1
Scan saved at 6:15:14 PM, on 6/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\ms070770-146525.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
C:\Program Files\Common Files\svchostsys\svchostsys.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\spywarebot\SpywareBot.exe
C:\Program Files\spywarebot\SpywareBot.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\btmlp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,lotpana.exe
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GWRc] C:\WINDOWS\uiwcwe.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [wahm] C:\windows\eee2.exe
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\system32\loadadv64
O4 - HKLM\..\Run: [ms070770-146525] C:\WINDOWS\ms070770-146525.exe
O4 - HKLM\..\Run: [w00126ec.dll] RUNDLL32.EXE w00126ec.dll,I2 0009a4d4000126ec
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\spywarebot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - HKCU\..\Run: [spywarebot] "C:\Program Files\spywarebot\spywarebot.exe" -boot
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\kt8sl7l71.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe


thanks!
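The log above is the kind of thing a helper reads by hand, entry by entry. As an added example (not code from the thread, from HijackThis, or from Safer Networking), here is a small Python triage script that parses HijackThis 1.99 lines by section code and flags the persistence points this particular log abuses: the extra programs appended to the Winlogon Shell and UserInit values (F2), an unknown Winlogon Notify DLL (O20, the Look2Me technique), an ActiveX control fetched from an untrusted host (O16), and Run entries (O4) whose target is a bare name resolved through the search path, sits directly in C:\WINDOWS, carries a generated-looking digit run, or imitates svchost outside system32. The allowlists (KNOWN_GOOD_RUN, KNOWN_NOTIFY_KEYS, TRUSTED_DPF_HOSTS), the Finding type and the sample lines (a constructed subset of the first log) are assumptions made for this example; a real allowlist comes from verifying each file by hand.

```python
"""Triage of a HijackThis 1.99 log: parse each line's section code and apply rules to
the persistence points abused above. Added example; not code from HijackThis or any post."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the lines from the first log in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\btmlp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,lotpana.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [ms070770-146525] C:\WINDOWS\ms070770-146525.exe
O4 - HKLM\..\Run: [w00126ec.dll] RUNDLL32.EXE w00126ec.dll,I2 0009a4d4000126ec
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\kt8sl7l71.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Allowlists are assumptions for this example: Run entries verified by hand on this
# HP/Symantec/Apple machine, the Winlogon Notify subkeys of a stock XP SP2 (plus WGA),
# and hosts ActiveX controls are legitimately fetched from. Not a reputation database.
KNOWN_GOOD_RUN = {"jusched", "hpsysdrv", "agrsmmsg", "hphupd06", "hphmon06", "realsched",
                  "ituneshelper", "recguard", "isuspm", "issch", "ps2", "lsburnwatcher",
                  "alcxmntr", "qttask", "vptray", "ctfmon"}
KNOWN_NOTIFY_KEYS = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                     "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}
TRUSTED_DPF_HOSTS = {"download.microsoft.com", "java.sun.com"}

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^.*?: \[[^\]]*\] (?P<cmd>.*)$")
EXE_RE = re.compile(r"^(?P<exe>.+?\.(?:exe|dll|com|scr|bat|cmd|pif))(?=[\s,]|$)", re.I)
WIN_ROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)  # file directly in C:\WINDOWS


@dataclass
class Finding:
    section: str
    target: str  # file, DLL or host the rule fired on
    reason: str


def file_stem(path):
    """Lower-cased file name without directory or extension."""
    name = path.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def command_target(cmd):
    """First program in a Run value: the quoted path, else the first path ending in an
    executable extension (unquoted paths may contain spaces), else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = EXE_RE.match(cmd)
    return m.group("exe") if m else (cmd.split() or [cmd])[0]


def check_f2(body):
    # "REG:system.ini: Shell=Explorer.exe, C:\...\btmlp.exe": exactly one program belongs here
    key, _, value = body.partition(": ")[2].partition("=")
    expected = {"shell": "explorer", "userinit": "userinit"}.get(key.lower())
    return [(e.strip(), f"extra program in Winlogon {key} (runs at every logon)")
            for e in value.split(",") if e.strip() and file_stem(e) != expected]


def check_o4(body):
    m = O4_RE.match(body)
    if not m:  # Global Startup .lnk lines use another layout and are not judged here
        return []
    cmd = m.group("cmd")
    target = command_target(cmd)
    if file_stem(target) == "rundll32":  # judge the DLL being loaded, not the loader
        target = command_target(cmd.split(target, 1)[1].strip(' "'))
    stem = file_stem(target)
    if stem in KNOWN_GOOD_RUN:
        return []
    reasons = []
    if "\\" not in target:
        reasons.append("bare file name resolved through the search path")
    elif WIN_ROOT_RE.match(target):
        reasons.append("file dropped directly in the Windows directory")
    if re.search(r"\d{3,}", stem):
        reasons.append("digit run in the name (generated name)")
    if "svchost" in stem and "system32" not in target.lower():
        reasons.append("imitates svchost outside system32")
    reasons.append("not on the analyst allowlist")
    return [(target, "; ".join(reasons))]


def check_o16(body):
    url = body.rsplit(" - ", 1)[-1]
    m = re.match(r"https?://([^/]+)", url, re.I)
    host = m.group(1).lower() if m else url
    return [] if host in TRUSTED_DPF_HOSTS else [(host, "ActiveX control installed from an untrusted host")]


def check_o20(body):
    key, _, dll = body.partition(": ")[2].partition(" - ")
    if key.lower() in KNOWN_NOTIFY_KEYS:
        return []
    return [(dll or key, f"unknown Winlogon Notify key '{key}' (DLL loads into winlogon.exe)")]


CHECKS = {"F2": check_f2, "O4": check_o4, "O16": check_o16, "O20": check_o20}


def triage(log):
    """Run every applicable check over the log and collect the findings in log order."""
    findings = []
    for raw in log.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and m.group("sec") in CHECKS:
            for target, reason in CHECKS[m.group("sec")](m.group("body")):
                findings.append(Finding(m.group("sec"), target, reason))
    return findings
```

Calling `triage(SAMPLE_LOG)` yields eight findings: btmlp.exe and lotpana.exe from the two F2 lines, four O4 targets (SYSC00.exe, ms070770-146525.exe, the w00126ec.dll loaded through rundll32, and svchostsys.exe), the elitemediagroup host, and kt8sl7l71.dll under the bogus ShellServiceObjectDelayLoad notify key, while jusched, AGRSMMSG, qttask and WgaLogon pass. Name-based heuristics alone misfire on legitimate vendor files (AGRSMMSG.exe and ALCXMNTR.EXE have no vowels and live in C:\WINDOWS), which is why the script consults an analyst allowlist first and reports every reason behind a flag instead of a single score.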

pskelley
2006-06-09, 16:07
Hello and welcome to the forum. If you still need help and are not receiving it elsewhere, I will see what I can do. You need to know that you are badly infected and it will be in your best interest, since these infections attract others, to stay offline as much as possible until you are clean. It is also important that you follow the directions exactly if you wish the tools I will use to work. If you wish to proceed, we will start with the Look2me infection.

Thanks to Atribune and any others who helped with this fix

Please download Look2Me-Destroyer.exe (http://www.atribune.org/ccount/click.php?id=7) to your desktop.
Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.
Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

More info:

If for some reason Look2Me-Destroyer doesn't reopen, check that Task Scheduler is running.
If it isn't, you can use sc.exe to start it:

Start > Run, type sc start schedule and press Enter.

Post C:\Look2Me-Destroyer.txt and a new HiJackThis log along with any comments you think will help.

Thanks...pskelley
Safer Networking Forums

tashi
2006-06-16, 00:14
stef_moey? :wink:

stef_moey
2006-06-16, 21:43
Sorry for the delay.. my computer wouldn't go online. I ran Look2Me-Destroyer and here's my log..

Logfile of HijackThis v1.99.1
Scan saved at 3:39:33 PM, on 6/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\SYSC00.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\sys02465250770-1.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\VCClient\VCMain.exe
C:\Program Files\Common Files\svchostsys\svchostsys.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\btmlp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,lotpana.exe
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GWRc] C:\WINDOWS\uiwcwe.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [wahm] C:\windows\eee2.exe
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\system32\loadadv64
O4 - HKLM\..\Run: [w00126ec.dll] RUNDLL32.EXE w00126ec.dll,I2 0009a4d4000126ec
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\spywarebot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [sys02465250770-1] C:\WINDOWS\sys02465250770-1.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe



thanks again!

pskelley
2006-06-16, 22:09
Post C:\Look2Me-Destroyer.txt and a new HiJackThis log along with any comments you think will help.

Please follow the directions...post the C:\Look2Me-Destroyer.txt as requested.

I told you in the beginning that you had a badly infected computer, please follow the directions carefully or these tools will not work. This junk will also not get better with age, apply yourself to getting these fixes done if you want my help, we have a long ways to go, thanks.

Thanks to Metallica and any others who helped with this fix.

1. Please download Ewido Anti-Malware (http://www.ewido.net/en/download/)
Install ewido anti-malware
Launch ewido, there should be an icon on your desktop, double-click it.
The program will now open to the main screen.
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.

You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update.
Then click on Start Update.

The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display ("Update successful")
Exit Ewido, do not run the scan yet!
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates (http://download.ewido.net/ewido-signatures-full-current.exe)

2. Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.

4. Once in Safe Mode, Open Ewido:
Click on scanner
Click on Complete System Scan and the scan will begin.
You will be prompted to clean the first infection.
Select "Perform action on all infections", then proceed.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report
Click Save report.
Save the report .txt file to your desktop or a location where you can find it easily.
Close ewido anti-malware.

5. Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.
Reboot into normal windows and post the contents of Ewido text report that you saved and a new HiJackThis log.

Thanks...Phil

stef_moey
2006-06-17, 02:23
Sorry, I'm inexperienced in this.. here's the Look2Me-Destroyer text first.


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 6/16/2006 3:32:11 PM

Infected! C:\WINDOWS\system32\mv84l9lq1.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP200\A0019190.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP200\A0019202.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP204\A0019249.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP208\A0020249.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP212\A0020321.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP212\A0020339.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP223\A0021382.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP229\A0022417.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP234\A0022520.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP235\A0022542.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP235\A0022553.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP235\A0022718.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP235\A0022729.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022780.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022787.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022788.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022790.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022793.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022794.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022795.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022796.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022797.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022798.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022800.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022801.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022803.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022805.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022806.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022807.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022809.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022810.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022811.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022901.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP242\A0027838.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP243\A0027860.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP244\A0027911.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP244\A0027924.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP251\A0031147.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP251\A0031230.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP254\A0031946.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP255\A0032957.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP256\A0032997.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP257\A0033108.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP257\A0033159.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP257\A0033160.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP257\A0033192.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP257\A0033193.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP270\A0033292.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP270\A0033312.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0033336.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0033349.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0033362.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0033376.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0033407.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0033408.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP273\A0033432.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP273\A0033433.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP274\A0033480.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP276\A0033502.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033557.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033569.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033581.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033583.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033587.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033600.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033619.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033620.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033645.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033646.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033659.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033660.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP281\A0033796.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP282\A0033820.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP284\A0033849.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP284\A0033895.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP285\A0033954.dll
Infected! C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP285\A0033970.dll

stef_moey
2006-06-17, 02:24
Infected! C:\WINDOWS\system32\btc42.dll
Infected! C:\WINDOWS\system32\cKpesnpn.dll
Infected! C:\WINDOWS\system32\cnl3dv2.dll
Infected! C:\WINDOWS\system32\dfime.dll
Infected! C:\WINDOWS\system32\dilayx.dll
Infected! C:\WINDOWS\system32\dMdim700.dll
Infected! C:\WINDOWS\system32\dn8801lue.dll
Infected! C:\WINDOWS\system32\dnn0015me.dll
Infected! C:\WINDOWS\system32\dnr4019qe.dll
Infected! C:\WINDOWS\system32\eient.dll
Infected! C:\WINDOWS\system32\en6ml1j11.dll
Infected! C:\WINDOWS\system32\hr0005dme.dll
Infected! C:\WINDOWS\system32\i624lgfq162e.dll
Infected! C:\WINDOWS\system32\iHssdo.dll
Infected! C:\WINDOWS\system32\IKIresizeW7.dll
Infected! C:\WINDOWS\system32\imrtprio.dll
Infected! C:\WINDOWS\system32\ir00l5dm1.dll
Infected! C:\WINDOWS\system32\irr6l59s1.dll
Infected! C:\WINDOWS\system32\kddbe.dll
Infected! C:\WINDOWS\system32\kgdsp.dll
Infected! C:\WINDOWS\system32\ktpml7711.dll
Infected! C:\WINDOWS\system32\kvduk.dll
Infected! C:\WINDOWS\system32\l8n40i5qe8.dll
Infected! C:\WINDOWS\system32\l8r0li9m18.dll
Infected! C:\WINDOWS\system32\lvj8091ue.dll
Infected! C:\WINDOWS\system32\m6460ghse6460.dll
Infected! C:\WINDOWS\system32\mdl_qic.dll
Infected! C:\WINDOWS\system32\mdxml2.dll
Infected! C:\WINDOWS\system32\MlPMSNSv.dll
Infected! C:\WINDOWS\system32\mrjet40.dll
Infected! C:\WINDOWS\system32\mv84l9lq1.dll
Infected! C:\WINDOWS\system32\nzmsevt.dll
Infected! C:\WINDOWS\system32\p0n80a5ued.dll
Infected! C:\WINDOWS\system32\p28qlcl51fq.dll
Infected! C:\WINDOWS\system32\p6p6lg7s16.dll
Infected! C:\WINDOWS\system32\rbmotepg.dll
Infected! C:\WINDOWS\system32\smi.dll
Infected! C:\WINDOWS\system32\SqSBase.dll
Infected! C:\WINDOWS\system32\wdock32.dll
Infected! C:\WINDOWS\system32\wsadmoe.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\mv84l9lq1.dll
C:\WINDOWS\system32\mv84l9lq1.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP200\A0019190.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP200\A0019190.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP200\A0019202.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP200\A0019202.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP204\A0019249.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP204\A0019249.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP208\A0020249.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP208\A0020249.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP212\A0020321.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP212\A0020321.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP212\A0020339.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP212\A0020339.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP223\A0021382.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP223\A0021382.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP229\A0022417.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP229\A0022417.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP234\A0022520.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP234\A0022520.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP235\A0022542.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP235\A0022542.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP235\A0022553.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP235\A0022553.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP235\A0022718.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP235\A0022718.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP235\A0022729.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP235\A0022729.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022780.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022780.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022787.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022787.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022788.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022788.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022790.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022790.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022793.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022793.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022794.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022794.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022795.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022795.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022796.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022796.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022797.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022797.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022798.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022798.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022800.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022800.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022801.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022801.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022803.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022803.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022805.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022805.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022806.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022806.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022807.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022807.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022809.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022809.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022810.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022810.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022811.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022811.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022901.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP239\A0022901.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP242\A0027838.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP242\A0027838.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP243\A0027860.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP243\A0027860.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP244\A0027911.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP244\A0027911.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP244\A0027924.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP244\A0027924.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP251\A0031147.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP251\A0031147.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP251\A0031230.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP251\A0031230.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP254\A0031946.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP254\A0031946.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP255\A0032957.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP255\A0032957.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP256\A0032997.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP256\A0032997.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP257\A0033108.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP257\A0033108.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP257\A0033159.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP257\A0033159.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP257\A0033160.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP257\A0033160.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP257\A0033192.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP257\A0033192.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP257\A0033193.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP257\A0033193.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP270\A0033292.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP270\A0033292.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP270\A0033312.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP270\A0033312.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0033336.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0033336.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0033349.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0033349.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0033362.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0033362.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0033376.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0033376.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0033407.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0033407.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0033408.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP271\A0033408.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP273\A0033432.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP273\A0033432.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP273\A0033433.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP273\A0033433.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP274\A0033480.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP274\A0033480.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP276\A0033502.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP276\A0033502.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033557.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033557.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033569.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033569.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033581.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033581.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033583.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033583.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033587.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033587.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033600.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033600.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033619.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033619.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033620.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033620.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033645.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033645.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033646.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033646.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033659.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033659.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033660.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP278\A0033660.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP281\A0033796.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP281\A0033796.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP282\A0033820.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP282\A0033820.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP284\A0033849.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP284\A0033849.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP284\A0033895.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP284\A0033895.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP285\A0033954.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP285\A0033954.dll Deleted successfully!

stef_moey
2006-06-17, 02:25
Attempting to delete: C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP285\A0033970.dll
C:\System Volume Information\_restore{DDE3EB95-4B24-44D8-AD38-1F974B96C2F0}\RP285\A0033970.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\btc42.dll
C:\WINDOWS\system32\btc42.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\cKpesnpn.dll
C:\WINDOWS\system32\cKpesnpn.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\cnl3dv2.dll
C:\WINDOWS\system32\cnl3dv2.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dfime.dll
C:\WINDOWS\system32\dfime.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dilayx.dll
C:\WINDOWS\system32\dilayx.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dMdim700.dll
C:\WINDOWS\system32\dMdim700.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dn8801lue.dll
C:\WINDOWS\system32\dn8801lue.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dnn0015me.dll
C:\WINDOWS\system32\dnn0015me.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dnr4019qe.dll
C:\WINDOWS\system32\dnr4019qe.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\eient.dll
C:\WINDOWS\system32\eient.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\en6ml1j11.dll
C:\WINDOWS\system32\en6ml1j11.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\hr0005dme.dll
C:\WINDOWS\system32\hr0005dme.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\i624lgfq162e.dll
C:\WINDOWS\system32\i624lgfq162e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\iHssdo.dll
C:\WINDOWS\system32\iHssdo.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\IKIresizeW7.dll
C:\WINDOWS\system32\IKIresizeW7.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\imrtprio.dll
C:\WINDOWS\system32\imrtprio.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ir00l5dm1.dll
C:\WINDOWS\system32\ir00l5dm1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\irr6l59s1.dll
C:\WINDOWS\system32\irr6l59s1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\kddbe.dll
C:\WINDOWS\system32\kddbe.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\kgdsp.dll
C:\WINDOWS\system32\kgdsp.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ktpml7711.dll
C:\WINDOWS\system32\ktpml7711.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\kvduk.dll
C:\WINDOWS\system32\kvduk.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\l8n40i5qe8.dll
C:\WINDOWS\system32\l8n40i5qe8.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\l8r0li9m18.dll
C:\WINDOWS\system32\l8r0li9m18.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lvj8091ue.dll
C:\WINDOWS\system32\lvj8091ue.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\m6460ghse6460.dll
C:\WINDOWS\system32\m6460ghse6460.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mdl_qic.dll
C:\WINDOWS\system32\mdl_qic.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mdxml2.dll
C:\WINDOWS\system32\mdxml2.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\MlPMSNSv.dll
C:\WINDOWS\system32\MlPMSNSv.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mrjet40.dll
C:\WINDOWS\system32\mrjet40.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mv84l9lq1.dll
C:\WINDOWS\system32\mv84l9lq1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\nzmsevt.dll
C:\WINDOWS\system32\nzmsevt.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\p0n80a5ued.dll
C:\WINDOWS\system32\p0n80a5ued.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\p28qlcl51fq.dll
C:\WINDOWS\system32\p28qlcl51fq.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\p6p6lg7s16.dll
C:\WINDOWS\system32\p6p6lg7s16.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\rbmotepg.dll
C:\WINDOWS\system32\rbmotepg.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\smi.dll
C:\WINDOWS\system32\smi.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\SqSBase.dll
C:\WINDOWS\system32\SqSBase.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\wdock32.dll
C:\WINDOWS\system32\wdock32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\wsadmoe.dll
C:\WINDOWS\system32\wsadmoe.dll Deleted successfully!

stef_moey
2006-06-17, 02:26
Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SMDEn

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{55513160-76FD-4940-A55A-D84D0004EA42}"
HKCR\Clsid\{55513160-76FD-4940-A55A-D84D0004EA42}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{49081F76-F10F-4F1F-ACFC-183CD91464DC}"
HKCR\Clsid\{49081F76-F10F-4F1F-ACFC-183CD91464DC}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9C6E09A9-828C-4F97-B667-3BE2EEB8BABD}"
HKCR\Clsid\{9C6E09A9-828C-4F97-B667-3BE2EEB8BABD}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{8168FE48-ADC2-492F-BC0D-97141211D668}"
HKCR\Clsid\{8168FE48-ADC2-492F-BC0D-97141211D668}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{9B664B9D-7426-4651-9135-1C7E01EA06F1}"
HKCR\Clsid\{9B664B9D-7426-4651-9135-1C7E01EA06F1}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C8FC13B6-F217-4B5B-B3CB-2B5ECBF0C727}"
HKCR\Clsid\{C8FC13B6-F217-4B5B-B3CB-2B5ECBF0C727}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{FFEFD2D3-D756-43D8-911E-0F5489A90CBB}"
HKCR\Clsid\{FFEFD2D3-D756-43D8-911E-0F5489A90CBB}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file

Restoring SeDebugPrivilege for Administrators - Succeeded

stef_moey
2006-06-17, 02:27
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 8:03:33 PM, 6/16/2006
+ Report-Checksum: 11B748A9

+ Scan result:

[788] C:\WINDOWS\system32\qrvhgpl.dll -> Downloader.Qoologic.bj : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ads.realcastmedia[2].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@as-eu.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@data1.perf.overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@h.starware[2].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@paypopup[2].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@try.starware[1].txt -> TrackingCookie.Starware : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@ysbweb[1].txt -> TrackingCookie.Ysbweb : Cleaned with backup
C:\Documents and Settings\HP_Owner\Cookies\hp_owner@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\C3E55.tmp/dgfgql.exe -> Adware.Suggestor : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@login.tracking101[2].txt -> TrackingCookie.Tracking101 : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@targetnet[1].txt -> TrackingCookie.Targetnet : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@www.myaffiliateprogram[1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\Cookies\hp_owner@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\explorer.exe -> Downloader.Tiny.ax : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\temp.fr164D -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\temp.fr44CA -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\temp.fr5986 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\temp.fr96A9 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temp\temp.frEBC7 -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\HP_Owner\Local Settings\Temporary Internet Files\Content.IE5\9JN9SE91\AppWrap[1].exe -> Adware.AdURL : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Common Files\svchostsys\svchostsys.exe -> Downloader.Small : Cleaned with backup
C:\Program Files\Common Files\svchostsys\svchostupdate.exe -> Downloader.Small : Cleaned with backup
C:\RECYCLER\S-1-5-21-2885293874-521097054-239279701-1009\Dc66\webhc1.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\surv3.exe -> Downloader.VB.vv : Cleaned with backup
C:\WINDOWS\sys02465250770-1.exe -> Downloader.VB.tw : Cleaned with backup
C:\WINDOWS\SYSC00.exe -> Trojan.VB.tg : Cleaned with backup
C:\WINDOWS\system32\guard.tmp_tobedeleted -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\phkkb.dat -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@advertising[2].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@edge.ru4[1].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@linksynergy[2].txt -> TrackingCookie.Linksynergy : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@media.fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@reduxads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@targetnet[1].txt -> TrackingCookie.Targetnet : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Temp\Cookies\hp_owner@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup


::Report End






Logfile of HijackThis v1.99.1
Scan saved at 8:11:18 PM, on 6/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\btmlp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,lotpana.exe
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [GWRc] C:\WINDOWS\uiwcwe.exe
O4 - HKLM\..\Run: [wahm] C:\windows\eee2.exe
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\system32\loadadv64
O4 - HKLM\..\Run: [w00126ec.dll] RUNDLL32.EXE w00126ec.dll,I2 0009a4d4000126ec
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\spywarebot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

pskelley
2006-06-17, 03:00
"sorry I'm inexperienced in this.. here's the look2medestroyer text first"
That's why I tried to make sure you understood this was a bad infection. You are making progress, keep following the directions. We have the Qoologic trojan yet to be removed, but first, let's clean a little.

1) Your Java program >>> C:\Program Files\Java\j2re1.4.2_03 is out of date and that will get you infected fast, and may be the reason you are. Use the information in this link to get that updated:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

2) Start > Control Panel > Add remove programs and uninstall spywarebot, VCClient, svchostsys if there and any program you know does not belong there. If you are not sure let me know and I will look.


3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(the first five lines are HP redirects that are not making your browser run better. If you do not use them, then check and delete them...this is optional)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...ion&pf=desktop

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\btmlp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,lotpana.exe
O4 - HKLM\..\Run: [GWRc] C:\WINDOWS\uiwcwe.exe
O4 - HKLM\..\Run: [wahm] C:\windows\eee2.exe
O4 - HKLM\..\Run: [loadadv64] C:\WINDOWS\system32\loadadv64
O4 - HKLM\..\Run: [w00126ec.dll] RUNDLL32.EXE w00126ec.dll,I2 0009a4d4000126ec
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\spywarebot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Enable hidden files&folders..reverse the process when finished.
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

RIGHT Click on Start then click on Explore. Locate and delete these items if they are there...do not miss any!!

C:\windows\eee2.exe <<< file

C:\WINDOWS\uiwcwe.exe <<< file

C:\WINDOWS\system32\btmlp.exe <<< file

C:\WINDOWS\system32\loadadv64 <<< file

C:\WINDOWS\system32\lotpana.exe <<< file

C:\Program Files\spywarebot\ <<< folder

C:\Program Files\Common Files\VCClient\ <<< folder

C:\Program Files\Common Files\svchostsys\ <<< folder

C:\Windows\Prefetch\ >>> delete the contents (NOT THE FOLDER)
Prefetch info: http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

Download CCleaner from this link: http://www.ccleaner.com/ Review the instructions http://www.ccleaner.com/help/tour1.asp
Run CCleaner, Windows & Applications. When you run the registry cleaner (Issues) you will be prompted to back up before you can remove stuff; make sure you do.

Restart the computer and post a new HJT log along with any comments you think will help. We will have more to do.

Thanks...Phil

stef_moey
2006-06-19, 01:37
okay I updated my java program but spywarebot, vcclient, svchostsys weren't showing up in the add/remove programs. I also couldn't locate eee2.exe, spywarebot folder, uiwcwe.exe, or vcclient. I found btmlp.exe but it wouldn't let me delete it because it was already in use. I didn't find the svchostsys folder but I did find svchostsys.bat in C:\programfiles\commonfiles\simtest.


thanks, stef.

pskelley
2006-06-19, 01:52
I am sorry, but that is not going to get your computer clean. You need to make sure you can see all hidden files and folders:

How to make files and folders visible:

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

then you need to start your computer in safe mode:
Using the F8 Method:
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.
Do whatever tasks you require and when you are done reboot to boot back into normal mode.

Using the System Configuration Tool Method here:
http://www.bleepingcomputer.com/tutorials/tutorial61.html

Then you need to find and delete all of the files/folders in the instructions.

Then: Restart the computer and post a new HJT log along with any comments you think will help. We will have more to do.
We still have a Qoologic trojan to remove.

Thanks

stef_moey
2006-06-19, 02:38
I removed btmlp.exe through safe mode but I still can't find the other files. They may have been picked up by ewido now that I think about it. Here's my hjt log.


Logfile of HijackThis v1.99.1
Scan saved at 7:59:53 PM, on 6/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\btmlp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,lotpana.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe



thanks

pskelley
2006-06-19, 02:53
OK and thanks, the only thing I see in the log is the Qoologic trojan.

We are going to use the Brute Force Uninstaller again, but this time we will use a tool designed to remove Qoologic. The trojan looks like this in the HJT log:
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\btmlp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,lotpana.exe
If you follow the directions correctly and carefully, those lines will be gone in the next HJT log.


Download Brute Force Uninstaller to your C:\
http://www.merijn.org/files/bfu.zip
Unzip it to a folder of its own (C:\BFU). So BFU should be on your root. In most cases this is C:\
Download qoofix.bat: http://downloads.subratam.org/Lon/qooFix.bat
(rightclick on this link and choose save as)
Place qoofix.bat in your C:\BFU - folder. (Important!)
Double-click qooFix.bat. Close all browsers and Explorer folders.
Choose option 1 (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.
After the PC has restarted please post another hijackthis log.

Thanks
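The two F2 lines quoted above are a Winlogon Shell/UserInit hijack: whatever is listed in those values is started at every logon, so an extra executable after Explorer.exe or userinit.exe is the persistence mechanism. As an added example (not part of this thread or of HijackThis), the Python below flags those lines in an HJT log and, as a weaker triage hint, O4 Run entries of the kinds the helper told the poster to fix; the sample lines are constructed from the thread's own logs.

```python
"""Triage for HijackThis log lines (added example, not from the thread or HJT).

Flags Winlogon Shell/UserInit values carrying an extra executable (the F2 lines
the helper points at) and, as a weaker hint, O4 Run entries that launch a loose
file from the Windows root or a DLL via rundll32 with no path. "review" means
look at it, not delete it: legitimate OEM entries can live there too.
"""
import re
from dataclasses import dataclass

# Windows defaults for the two Winlogon values HJT reports as F2 lines.
EXPECTED = {"shell": {"explorer.exe"}, "userinit": {"userinit.exe"}}

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$", re.I)
O4_RE = re.compile(r"^O4 - (HK\w+\\\.\.\\Run\w*): \[([^\]]+)\] (.*)$", re.I)
WINROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.I)


@dataclass
class Finding:
    severity: str   # "hijack" for an F2 mismatch, "review" for the O4 heuristics
    line: str
    detail: str


def split_entries(value):
    """Comma-separated Shell/UserInit value -> lowercase basenames, empties dropped."""
    parts = [p.strip() for p in value.split(",")]
    return [p.split("\\")[-1].lower() for p in parts if p]


def exe_from_command(cmd):
    """First executable of an O4 command: the quoted path, else text up to the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.exe)(?:\s|$)", cmd, re.I)
    return m.group(1) if m else cmd


def check_f2(line):
    """Anything besides the default executable in Shell or UserInit is a hijack."""
    m = F2_RE.match(line)
    if not m:
        return None
    key = m.group(1).lower()
    extras = [e for e in split_entries(m.group(2)) if e not in EXPECTED[key]]
    if not extras:
        return None
    return Finding("hijack", line, f"{m.group(1)} loads extra: {', '.join(extras)}")


def check_o4(line):
    """Heuristic review flags for HKLM/HKCU Run entries (Global Startup lines are skipped)."""
    m = O4_RE.match(line)
    if not m:
        return None
    cmd = m.group(3)
    exe = exe_from_command(cmd)
    if exe.lower().split("\\")[-1] == "rundll32.exe":
        dll = cmd[len(exe):].strip().split(",")[0].strip()
        if dll and "\\" not in dll:
            return Finding("review", line, f"rundll32 loads a DLL with no path: {dll}")
    if WINROOT_RE.match(exe):
        return Finding("review", line, f"loose executable in the Windows root: {exe}")
    return None


def scan_log(text):
    """Run both checks over every line of an HJT log; an F2 finding takes precedence."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        found = check_f2(line) or check_o4(line)
        if found:
            findings.append(found)
    return findings


# Constructed sample: lines copied from the thread's logs plus one clean UserInit.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\btmlp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,lotpana.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [GWRc] C:\WINDOWS\uiwcwe.exe
O4 - HKLM\..\Run: [w00126ec.dll] RUNDLL32.EXE w00126ec.dll,I2 0009a4d4000126ec
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.detail}")
```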

stef_moey
2006-06-19, 03:15
okay here's my new hjt log..

Logfile of HijackThis v1.99.1
Scan saved at 9:13:06 PM, on 6/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\hphmon06.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mid: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe

pskelley
2006-06-19, 03:27
OK, looking good. This item: O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE read about it here: http://castlecops.com/startuplist-180.html This is optional, your call.
If you want to get rid of it, search for the file: ALCXMNTR.EXE (normally in C:\Windows\) and delete that file. Make sure you delete the right file. You may have to delete it in safe mode.


Besides that your HJT log is clean. Good job of sticking to it until you got it done. This information is important.

Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://boards.cexx.org/viewtopic.php?t=957
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

ewido is a great program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam

tashi will be along to close you in a few days, safe surfing.

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier

stef_moey
2006-06-19, 20:37
thank you very much. my computer is running much better now. I appreciate all the time and help!!


thanks again,

stef