10 Posts

August 22nd, 2005 21:00

HJT log, please help

Hi,
I have been trying for over a week to get rid of ads in the form of pop-ups and at the top of webpages.  I have done numerous scans and removed a lot of files and such but the ads are still there (although it has gotten better).  All help will be Greatly appreciated.
 
Here's the log:
 

Logfile of HijackThis v1.99.1

Scan saved at 5:43:49 PM, on 8/22/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\WINDOWS\system32\carpserv.exe

C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

C:\WINDOWS\etoksdq.EXE

C:\WINDOWS\gshhenc.EXE

C:\Program Files\Winamp\winampa.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\QuickTime\qttask.exe

C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

C:\Program Files\McAfee.com\Agent\mcagent.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\cisvc.exe

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

c:\program files\eatel\security software\app\CurtainsSysSvcNt.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\WINDOWS\System32\ScsiAccess.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\brmfadx.exe

C:\WINDOWS\iffgsvc.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe

C:\MSOffice\Office\MSOFFICE.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\wbem\wmiapsrv.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\Program Files\Paltalk\pnetaware.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\AUserInit.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\EATEL\Security Software\app\AuthBHO.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O3 - Toolbar: High Speed Security Software Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\EATEL\Security Software\app\AuthBHO.dll

O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

O4 - HKLM\..\Run: [t7tS39j] mprbase.exe

O4 - HKLM\..\Run: [etoksdq] C:\WINDOWS\etoksdq.EXE

O4 - HKLM\..\Run: [gshhenc] C:\WINDOWS\gshhenc.EXE

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\lpdggg.exe reg_run

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group -Spyhunter\SpyHunter\SpyHunter.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

O4 - HKLM\..\Run: [MemScanner] C:\Program Files\Enigma Software Group\SpyHunter\MemScanner.exe

O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe

O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [cw22RVHql] mpgb3032.exe

O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\Colby Decoteau\Application Data\ttuh.exe

O4 - Startup: Event Reminder.lnk = C:\Program Files\Mindscape\PrintMaster\PMREMIND.EXE

O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe

O4 - Global Startup: America Online 8.0 Tray Icon.lnk = C:\Program Files\America Online 8.0\aoltray.exe

O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe

O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

O4 - Global Startup: hpoddt01.exe.lnk = ?

O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe

O4 - Global Startup: KODAK Software Updater.lnk = C:\Program Files\Kodak\KODAK Software Updater\7288971\6.1.4.37-7288971L\Program\runner.exe

O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE

O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE

O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\MSOffice\Office\MSOFFICE.EXE

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: www.hotmail.com

O16 - DPF: Aces Up! by pogo - http://game3.pogo.com/applet-6.1.0.39/aces/aces-ob-assets.cab

O16 - DPF: Backgammon by pogo - http://gammon.pogo.com/applet-6.1.0.39/backgammon/backgammon-ob-assets.cab

O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-6.1.0.39/canasta/canasta-ob-assets.cab

O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://irc.everywherechat.com:8000/Java/cfs40320.cab

O16 - DPF: EZ Win Bingo by pogo - http://bingoe.pogo.com/applet-6.1.0.39/bingo/bingoe-ob-assets.cab

O16 - DPF: Interface Chat Voila - http://chat9.x-echo.com/version5/Applet/vchatsign.cab

O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.com/applet-6.1.0.39/mahjong/mahjong-ob-assets.cab

O16 - DPF: Pai Gow by pogo - http://game3.pogo.com/applet-6.1.0.39/paigow/paigow-ob-assets.cab

O16 - DPF: Phlinx by pogo - http://game4.pogo.com/applet-6.1.0.39/flinger/flinger-ob-assets.cab

O16 - DPF: Pirate's Gold by pogo - http://swashbucks.pogo.com/applet-6.1.0.39/piratesgold/piratesgold-ob-assets.cab

O16 - DPF: Poppit TM by pogo - http://game5.pogo.com/applet-6.1.0.39/poppit/poppit-ob-assets.cab

O16 - DPF: Ricochet by pogo - http://game4.pogo.com/applet-6.1.0.39/ricochet/ricochet-ob-assets.cab

O16 - DPF: Spider Solitaire by pogo - http://game4.pogo.com/applet-6.1.0.39/spider/spider-ob-assets.cab

O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.1.0.39/squelchies/squelchies-ob-assets.cab

O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.com/applet-6.1.0.39/peaks/peaks-ob-assets.cab

O16 - DPF: Word Whomp by pogo - http://game5.pogo.com/applet-6.1.0.39/wordwhomp/wordwhomp-ob-assets.cab

O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-6.1.0.39/whackdown/whackdown-ob-assets.cab

O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.1.0.39/wordjong/wordjong-ob-assets.cab

O16 - DPF: World Class Solitaire by pogo - http://game4.pogo.com/applet-6.1.0.39/worldclass/worldclass-ob-assets.cab

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124589471662

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://paris.tourismeville.wanadoo.fr/AxisCamControl.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (WebEyeControl) - http://www.mikethetiger.com/cam/wg_webeye.cab

O16 - DPF: {D81CA86B-EF63-42AF-BEE3-4502D9A03C2D} (MMRadioHostX Class) - http://wwws.musicmatch.com/graphics/WebPlayer/MMLRadio.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb01.pogo.com/game/deluxe/insaniquarium/popcaploader_v6.cab

O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab

O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab

O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://atlas.lsu.edu/acgm/acgm.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\eatel\security software\app\CurtainsSysSvcNt.exe

O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\brmfadx.exe

O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\iffgsvc.exe

 

1.2K Posts

August 23rd, 2005 16:00

Hello and Welcome Colbs,



If you don't already have it, download, install and run AdAware SE Personal.

-

Next, check for, and download any available updates:

1.  click "Check for updates now".
2.  Click "Connect".
3.  If updates(definitions) are available click "Ok", otherwise, click "Ok".
4.  Click "Finish".

-

Next, configure AdAware to be as effective as possible:

1.  Click the 'gear' in the upper-right hand corner of the AdAware Window.
2.  Click Scanning, and check(tick) the following:

   Scan within archives
   Scan active processes
   Scan registry
   Deep-scan registry
   Scan my IE Favorites for banned URLs
   Scan my Hosts file

3.  Click "Tweak".
4.  Click "Scanning Engine", then check(tick) the following:

   Unload recognized processes & modules during scan

5.  Click "Cleaning Engine", then check(tick) then following:

   Always try to unload modules before deletion
   During removal, unload Explorer and IE if necessary
   Let Windows remove files in use at next reboot
   Delete quarantined objects after restoring

6.  Then click "Proceed"

-

Now, let AdAware locate and remove anything it finds, by:

1.  Click "Start".
2.  Check(tick) "perform full system scan".
3.  Click "Next".

-

Exit the program.



If you don't already have it, download, install and run Spybot S & D. Next, update the current definitions by:

-

Next, check for, and download any available updates:

1. Click "Search for Updates".
2. Check(tick) all available updates.
3. Click "Download Updates".
4. Click "Search & Destroy".
5. Click "Check for Problems".

-

When the scan is completed:

1. Check(tick) everything that was found.
2. Click "Fix selected problems".

-

Click "Ok", then exit the program.



Go to Housecall, and then:

1.  Click "Free Online Scan".
2.  Click "Scan now, it's free".

It'll take a few minutes to download (especially with a dialup connection), so be patient. When it's done:

1.  Select all available drives.
2.  Check(tick) "Auto Clean".
3.  Click "Scan".

When it completes, post back the full filename of any files that cannot be cleaned or deleted.

Download and install CCleaner from http://www.ccleaner.com/.  Don't run it yet.



Go to Add/Remove programs and remove(uninstall) the following, if present:

   PalTalk

The above could appear anywhere within the entry. Be careful not to remove any personal or system software.



We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make.

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

After all of the fixes are complete it is very important that you enable Real-time Protection again.


Run HiJackThis and click "Scan", then check(tick) the following, if present:
O4 - HKLM\..\Run: [t7tS39j] mprbase.exe
O4 - HKLM\..\Run: [etoksdq] C:\WINDOWS\etoksdq.EXE
O4 - HKLM\..\Run: [gshhenc] C:\WINDOWS\gshhenc.EXE
O4 - HKLM\..\Run: [Bakra] C:\WINDOWS\System32\IEHost.exe
O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
   ...(Unless you've set these with an anti-spyware program like SpyBot's Immunize feature, have HiJackThis fix this.)

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://paris.tourismeville.wanadoo.fr/AxisCamControl.cab
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (WebEyeControl) - http://www.mikethetiger.com/cam/wg_webeye.cab
O16 - DPF: {F5820AD3-9B20-423E-B2AA-7AF2B4055746} (CRegistryDownload Class) - http://download.paltalk.com/download/0.x/regdload.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab

O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\brmfadx.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\iffgsvc.exe

Now, with all windows closed except HiJackThis, click "Fix checked".
How to see hidden files in Windows.
Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

folders...
    C:\Program Files\Paltalk

files...
    C:\WINDOWS\etoksdq.EXE
    C:\WINDOWS\gshhenc.EXE
    C:\WINDOWS\brmfadx.exe
    C:\WINDOWS\iffgsvc.exe
    C:\WINDOWS\System32\IEHost.exe

Search for...
    mprbase.exe
...using "Start | Search...".

-
Note that some of these file(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them from "Safe Mode".


Browse to your C:\Windows\Prefetch folder. Delete all the files in the Prefetch folder, but do not delete the Prefetch folder itself. Empty your Recycle Bin. Run CCleaner.



Post back a new log, and let me know how everything goes.
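The reply above picks out the F2, O4 and O23 lines to fix by hand. As an added illustration (not code from this thread or from HijackThis), the Python below applies the same kind of triage to those line types automatically; the scoring rules, the "suspicious" threshold and the helper names are my own assumptions, and the sample lines are taken from the first log in this thread with the Windows user name replaced by a placeholder.

```python
"""Heuristic triage of HijackThis v1.99 log lines.

Added example only: not code from this thread or from HijackThis.  The
scoring rules and the 'suspicious' threshold are my own assumptions.
"""
import re
from dataclasses import dataclass, field

WINDOWS_ROOT = r"c:\windows"
USERINIT = r"c:\windows\system32\userinit.exe"

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<value>.*)$")
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<target>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, points: int, reason: str) -> None:
        self.score += points
        self.reasons.append(reason)

    @property
    def level(self) -> str:
        # Threshold is an assumption: two weak signals, or one strong one.
        return "suspicious" if self.score >= 2 else "review"


def executable_path(target: str) -> str:
    """Program path from a Run value: strips quotes and trailing arguments.
    Unquoted paths may contain spaces, so cut after the first '.exe' token."""
    target = target.strip()
    if target.startswith('"'):
        end = target.find('"', 1)
        return target[1:end] if end > 0 else target[1:]
    m = re.match(r"(.*?\.exe)(?:\s|$)", target, re.IGNORECASE)
    return m.group(1) if m else target.split(" ")[0]


def directory_of(path: str) -> str:
    """Lower-cased parent folder, or '' for a bare filename."""
    path = path.strip().lower()
    return path.rsplit("\\", 1)[0] if "\\" in path else ""


def triage_line(line: str):
    """Score one log line; return a Finding when any rule fired, else None."""
    line = line.strip()
    f = Finding(line)
    if m := F2_RE.match(line):
        # Anything chained after userinit.exe is started at every logon.
        programs = [p.strip().lower() for p in m["value"].split(",") if p.strip()]
        extra = [p for p in programs if p != USERINIT]
        if extra:
            f.add(3, "extra program chained onto UserInit: " + ", ".join(extra))
    elif m := O4_RE.match(line):
        path = executable_path(m["target"])
        folder = directory_of(path)
        if folder == "":
            f.add(1, "bare filename, resolved through PATH at logon")
        elif folder == WINDOWS_ROOT:
            f.add(2, "executable directly in the Windows folder")
        elif "\\application data\\" in path.lower():
            f.add(2, "executable under a user's Application Data folder")
        if re.search(r"\d", m["name"]):
            f.add(1, "digits in the Run value name (weak signal)")
    elif m := O23_RE.match(line):
        if m["owner"].strip().lower() == "unknown owner":
            f.add(1, "service binary carries no resolvable owner")
        if directory_of(m["path"]) == WINDOWS_ROOT:
            f.add(2, "service binary directly in the Windows folder")
    return f if f.score > 0 else None


def triage(log: str) -> list:
    """All findings for a log, strongest first."""
    found = [f for f in (triage_line(l) for l in log.splitlines()) if f]
    return sorted(found, key=lambda f: -f.score)


# Constructed sample: lines taken from the first log in this thread, with the
# Windows user name replaced by a placeholder.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\AUserInit.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [t7tS39j] mprbase.exe
O4 - HKLM\..\Run: [etoksdq] C:\WINDOWS\etoksdq.EXE
O4 - HKLM\..\Run: [gshhenc] C:\WINDOWS\gshhenc.EXE
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\lpdggg.exe reg_run
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Aida] C:\Documents and Settings\<user>\Application Data\ttuh.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\brmfadx.exe
O23 - Service: Windows VisFx Components - Unknown owner - C:\WINDOWS\iffgsvc.exe
"""
```

Note what the rules miss: `[Bakra] C:\WINDOWS\System32\IEHost.exe` and `[winsync] ...\system32\lpdggg.exe` sit in System32 and score nothing, so rules like these narrow the list for a human reviewer but do not replace knowing which files are bad.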

 

10 Posts

August 25th, 2005 00:00

Thank you so much for your help!  I think all of the ads are gone.  The banners are gone for sure.  I did see a few familiar pop-ups earlier in the day, but they seem to have vanished.  Maybe a website I had open caused it?  I'm not sure.  Once again, thank you!!!
 
Here's the new log:
 
Logfile of HijackThis v1.99.1
Scan saved at 7:44:04 PM, on 8/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\cisvc.exe
c:\program files\eatel\security software\app\CurtainsSysSvcNt.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\HJT\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\AUserInit.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\EATEL\Security Software\app\AuthBHO.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: High Speed Security Software Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\EATEL\Security Software\app\AuthBHO.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [MemScanner] C:\Program Files\Enigma Software Group\SpyHunter\MemScanner.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\lpdggg.exe reg_run
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cw22RVHql] mpgb3032.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.hotmail.com
O16 - DPF: Aces Up! by pogo - http://game3.pogo.com/applet-6.1.0.39/aces/aces-ob-assets.cab
O16 - DPF: Backgammon by pogo - http://gammon.pogo.com/applet-6.1.0.39/backgammon/backgammon-ob-assets.cab
O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-6.1.0.39/canasta/canasta-ob-assets.cab
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://irc.everywherechat.com:8000/Java/cfs40320.cab
O16 - DPF: EZ Win Bingo by pogo - http://bingoe.pogo.com/applet-6.1.0.39/bingo/bingoe-ob-assets.cab
O16 - DPF: Interface Chat Voila - http://chat9.x-echo.com/version5/Applet/vchatsign.cab
O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.com/applet-6.1.0.39/mahjong/mahjong-ob-assets.cab
O16 - DPF: Pai Gow by pogo - http://game3.pogo.com/applet-6.1.0.39/paigow/paigow-ob-assets.cab
O16 - DPF: Phlinx by pogo - http://game4.pogo.com/applet-6.1.0.39/flinger/flinger-ob-assets.cab
O16 - DPF: Pirate's Gold by pogo - http://swashbucks.pogo.com/applet-6.1.0.39/piratesgold/piratesgold-ob-assets.cab
O16 - DPF: Poppit TM by pogo - http://game5.pogo.com/applet-6.1.0.39/poppit/poppit-ob-assets.cab
O16 - DPF: Ricochet by pogo - http://game4.pogo.com/applet-6.1.0.39/ricochet/ricochet-ob-assets.cab
O16 - DPF: Spider Solitaire by pogo - http://game4.pogo.com/applet-6.1.0.39/spider/spider-ob-assets.cab
O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.1.0.39/squelchies/squelchies-ob-assets.cab
O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.com/applet-6.1.0.39/peaks/peaks-ob-assets.cab
O16 - DPF: Word Whomp by pogo - http://game5.pogo.com/applet-6.1.0.39/wordwhomp/wordwhomp-ob-assets.cab
O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-6.1.0.39/whackdown/whackdown-ob-assets.cab
O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.1.0.39/wordjong/wordjong-ob-assets.cab
O16 - DPF: World Class Solitaire by pogo - http://game4.pogo.com/applet-6.1.0.39/worldclass/worldclass-ob-assets.cab
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124589471662
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D81CA86B-EF63-42AF-BEE3-4502D9A03C2D} (MMRadioHostX Class) - http://wwws.musicmatch.com/graphics/WebPlayer/MMLRadio.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb01.pogo.com/game/deluxe/insaniquarium/popcaploader_v6.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://atlas.lsu.edu/acgm/acgm.cab
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\eatel\security software\app\CurtainsSysSvcNt.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

1.2K Posts

August 25th, 2005 13:00

Hello Colbs,

You have a Qoologic infection we need to take care of.

Please print out or copy these instructions\tutorials to Notepad as the internet will be unavailable to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.
__________________________________________________________

Step 1.
==========

Please review how to see hidden files in Windows.
http://www.bleepingcomputer.com/forums/How_to_see_hidden_files_in_Windows-tut62.html/

Download the following tools but do not run programs until asked
- Download WinPFind.zip from http://www.bleepingcomputer.com/files/oldtimer/WinPFind.zip. Extract\Unzip it into its own folder in C:\Antispyware. Call it winpfind
- Download Trackqoo.zip from http://www.bleepingcomputer.com/files/mosaic1/Trackqoo.zip. Extract\Unzip it into its own folder in C:\Antispyware. Call it trackqoo

Step 2.
==========
Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu."
Launch ewido: there should be a big "E" icon on your desktop; double-click it.
The program will prompt you to update; click the "OK" button.
The program will now go to the main screen.
Update ewido:
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Click on Start
The update will start and a progress bar will show the updates being installed. After the updates are installed, exit ewido.
Do NOT run a scan yet.

Step 3.
==========
- Reboot the computer into "Safe Mode" using the F8 method:
- As soon as the BIOS is loaded, begin tapping the F8 key until the Boot Menu appears.
- Use the arrow keys to select the Safe Mode menu item. You will be in Safe Mode until Step 7.

Step 4.
==========
Make sure Hidden Files and Folders are showing per the previous instructions.

Step 5.
==========

Run Ewido:

  • Click [Scanner]
  • Click [Complete System Scan] to begin scanning.
  • Click [OK] when prompted to clean files
  • With the first file it prompts to clean, select the option - "Perform action on all infections" - & choose clean and click [OK].
  • Once finished, click the [Save report] button
  • Save the report to your desktop

Close Ewido

Step 6.
==========
- Browse to the C:\Antispyware\winpfind folder
- Double-click on the WinPFind.exe file to run it
- Click the Start Scan button to begin the scan (Note: Be patient... wait for it to finish)
- When it is done, it will show the results of the scan; save and close the file

Step 7.
==========
- Reboot into "Normal Mode"
- Browse to the C:\Antispyware\trackqoo folder
- Double-click on Track qoo.vbs to run it (Note: If your Antivirus has Script Blocking, you will get a pop-up window asking you what to do. Allow this Entire Script to Run)
- Wait a few seconds and a Notepad page will pop up; "Save" the file as trackqoo.txt in the C:\Antispyware\trackqoo folder

Step 8.
==========
- Post back a new fresh HJT log (from the new location)
- Post the Ewido scan results
- Post the WinPFind.txt file (located in the C:\Antispyware\winpfind folder)
- Post the Trackqoo.txt file (located in the C:\Antispyware\trackqoo folder)
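The helper above is reading the posted HJT log by eye for the things that usually give away a Qoologic-style infection: services with no registered vendor, startup entries that point at a bare file name instead of a full path, and entries with generated-looking names. As an added example (not part of this thread, and not code from HijackThis, WinPFind or Ewido), here is a small Python script that applies those same checks to O23 service lines and O4 Run-key lines. The O23 sample lines copy entries from the log posted in this thread; the O4 lines and the heuristics themselves (vowel-free names, Windows-root location) are constructed assumptions for the example, and a hit is a reason to look closer, not a verdict.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample in HijackThis line format (assumption: this is the shape of
# the "fresh HJT log" asked for in Step 8). The O23 lines copy service entries
# from the log posted in this thread; the O4 lines are constructed for the
# example from the Run-key data that the thread's WinPFind output lists.
SAMPLE_LOG = r"""
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKCU\..\Run: [cw22RVHql] mpgb3032.exe
"""

O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# First executable-looking token of a command line, quoted or not.
EXE_RE = re.compile(r'^"?(?P<path>[^"]+?\.(?:exe|com|dll|scr|pif|bat|cmd|vbs))', re.IGNORECASE)
# A file sitting directly in the Windows directory rather than in a subfolder.
WINROOT_RE = re.compile(r"^[a-z]:\\windows\\[^\\]+$", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    reasons: List[str] = field(default_factory=list)


def looks_random(name: str) -> bool:
    """Heuristic (assumption): five or more letters with no vowel at all reads
    like a generated name, e.g. cw22RVHql; SynTPLpr or Ati2evxx do not trip it."""
    letters = [c for c in name.lower() if c.isalpha()]
    return len(letters) >= 5 and not any(c in "aeiouy" for c in letters)


def image_path(cmd: str) -> str:
    """Extract the program path from a Run-key command line, dropping switches."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def path_checks(path: str, entry_name: str) -> List[str]:
    """Location and naming checks shared by service and Run-key entries."""
    reasons = []
    base = path.rsplit("\\", 1)[-1]
    stem = base.rsplit(".", 1)[0]
    if "\\" not in path:
        reasons.append("bare file name: resolved through the search path, not an absolute location")
    elif WINROOT_RE.match(path):
        reasons.append("executable sits directly in the Windows directory")
    if looks_random(entry_name) or looks_random(stem):
        reasons.append("generated-looking name")
    return reasons


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per O23/O4 line that trips at least one check."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons: List[str] = []
        m = O23_RE.match(line)
        if m:
            if m.group("owner") == "Unknown owner":
                reasons.append("service has no registered vendor")
            reasons += path_checks(m.group("path"), m.group("name"))
        m = O4_RE.match(line)
        if m:
            reasons += path_checks(image_path(m.group("cmd")), m.group("name"))
        if reasons:
            findings.append(Finding(line, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
```

Run against the sample it reports the two "Unknown owner" services and the cw22RVHql entry, and leaves the Synaptics and Command Software lines alone. Each finding carries the reason it was flagged so the person reading the log can decide whether it is a legitimate driver with a missing vendor string (Ati2evxx.exe is a good example of that) or something that belongs in the fix list.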

 

10 Posts

October 1st, 2005 01:00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fyknnnmk

{547ead25-b888-4714-9945-73c3b79ee0a3} = C:\WINDOWS\System32\jaknn.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ICQLiteMenu

{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Program Files\ICQLite\ICQLiteShell.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files

{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With

{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu

{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR

{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail

{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}

Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR

{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu

{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu

{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Program Files\ICQLite\ICQLiteShell.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files

{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing

{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR

{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}

= %SystemRoot%\system32\SHELL32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}

= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB}

PCTools Site Guard = C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A4D90779-6CB2-4752-83C2-A2AB4D9A672D}

AuthBHO.cBHO = C:\Program Files\EATEL\Security Software\app\AuthBHO.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B56A7D7D-6927-48C8-A975-17DF180C71AC}

PCTools Browser Monitor = C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}

&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}

&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}

Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

{64634180-B0EA-48B6-82B7-9620D33362C1} = High Speed Security Software Popup Blocker : C:\Program Files\EATEL\Security Software\app\AuthBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}

MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2D663D1A-8670-49D9-A1A5-4C56B4E14E84}

ButtonText = Spyware Doctor :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}

ButtonText = Messenger :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6224f700-cba3-4071-b251-47cb894244cd}

ButtonText = ICQ Pro : C:\PROGRA~1\ICQ\ICQ.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}

MenuText = Java :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}

ButtonText = AIM : C:\Program Files\AIM95\aim.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B863453A-26C3-4e1f-A54D-A2CD196348E9}

ButtonText = ICQ 4.0 : C:\Program Files\ICQLite\ICQLite.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}

ButtonText = Real.com :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{d81ca86b-ef63-42af-bee3-4502d9a03c2d}

ButtonText = MUSICMATCH MX Web Player :

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}

ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}

=

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}

&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}

Favorites Band = %SystemRoot%\System32\shdocvw.dll

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}

History Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser

{EF99BD32-C1FB-11D2-892F-0090271D4F88} = :

{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll

{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

{C7768536-96F8-4001-B1A2-90EE21279187} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

SynTPLpr C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

SynTPEnh C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

DVDSentry C:\WINDOWS\System32\DSentry.exe

DwlClient C:\Program Files\Common Files\Dell\EUSW\Support.exe

ATIModeChange Ati2mdxx.exe

CARPService carpserv.exe

SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

MemScanner C:\Program Files\Enigma Software Group\SpyHunter\MemScanner.exe

gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

ctfmon.exe C:\WINDOWS\system32\ctfmon.exe

cw22RVHql mpgb3032.exe

Spyware Doctor

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 8.0 Tray Icon.lnk

path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk

backup C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup

location Common Startup

command C:\Program Files\America Online 8.0\aoltray.exe -check

item America Online 8.0 Tray Icon

path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 8.0 Tray Icon.lnk

backup C:\WINDOWS\pss\America Online 8.0 Tray Icon.lnkCommon Startup

location Common Startup

command C:\Program Files\America Online 8.0\aoltray.exe -check

item America Online 8.0 Tray Icon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk

path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk

backup C:\WINDOWS\pss\AOL Companion.lnkCommon Startup

location Common Startup

command C:\Program Files\AOL Companion\companion.exe /s

item AOL Companion

path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL Companion.lnk

backup C:\WINDOWS\pss\AOL Companion.lnkCommon Startup

location Common Startup

command C:\Program Files\AOL Companion\companion.exe /s

item AOL Companion

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk

path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

location Common Startup

command C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE -h

item Kodak EasyShare software

path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk

backup C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

location Common Startup

command C:\PROGRA~1\Kodak\KODAKE~1\bin\EASYSH~1.EXE -h

item Kodak EasyShare software

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk

path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk

backup C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

location Common Startup

command C:\PROGRA~1\Kodak\KODAKS~1\7288971\614~1.37-\Program\runner.exe

item KODAK Software Updater

path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\KODAK Software Updater.lnk

backup C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup

location Common Startup

command C:\PROGRA~1\Kodak\KODAKS~1\7288971\614~1.37-\Program\runner.exe

item KODAK Software Updater

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office Fast Start.lnk

path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office Fast Start.lnk

backup C:\WINDOWS\pss\Microsoft Office Fast Start.lnkCommon Startup

location Common Startup

command C:\MSOffice\Office\FASTBOOT.EXE

item Microsoft Office Fast Start

path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office Fast Start.lnk

backup C:\WINDOWS\pss\Microsoft Office Fast Start.lnkCommon Startup

location Common Startup

command C:\MSOffice\Office\FASTBOOT.EXE

item Microsoft Office Fast Start

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office Find Fast Indexer.lnk

path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office Find Fast Indexer.lnk

backup C:\WINDOWS\pss\Microsoft Office Find Fast Indexer.lnkCommon Startup

location Common Startup

command C:\MSOffice\Office\FINDFAST.EXE /noui

item Microsoft Office Find Fast Indexer

path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office Find Fast Indexer.lnk

backup C:\WINDOWS\pss\Microsoft Office Find Fast Indexer.lnkCommon Startup

location Common Startup

command C:\MSOffice\Office\FINDFAST.EXE /noui

item Microsoft Office Find Fast Indexer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office Shortcut Bar.lnk

path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office Shortcut Bar.lnk

backup C:\WINDOWS\pss\Microsoft Office Shortcut Bar.lnkCommon Startup

location Common Startup

command C:\MSOffice\Office\MSOFFICE.EXE

item Microsoft Office Shortcut Bar

path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office Shortcut Bar.lnk

backup C:\WINDOWS\pss\Microsoft Office Shortcut Bar.lnkCommon Startup

location Common Startup

command C:\MSOffice\Office\MSOFFICE.EXE

item Microsoft Office Shortcut Bar

10 Posts

October 1st, 2005 01:00

logs continued...
 
---------------------------------------------------------

ewido security suite - Scan report

---------------------------------------------------------

+ Created on: 11:25:47 PM, 9/29/2005

+ Report-Checksum: 9E87DB01

+ Scan result:

HKLM\SOFTWARE\Classes\bundle.BundleObj\CLSID\\ -> Spyware.ClientMan : Cleaned with backup

HKLM\SOFTWARE\Classes\bundle.BundleObj.1\CLSID\\ -> Spyware.ClientMan : Cleaned with backup

HKLM\SOFTWARE\Classes\CLSID\\ -> Spyware.AproposMedia : Cleaned with backup

HKLM\SOFTWARE\Classes\CLSID\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37} -> Spyware.VX2 : Cleaned with backup

HKLM\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{6EC11407-5B2E-4E25-8BDF-77445B52AB37}\\ -> Spyware.VX2 : Cleaned with backup

HKLM\SOFTWARE\Microsoft\Internet Explorer\Extensions\{9E248641-0E24-4DDB-9A1F-705087832AD6}\\CLSID -> Spyware.VX2 : Cleaned with backup

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8F9FBEB8-D216-4d6c-8D21-513157E09C0D} -> Spyware.Maxspeed : Cleaned with backup

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1015.dll\\.Owner -> Spyware.Gator : Cleaned with backup

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1015.dll\\{DBAE7000-01EC-4162-8FEB-8A27AC937CA0} -> Spyware.Gator : Cleaned with backup

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nack.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@112.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@a.tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@adopt.specificclick[1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@ads.addynamix[2].txt -> Spyware.Cookie.Addynamix : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@ads.pointroll[1].txt -> Spyware.Cookie.Pointroll : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@as-eu.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@as1.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@banner.goldenpalace[2].txt -> Spyware.Cookie.Goldenpalace : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@bluestreak[1].txt -> Spyware.Cookie.Bluestreak : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@bss.serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@citi.bridgetrack[2].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@cnn.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@counter.hitslink[1].txt -> Spyware.Cookie.Hitslink : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@coxhsi.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@cz3.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@data.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@edge.ru4[2].txt -> Spyware.Cookie.Ru4 : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@ehg-acdsystems.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@ehg-bestbuy.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@ehg-betterphoto.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@ehg-cafepress.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@ehg-cbs.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@ehg-classifiedventures.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@ehg-console.hitbox[1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@ehg-dig.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@ehg-knightridder.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@ehg-logantod.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@ehg-nestleusainc.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@ehg.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@estat[1].txt -> Spyware.Cookie.Estat : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@goldenpalace[2].txt -> Spyware.Cookie.Goldenpalace : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@hypertracker[1].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@internetfuel[2].txt -> Spyware.Cookie.Internetfuel : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@linksynergy[1].txt -> Spyware.Cookie.Linksynergy : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@mt.valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@offers.shopathomeselect[1].txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@phg.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@polo.112.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@qksrv[1].txt -> Spyware.Cookie.Qksrv : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@sales.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@sel.as-us.falkag[1].txt -> Spyware.Cookie.Falkag : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@server.iad.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@spylog[2].txt -> Spyware.Cookie.Spylog : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@statse.webtrendslive[2].txt -> Spyware.Cookie.Webtrendslive : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@targetnet[1].txt -> Spyware.Cookie.Targetnet : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@twci.coremetrics[1].txt -> Spyware.Cookie.Coremetrics : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@valuead[1].txt -> Spyware.Cookie.Valuead : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@www.burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@www.goldenpalace[1].txt -> Spyware.Cookie.Goldenpalace : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@www.shopathomeselect[1].txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@www.smartadserver[2].txt -> Spyware.Cookie.Smartadserver : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Local Settings\Temp\Cookies\colby decoteau@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Local Settings\Temp\Cookies\colby decoteau@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Local Settings\Temp\Cookies\colby decoteau@linksynergy[2].txt -> Spyware.Cookie.Linksynergy : Cleaned with backup

C:\Documents and Settings\Colby Decoteau\Local Settings\Temp\Cookies\colby decoteau@sales.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup

C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\3876EEF4-7186-44D9-9685-3B207B.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\83B32C8F-B6F3-41A0-9D4F-40EB0B.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\A66159B7-9472-4CB0-A85A-44A1D2.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\CCEC91B9-BA76-43FB-87F7-02E3B3.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\F14BEDC5-7E3F-4376-838C-DDEB91.asq -> TrojanDownloader.Qoologic.ac : Cleaned with backup

10 Posts

October 1st, 2005 01:00


C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP353\A0049287.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP353\A0049288.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP353\A0049289.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP353\A0049290.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\WINDOWS\Downloaded Program Files\ClientAX.dll -> Spyware.180Solutions : Cleaned with backup

C:\WINDOWS\Downloaded Program Files\UWFX5LP_0001_0803NetInstaller.exe -> Not-A-Virus.Downloader.Agent.c : Cleaned with backup

C:\WINDOWS\offun.exe -> TrojanDownloader.VB.hw : Cleaned with backup

C:\WINDOWS\pss\nack.exeCommon Startup -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\WINDOWS\SYSTEM32\baqnnnd.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\WINDOWS\SYSTEM32\DRIVERS\df_kmd.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup

C:\WINDOWS\SYSTEM32\jaknn.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\WINDOWS\SYSTEM32\lpdggg.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\WINDOWS\SYSTEM32\puyaa.dat -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\WINDOWS\SYSTEM32\ssdjjjf.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\WINDOWS\SYSTEM32\vgactl.cpl -> TrojanDownloader.Qoologic.ad : Cleaned with backup

C:\WINDOWS\SYSTEM32\wuauclt.dll -> TrojanDownloader.Small : Cleaned with backup

::Report End

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600

Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

PECompact2 8/23/2005 9:42:46 PM 15656561 C:\WINDOWS\LPT$VPN.795

qoologic 8/23/2005 9:42:46 PM 15656561 C:\WINDOWS\LPT$VPN.795

SAHAgent 8/23/2005 9:42:46 PM 15656561 C:\WINDOWS\LPT$VPN.795

UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll

UPX! 8/23/2005 9:42:48 PM 170053 C:\WINDOWS\tsc.exe

PECompact2 8/23/2005 9:42:46 PM 15656561 C:\WINDOWS\VPTNFILE.795

qoologic 8/23/2005 9:42:46 PM 15656561 C:\WINDOWS\VPTNFILE.795

SAHAgent 8/23/2005 9:42:46 PM 15656561 C:\WINDOWS\VPTNFILE.795

UPX! 8/23/2005 9:42:48 PM 1044560 C:\WINDOWS\vsapi32.dll

aspack 8/23/2005 9:42:48 PM 1044560 C:\WINDOWS\vsapi32.dll

Checking %System% folder...

PEC2 8/29/2002 5:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC

Umonitor 3/27/2000 10:28:36 PM 331776 C:\WINDOWS\SYSTEM32\ipebase12.dll

PTech 8/3/2005 10:33:42 AM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL

PECompact2 9/8/2005 10:08:28 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe

aspack 9/8/2005 10:08:28 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe

UPX! 8/22/2001 7:00:00 PM 86030 C:\WINDOWS\SYSTEM32\msdjgk.dll

aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll

qoologic 11/30/2004 10:11:12 PM 7409533 C:\WINDOWS\SYSTEM32\pav.sig

aspack 11/30/2004 10:11:12 PM 7409533 C:\WINDOWS\SYSTEM32\pav.sig

SAHAgent 11/30/2004 10:11:12 PM 7409533 C:\WINDOWS\SYSTEM32\pav.sig

winsync 11/30/2004 10:11:12 PM 7409533 C:\WINDOWS\SYSTEM32\pav.sig

Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll

winsync 8/29/2002 5:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...

aspack 12/10/2004 10:30:48 AM R 707176 C:\WINDOWS\SYSTEM32\drivers\css-dvp.sys

PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...

9/29/2005 3:43:02 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT

9/28/2005 4:39:40 PM H 54156 C:\WINDOWS\QTFont.qfn

8/21/2005 10:19:32 AM H 0 C:\WINDOWS\INF\oem27.inf

8/21/2005 12:27:26 PM RHS 286777 C:\WINDOWS\PCHealth\HelpCtr\PackageStore\package_66.cab

8/22/2005 5:06:40 PM H 24335 C:\WINDOWS\SYSTEM32\ffastlog.txt

9/29/2005 3:42:48 PM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG

9/29/2005 3:43:28 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG

9/29/2005 3:43:06 PM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG

9/29/2005 11:25:02 PM H 221184 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG

9/29/2005 3:43:34 PM H 954368 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG

9/27/2005 8:58:32 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG

8/18/2005 4:41:28 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\6fc79634-9d5e-4cdc-b6c5-acf96d28ebfe

8/18/2005 4:41:28 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\Preferred

9/21/2005 10:09:10 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\3f769de9-3b71-4b04-bd0a-6a4359daab75

9/21/2005 10:09:10 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred

9/29/2005 3:39:26 PM H 6 C:\WINDOWS\Tasks\SA.DAT

8/25/2005 8:37:56 PM HS 589824 C:\WINDOWS\Temp\akgzvta1.TMP

Checking for CPL files...

Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl

Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl

11/12/1999 12:11:00 AM 183808 C:\WINDOWS\SYSTEM32\bdeadmin.cpl

Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl

Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl

3/20/1996 19456 C:\WINDOWS\SYSTEM32\FINDFAST.CPL

Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl

Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl

Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl

Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl

Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl

Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl

Sun Microsystems 9/28/2004 9:26:02 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl

Microsoft Corporation 8/29/2002 5:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL

Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl

Microsoft Corporation 8/29/2002 5:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL

Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl

Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl

Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl

Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl

Apple Computer, Inc. 4/8/2004 4:12:46 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl

SigmaTel Inc. 11/11/2002 5:57:32 PM 77824 C:\WINDOWS\SYSTEM32\STAC97.cpl

Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl

Microsoft Corporation 8/29/2002 5:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL

Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl

Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl

Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...

9/16/2005 10:52:00 PM 986 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk

9/3/2002 9:00:00 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI

8/10/2004 6:12:20 PM 863 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

9/3/2002 8:50:46 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI

8/10/2004 6:12:04 PM 188 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...

9/3/2002 9:00:00 AM HS 84 C:\Documents and Settings\Colby Decoteau\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %USERPROFILE%\Application Data folder...

9/3/2002 8:50:46 AM HS 62 C:\Documents and Settings\Colby Decoteau\Application Data\DESKTOP.INI

8/11/2003 1:02:40 PM 0 C:\Documents and Settings\Colby Decoteau\Application Data\dm.ini

6/25/2003 4:19:50 PM 12358 C:\Documents and Settings\Colby Decoteau\Application Data\PFP100JCM.{PB

6/25/2003 4:19:50 PM 61678 C:\Documents and Settings\Colby Decoteau\Application Data\PFP100JPR.{PB

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

ESB{B1E46CE2-0B01-493F-BB27-D87254A2C3BA} =

iebar =

acc=ventura5 =

acc= =

SV1 =

October 1st, 2005 01:00

Hi ALgal,

I'm sorry it has taken me so long to do this, but with school starting, the hurricanes, and all the craziness that resulted from that, my computer problems got pushed aside. I followed all the steps in your previous post yesterday, but I did have some run-ins with pop-ups today. I might need to run some of the scans from your first post again since it's been so long... if you think I should. Well, here are the logs you asked for, and thanks again for your help!

Note: I had to put an extra "s" in bss because of "prohibited content"

C:\Documents and Settings\Colby Decoteau\Cookies\colby decoteau@bss.serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup

Logfile of HijackThis v1.99.1

Scan saved at 8:51:42 PM, on 9/30/2005

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\WINDOWS\System32\DSentry.exe

C:\Program Files\Common Files\Dell\EUSW\Support.exe

C:\WINDOWS\system32\carpserv.exe

C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe

C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe

C:\WINDOWS\System32\Ati2evxx.exe

C:\WINDOWS\system32\cisvc.exe

c:\program files\eatel\security software\app\CurtainsSysSvcNt.exe

C:\Program Files\Common Files\Command Software\dvpapi.exe

C:\Program Files\ewido\security suite\ewidoctrl.exe

C:\WINDOWS\system32\drivers\KodakCCS.exe

C:\WINDOWS\System32\ScsiAccess.EXE

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\wanmpsvc.exe

C:\WINDOWS\System32\wbem\wmiapsrv.exe

C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\AIM95\aim.exe

C:\WINDOWS\system32\cidaemon.exe

C:\WINDOWS\system32\cidaemon.exe

C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;http://localhost;

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\AUserInit.exe

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll

O2 - BHO: AuthBHO.cBHO - {A4D90779-6CB2-4752-83C2-A2AB4D9A672D} - C:\Program Files\EATEL\Security Software\app\AuthBHO.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O3 - Toolbar: High Speed Security Software Popup Blocker - {64634180-B0EA-48B6-82B7-9620D33362C1} - C:\Program Files\EATEL\Security Software\app\AuthBHO.dll

O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe

O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe

O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe

O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe

O4 - HKLM\..\Run: [CARPService] carpserv.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe

O4 - HKLM\..\Run: [MemScanner] C:\Program Files\Enigma Software Group\SpyHunter\MemScanner.exe

O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [cw22RVHql] mpgb3032.exe

O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll

O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll

O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe

O9 - Extra button: (no name) - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)

O9 - Extra 'Tools' menuitem: Java - {9E248641-0E24-4DDB-9A1F-705087832AD6} - (no file)

O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe

O9 - Extra button: ICQ 4.0 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll

O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O15 - Trusted Zone: www.hotmail.com

O16 - DPF: Aces Up! by pogo - http://game3.pogo.com/applet-6.1.0.39/aces/aces-ob-assets.cab

O16 - DPF: Backgammon by pogo - http://gammon.pogo.com/applet-6.1.0.39/backgammon/backgammon-ob-assets.cab

O16 - DPF: Canasta by pogo - http://canasta.pogo.com/applet-6.1.0.39/canasta/canasta-ob-assets.cab

O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://irc.everywherechat.com:8000/Java/cfs40320.cab

O16 - DPF: EZ Win Bingo by pogo - http://bingoe.pogo.com/applet-6.1.0.39/bingo/bingoe-ob-assets.cab

O16 - DPF: Interface Chat Voila - http://chat9.x-echo.com/version5/Applet/vchatsign.cab

O16 - DPF: Mah Jong Garden by pogo - http://game4.pogo.com/applet-6.1.0.39/mahjong/mahjong-ob-assets.cab

O16 - DPF: Pai Gow by pogo - http://game3.pogo.com/applet-6.1.0.39/paigow/paigow-ob-assets.cab

O16 - DPF: Phlinx by pogo - http://game4.pogo.com/applet-6.1.0.39/flinger/flinger-ob-assets.cab

O16 - DPF: Pirate's Gold by pogo - http://swashbucks.pogo.com/applet-6.1.0.39/piratesgold/piratesgold-ob-assets.cab

O16 - DPF: Poppit TM by pogo - http://game5.pogo.com/applet-6.1.0.39/poppit/poppit-ob-assets.cab

O16 - DPF: Ricochet by pogo - http://game4.pogo.com/applet-6.1.0.39/ricochet/ricochet-ob-assets.cab

O16 - DPF: Spider Solitaire by pogo - http://game4.pogo.com/applet-6.1.0.39/spider/spider-ob-assets.cab

O16 - DPF: Squelchies by pogo - http://squelchies.pogo.com/applet-6.1.0.39/squelchies/squelchies-ob-assets.cab

O16 - DPF: Tri-Peaks by pogo - http://game4.pogo.com/applet-6.1.0.39/peaks/peaks-ob-assets.cab

O16 - DPF: Word Whomp by pogo - http://game5.pogo.com/applet-6.1.0.39/wordwhomp/wordwhomp-ob-assets.cab

O16 - DPF: Word Whomp Whackdown by pogo - http://whackdown.pogo.com/applet-6.1.0.39/whackdown/whackdown-ob-assets.cab

O16 - DPF: WordJong by pogo - http://wordjong.pogo.com/applet-6.1.0.39/wordjong/wordjong-ob-assets.cab

O16 - DPF: World Class Solitaire by pogo - http://game4.pogo.com/applet-6.1.0.39/worldclass/worldclass-ob-assets.cab

O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab

O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab

O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab

O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/pestscan/pestscan.cab

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124589471662

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab

O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab

O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {D81CA86B-EF63-42AF-BEE3-4502D9A03C2D} (MMRadioHostX Class) - http://wwws.musicmatch.com/graphics/WebPlayer/MMLRadio.cab

O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://playweb01.pogo.com/game/deluxe/insaniquarium/popcaploader_v6.cab

O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab

O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab

O16 - DPF: {F5D98C43-DB16-11CF-8ECA-0000C0FD59C7} (ActiveCGM Control) - http://atlas.lsu.edu/acgm/acgm.cab

O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab

O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe

O23 - Service: Curtains for Windows System Service (CurtainsSysSvc) - Authentium, Inc. - c:\program files\eatel\security software\app\CurtainsSysSvcNt.exe

O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

October 1st, 2005 01:00

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP340\A0045669.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP340\A0045670.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP340\A0045685.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP340\A0045686.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP340\A0045687.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP340\A0045688.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP340\A0045698.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP340\A0045699.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP340\A0045700.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP340\A0045701.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP340\A0045722.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP340\A0045723.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP340\A0045724.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP340\A0045725.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP340\A0045745.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP340\A0045746.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP340\A0045747.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP340\A0045748.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP340\A0045761.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP340\A0045762.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP340\A0045763.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP340\A0045764.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP340\A0045787.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP340\A0045788.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP340\A0045789.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP340\A0045790.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP341\A0045821.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP341\A0045822.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP341\A0045823.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP341\A0045824.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP341\A0045837.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP341\A0045838.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP341\A0045839.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP341\A0045840.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP342\A0045878.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP342\A0045879.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP342\A0045880.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP342\A0045881.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP342\A0046876.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP342\A0046877.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP342\A0046878.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP343\A0046889.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP343\A0046890.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP343\A0046891.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP343\A0046910.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP343\A0046911.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP343\A0046912.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP343\A0046913.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP343\A0046941.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP343\A0046942.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP343\A0046943.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP344\A0046970.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP344\A0046971.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP344\A0046972.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP344\A0046973.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP344\A0046985.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP344\A0046986.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP344\A0046987.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP344\A0046988.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP344\A0047003.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP344\A0047004.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP344\A0047005.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP344\A0047006.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP344\A0047029.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP344\A0047030.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP344\A0047031.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP344\A0047032.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP345\A0047059.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP345\A0047060.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP345\A0047061.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP345\A0047062.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP345\A0047077.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP345\A0047078.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP345\A0047079.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP345\A0047080.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP346\A0047114.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP346\A0047115.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP346\A0047116.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP346\A0047117.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP346\A0047131.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP346\A0047132.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP346\A0047133.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP346\A0047134.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP347\A0047152.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP347\A0047153.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP347\A0047154.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP347\A0047155.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP347\A0047184.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP347\A0047185.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP347\A0047186.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP347\A0047187.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP347\A0047202.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP347\A0047203.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP347\A0047204.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP347\A0047205.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP348\A0047237.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP348\A0047238.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP348\A0047239.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP348\A0047240.dll -> TrojanDownloader.Qoologic.ac : Cleaned with backup

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP348\A0047254.exe -> TrojanDownloader.Qoologic.ac : Cleaned with backup

10 Posts

October 1st, 2005 01:00

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^nack.exe

path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nack.exe

backup C:\WINDOWS\pss\nack.exeCommon Startup

location Common Startup

command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nack.exe

item nack

path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nack.exe

backup C:\WINDOWS\pss\nack.exeCommon Startup

location Common Startup

command C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nack.exe

item nack

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Colby Decoteau^Start Menu^Programs^Startup^Event Reminder.lnk

path C:\Documents and Settings\Colby Decoteau\Start Menu\Programs\Startup\Event Reminder.lnk

backup C:\WINDOWS\pss\Event Reminder.lnkStartup

location Startup

command C:\PROGRA~1\MINDSC~1\PRINTM~1\PMREMIND.EXE /Q

item Event Reminder

path C:\Documents and Settings\Colby Decoteau\Start Menu\Programs\Startup\Event Reminder.lnk

backup C:\WINDOWS\pss\Event Reminder.lnkStartup

location Startup

command C:\PROGRA~1\MINDSC~1\PRINTM~1\PMREMIND.EXE /Q

item Event Reminder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Colby Decoteau^Start Menu^Programs^Startup^PalNetaware.lnk

path C:\Documents and Settings\Colby Decoteau\Start Menu\Programs\Startup\PalNetaware.lnk

backup C:\WINDOWS\pss\PalNetaware.lnkStartup

location Startup

command C:\PROGRA~1\Paltalk\PNETAW~1.EXE

item PalNetaware

path C:\Documents and Settings\Colby Decoteau\Start Menu\Programs\Startup\PalNetaware.lnk

backup C:\WINDOWS\pss\PalNetaware.lnkStartup

location Startup

command C:\PROGRA~1\Paltalk\PNETAW~1.EXE

item PalNetaware

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AdaptecDirectCD

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item DirectCD

hkey HKLM

command "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item DirectCD

hkey HKLM

command "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Aida

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item ttuh

hkey HKCU

command C:\Documents and Settings\Colby Decoteau\Application Data\ttuh.exe

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item ttuh

hkey HKCU

command C:\Documents and Settings\Colby Decoteau\Application Data\ttuh.exe

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Bakra

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item IEHost

hkey HKLM

command C:\WINDOWS\System32\IEHost.exe

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item IEHost

hkey HKLM

command C:\WINDOWS\System32\IEHost.exe

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\iTunesHelper

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item iTunesHelper

hkey HKLM

command "C:\Program Files\iTunes\iTunesHelper.exe"

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item iTunesHelper

hkey HKLM

command "C:\Program Files\iTunes\iTunesHelper.exe"

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MCAgentExe

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item mcagent

hkey HKLM

command C:\Program Files\McAfee.com\Agent\mcagent.exe

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item mcagent

hkey HKLM

command C:\Program Files\McAfee.com\Agent\mcagent.exe

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MCUpdateExe

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item McUpdate

hkey HKLM

command C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item McUpdate

hkey HKLM

command C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\mmtask

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item mmtask

hkey HKLM

command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item mmtask

hkey HKLM

command C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item qttask

hkey HKLM

command "C:\Program Files\QuickTime\qttask.exe" -atboottime

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item qttask

hkey HKLM

command "C:\Program Files\QuickTime\qttask.exe" -atboottime

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SpyHunter

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item SpyHunter

hkey HKLM

command C:\Program Files\Enigma Software Group -Spyhunter\SpyHunter\SpyHunter.exe

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item SpyHunter

hkey HKLM

command C:\Program Files\Enigma Software Group -Spyhunter\SpyHunter\SpyHunter.exe

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TkBellExe

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item realsched

hkey HKLM

command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item realsched

hkey HKLM

command "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WinampAgent

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item winampa

hkey HKLM

command C:\Program Files\Winamp\winampa.exe

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item winampa

hkey HKLM

command C:\Program Files\Winamp\winampa.exe

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\winsync

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item lpdggg

hkey HKLM

command C:\WINDOWS\system32\lpdggg.exe reg_run

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item lpdggg

hkey HKLM

command C:\WINDOWS\system32\lpdggg.exe reg_run

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Yahoo! Pager

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item ypager

hkey HKCU

command C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

inimapping 0

key SOFTWARE\Microsoft\Windows\CurrentVersion\Run

item ypager

hkey HKCU

command C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet

inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state

system.ini 0

win.ini 0

bootini 2

services 0

startup 2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum

{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL

{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =

{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

dontdisplaylastusername 0

legalnoticecaption

legalnoticetext

shutdownwithoutlogon 1

undockwithoutlogon 1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

NoDriveTypeAutoRun 145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

xeqxxrookh.exe C:\WINDOWS\system\xeqxxrookh.exe

uaplekogbm.exe C:\WINDOWS\system\uaplekogbm.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system

disableregistrytools 0

disabletaskmgr 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]

PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll

CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll

WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll

SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]

UserInit = C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\AUserInit.exe

Shell = Explorer.exe

System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain

= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet

= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll

= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy

= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn

= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv

= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon

= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path

Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]

AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.

Scan completed on 9/29/2005 11:48:33 PM

 

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"

"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"

"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"

"DwlClient"="C:\\Program Files\\Common Files\\Dell\\EUSW\\Support.exe"

@=""

"ATIModeChange"="Ati2mdxx.exe"

"CARPService"="carpserv.exe"

"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_06\\bin\\jusched.exe"

"MemScanner"="C:\\Program Files\\Enigma Software Group\\SpyHunter\\MemScanner.exe"

"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""

"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

-----------------

HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers

Subkey --- fyknnnmk

{547ead25-b888-4714-9945-73c3b79ee0a3}

C:\WINDOWS\System32\jaknn.dll

Subkey --- ICQLiteMenu

{73B24247-042E-4EF5-ADC2-42F62E6FD654}

C:\Program Files\ICQLite\ICQLiteShell.dll

Subkey --- Offline Files

{750fdf0e-2a26-11d1-a3ea-080036587f03}

C:\WINDOWS\System32\cscui.dll

Subkey --- Open With

{09799AFB-AD67-11d1-ABCD-00C04FC30936}

C:\WINDOWS\system32\SHELL32.dll

Subkey --- Open With EncryptionMenu

{A470F8CF-A1E8-4f65-8335-227475AA5C46}

C:\WINDOWS\system32\SHELL32.dll

Subkey --- WinRAR

{B41DB860-8EE4-11D2-9906-E49FADC173CA}

C:\Program Files\WinRAR\rarext.dll

Subkey --- Yahoo! Mail

{5464D816-CF16-4784-B9F3-75C0DB52B499}

C:\PROGRA~1\Yahoo!\Common\ymmapi.dll

Subkey --- {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}

Start Menu Pin

C:\WINDOWS\system32\SHELL32.dll

=====================

HKEY_CLASSES_ROOT\Folder\shellex\ColumnHandlers

Subkey --- {0D2E74C4-3C34-11d2-A27E-00C04FC30871}

C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F01-7B1C-11d1-838f-0000F80461CF}

C:\WINDOWS\system32\SHELL32.dll

Subkey --- {24F14F02-7B1C-11d1-838f-0000F80461CF}

C:\WINDOWS\system32\SHELL32.dll

Subkey --- {66742402-F9B9-11D1-A202-0000F81FEDEE}

C:\WINDOWS\system32\SHELL32.dll

==============================

C:\Documents and Settings\All Users\Start Menu\Programs\Startup

Adobe Gamma Loader.lnk

DESKTOP.INI

hp psc 2000 Series.lnk

==============================

C:\Documents and Settings\Colby Decoteau\Start Menu\Programs\Startup

Adobe Gamma Loader.lnk

DESKTOP.INI

hp psc 2000 Series.lnk

DESKTOP.INI

==============================

C:\WINDOWS\SYSTEM32 cpl files

access.cpl Microsoft Corporation

appwiz.cpl Microsoft Corporation

bdeadmin.cpl Inprise Corporation

bthprops.cpl Microsoft Corporation

desk.cpl Microsoft Corporation

FINDFAST.CPL Microsoft Corporation

firewall.cpl Microsoft Corporation

hdwwiz.cpl Microsoft Corporation

inetcpl.cpl Microsoft Corporation

intl.cpl Microsoft Corporation

irprops.cpl Microsoft Corporation

joy.cpl Microsoft Corporation

jpicpl32.cpl Sun Microsystems

MAIN.CPL Microsoft Corporation

mmsys.cpl Microsoft Corporation

NCPA.CPL Microsoft Corporation

netsetup.cpl Microsoft Corporation

nusrmgr.cpl Microsoft Corporation

odbccp32.cpl Microsoft Corporation

powercfg.cpl Microsoft Corporation

QuickTime.cpl Apple Computer, Inc.

STAC97.cpl SigmaTel Inc.

sysdm.cpl Microsoft Corporation

TELEPHON.CPL Microsoft Corporation

timedate.cpl Microsoft Corporation

wscui.cpl Microsoft Corporation

wuaucpl.cpl Microsoft Corporation

 

Goodness, I hope that all turned out okay...

1.2K Posts

October 2nd, 2005 17:00

Hello Colbs,

You did fine with posting the logs.

How to see hidden files in Windows.

- Make sure Hidden Files and Folders are showing.
Please go here: Jotti Virus Scan from http://virusscan.jotti.org/

Click the "browse" button and locate this file:
C:\WINDOWS\System32\AUserInit.exe
Click "Open", then click the "Submit" button. Copy the results and paste them here.

=========
Download Pocket Killbox from http://www.bleepingcomputer.com/files/killbox.php and unzip it; save it to your Desktop. DO NOT RUN IT YET.
==========
- Reboot computer into "Safe Mode" Using the F8 method...

- Once in "Safe Mode"

We need to disable your Microsoft AntiSpyware Real-time Protection as it may interfere with the fixes that we need to make.

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

After all of the fixes are complete it is very important that you enable Real-time Protection again
==========
Please go to:
start-->run

and type this in:
regedit

Then click on the FILE menu and select Export. Save the file as backup, somewhere you will remember and will not delete.
IMPORTANT: make sure to set the export range to ALL
==========
Then, go to start-->run

and type this in:
notepad

to launch Notepad (not WordPad), and copy/paste the BOLD text below (including the REGEDIT4 line) into a new text file.

REGEDIT4

; context-menu handler that loads C:\WINDOWS\System32\jaknn.dll (see the WinPFind log above)
[-HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\fyknnnmk]

[-HKEY_CLASSES_ROOT\CLSID\{547ead25-b888-4714-9945-73c3b79ee0a3}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{547ead25-b888-4714-9945-73c3b79ee0a3}]

; rebuild the IE User-Agent token list with only the stock SP2 entry
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"cw22RVHql"=-

; MSConfig "disabled startup item" records that still point at the files below
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^nack.exe]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^Colby Decoteau^Start Menu^Programs^Startup^PalNetaware.lnk]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Aida]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Bakra]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\winsync]

; per-user policies Run key (runs at logon like HKCU\..\Run, but most tools do not list it)
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"xeqxxrookh.exe"=-
"uaplekogbm.exe"=-

- Save it as file name: fixqoo.reg  Save as file type: All files (*.*) and save it on your Desktop.
==========
Close all Windows and programs
=====
Run HiJackThis and click "Scan", then check(tick) the following, if present:
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\AUserInit.exe
O4 - HKCU\..\Run: [cw22RVHql] mpgb3032.exe
Now, with all windows closed except HiJackThis, click "Fix checked".
=========
Locate and delete the following item(s), if present. Make sure you're able to view system and hidden files/folders:

 Search for...
    mpgb3032.exe
...using "Start | Search...".
-
Note that some of these file(s) may or may not be present.

==========
Double-click on KillBox.exe to launch the program.
- Highlight the files in bold RED below and press the Ctrl key and the C key at the same time to copy them to the clipboard
C:\WINDOWS\Temp\akgzvta1.TMP
C:\WINDOWS\System32\jaknn.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nack.exe
C:\WINDOWS\pss\nack.exe
C:\Documents and Settings\Colby Decoteau\Application Data\ttuh.exe
C:\WINDOWS\System32\IEHost.exe
C:\WINDOWS\system32\lpdggg.exe
C:\WINDOWS\system\xeqxxrookh.exe
C:\WINDOWS\system\uaplekogbm.exe

In Killbox click on the File menu and then the Paste from Clipboard item
- In the Full Path of File to Delete field drop down the arrow and make sure that all of the files are listed
- Click the option to Delete on Reboot
- If not greyed out click the checkbox for Unregister .dll Before Deleting
- Click End Explorer Shell while Killing File
- Now click on the red button with a white 'X' in the middle to delete the files
- Click Yes when it says all files will be deleted on the next reboot
- Click Yes when it asks if you want to reboot now
(Note: If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just reboot manually)
==========
- Locate the fixqoo.reg file on your desktop and right-click on it
- Choose Merge from the popup menu and answer Yes or Ok to any further prompts
==========
We now need to cleanup all the Temp, Temporary Internet Files, Recycle Bin, etc... for all Profile/accounts on this PC
- go to  Start =>Run =>enter  cleanmgr
Check Temporary Internet Files, Recycle Bin, Temporary Files
- After complete close program
==========
Reboot into Safe Mode
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.
==========
Double-click WinPFind.exe
Click "Start Scan"
It will scan the entire System, so please be patient!
Once the Scan is Complete, go to the WinPFind folder
Locate WinPFind.txt
Place those results in the next post!
==========
Reboot back to Normal Mode!
==========
Double Click on "Track qoo.vbs"

Note - If your antivirus has script blocking, you will get a pop-up window asking you what to do. Allow this entire script to run, it's harmless!

Wait a few seconds and a Notepad page will pop up. Copy & paste those results and place them in the next post along with the results of WinPFind and a new HijackThis log.

 

Message Edited by ALgal on 10-02-2005 01:58 PM
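Added example (not from this thread, and not one of the tools used in it). The WinPFind log posted above and the fix list in the reply both come down to a handful of autorun locations that this downloader family abused: the Winlogon UserInit value (AUserInit.exe appended after the real userinit.exe), the per-user policies\Explorer\Run key, Run values that point into Application Data or the old C:\WINDOWS\system directory, a bare filename with no path (mpgb3032.exe), and randomly named executables in system32. The Python script below parses a REGEDIT4 export of those keys, applies those structural rules, and drafts a removal file of the same shape as fixqoo.reg. The sample export is constructed from names and paths in the posted log; the rule names, the high/low confidence split and the XP default UserInit value are this script's own assumptions.

```python
"""Audit autorun entries from a REGEDIT4 export and draft a REGEDIT4 removal file
(the shape of fixqoo.reg above).  Added example, not a tool from the thread; the
sample export is constructed from the posted WinPFind log."""
import re
from collections import namedtuple

SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit"="C:\\WINDOWS\\system32\\userinit.exe,C:\\WINDOWS\\System32\\AUserInit.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"IEHost"="C:\\WINDOWS\\System32\\IEHost.exe"
"lpdggg"="C:\\WINDOWS\\system32\\lpdggg.exe reg_run"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ttuh"="C:\\Documents and Settings\\Colby Decoteau\\Application Data\\ttuh.exe"
"cw22RVHql"="mpgb3032.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"xeqxxrookh.exe"="C:\\WINDOWS\\system\\xeqxxrookh.exe"
'''

Finding = namedtuple("Finding", "key name command rule confidence")
XP_DEFAULT_USERINIT = "C:\\WINDOWS\\system32\\userinit.exe,"  # assumption: stock XP value
UNUSUAL_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\windows\\system\\")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return re.sub(r"\\(.)", r"\1", s)

def _escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')

def parse_regedit4(text):
    # {key: {value_name: string}} for the REG_SZ values of an export
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][_unescape(m.group(1) or "@")] = _unescape(m.group(2))
    return keys

def image_path(command):
    # first token of a Run command: the quoted path, else everything up to .exe
    m = re.match(r'"([^"]+)"|(.*?\.exe)', command, re.I)
    return (m.group(1) or m.group(2)) if m else (command.split() or [command])[0]

def looks_generated(stem):
    """Crude random-name test: under 20% vowels, or a run of 4+ consonants."""
    letters = "".join(c for c in stem.lower() if c.isalpha())
    runs = re.findall(r"[^aeiou]+", letters)
    return len(letters) >= 5 and (
        sum(c in "aeiou" for c in letters) / len(letters) < 0.2 or max(map(len, runs), default=0) >= 4)

def audit(export_text):
    findings = []
    for key, values in parse_regedit4(export_text).items():
        k = key.lower()
        if k.endswith("\\winlogon"):  # UserInit is a comma list; extras run at every logon
            for entry in (e.strip() for e in values.get("UserInit", "").split(",")):
                if entry and entry.lower().rsplit("\\", 1)[-1] != "userinit.exe":
                    findings.append(Finding(key, "UserInit", entry, "userinit-extra", "high"))
        elif k.endswith("\\run"):
            for name, command in values.items():
                p = image_path(command).lower()
                if k.endswith("\\policies\\explorer\\run"):
                    rule, conf = "policies-run", "high"      # rarely used by legitimate software
                elif any(d in p for d in UNUSUAL_DIRS):
                    rule, conf = "unusual-location", "high"  # profile dirs or the 16-bit \system dir
                elif "\\" not in p:
                    rule, conf = "bare-filename", "high"     # resolved by PATH search at logon
                elif "\\program files\\" not in p and looks_generated(p.rsplit("\\", 1)[-1].rsplit(".", 1)[0]):
                    rule, conf = "generated-name", "low"     # noisy; confirm by scanning the file
                else:
                    continue
                findings.append(Finding(key, name, command, rule, conf))
    return findings

def removal_reg(findings):
    """REGEDIT4 text undoing the high-confidence findings; low ones become ';' review notes."""
    by_key = {}
    for f in findings:
        by_key.setdefault(f.key, []).append(f)
    lines = ["REGEDIT4", ""]
    for key, fs in by_key.items():
        lines.append("[%s]" % key)
        if any(f.rule == "userinit-extra" for f in fs):
            lines.append('"UserInit"="%s"' % _escape(XP_DEFAULT_USERINIT))  # restore the stock value
        for f in (f for f in fs if f.rule != "userinit-extra"):
            lines.append('"%s"=-' % _escape(f.name) if f.confidence == "high"
                         else "; review %s (%s): %s" % (f.name, f.rule, f.command))
        lines.append("")
    return "\n".join(lines)

if __name__ == "__main__":
    print(removal_reg(audit(SAMPLE_EXPORT)))
```

Two things the sample is meant to show. IEHost.exe is not flagged at all: a plain-looking name sitting in System32 passes every structural rule, which is why the reply sends a file to Jotti instead of trusting the log alone. And the name heuristic is deliberately emitted only as ";" review comments, because it also trips on legitimate Dell components such as DSentry.exe. Merging the draft removes registry entries only; the files still need the delete-on-reboot step from the reply, since a DLL loaded as a shell extension (jaknn.dll here) stays locked for as long as Explorer is running.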
