HELP HJT log

edifier · 09-18-2006, 11:54 PM

Go to ADD/REMOVE Programs and get rid of the following.

Koolbar.net - Toolbar
PartyPoker (if you don't use)
Sysnet
Viewpoint Manager (Remove Only)
Viewpoint Media Player (Remove Only)
Windows VisFx Components

Reboot and navigate to C/Program Files and remove any of these folders if still present.

Run ATF cleaner (select all)

Next go here http://forums.majorgeeks.com/showthread.php?t=74265 and follow these removal instructions. It must be run from safemode.Once completed, return to (safemode with networking) and run this online scan here http://www.trendmicro.com/spyware-scan/ .Once finished, reboot into normal windows and post a fresh 'HJT' log.

HELP_ME · 09-19-2006, 08:36 PM

alright i got rid of all except for koolbar.net - toolbar because it doesnt let me remove, nothing happens when i try and remove. that is why i still have it there.

edifier · 09-19-2006, 11:46 PM

Just follow the rest of the instructions and if still present, we'll get rid of it manually.

HELP_ME · 09-23-2006, 04:24 PM

Logfile of HijackThis v1.99.1
Scan saved at 11:24:07 AM, on 9/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Updater.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\Documents and Settings\Matthew April\My Documents\My Received Files\anti-spy\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar =
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0. dll (file missing)
O3 - Toolbar: Search - {215303D2-42B9-A7EC-7414-5630B3DD8F1A} - C:\WINDOWS\Cagxrcfg.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [lfsqbiqafb] C:\WINDOWS\System32\wqupxsmg.exe
O4 - HKLM\..\Run: [kjefel] C:\WINDOWS\kjefel.exe
O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe
O4 - HKLM\..\Run: [inhttpw] C:\WINDOWS\System32\inhttpw.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [wshatm] "C:\WINDOWS\system32\wshatm.exe"
O4 - HKCU\..\Run: [wlnotify] "C:\WINDOWS\system32\wlnotify.exe"
O4 - HKCU\..\Run: [vxblock] "C:\WINDOWS\system32\vxblock.exe"
O4 - HKCU\..\Run: [version] C:\WINDOWS\System32\version.exe
O4 - HKCU\..\Run: [shfolder] "C:\WINDOWS\system32\shfolder.exe"
O4 - HKCU\..\Run: [s3gnb] "C:\WINDOWS\system32\s3gnb.exe"
O4 - HKCU\..\Run: [raschap] "C:\Documents and Settings\Matthew April\raschap.exe"
O4 - HKCU\..\Run: [netcfgx] "C:\WINDOWS\system32\netcfgx.exe"
O4 - HKCU\..\Run: [netapi] "C:\WINDOWS\system32\netapi.exe"
O4 - HKCU\..\Run: [kbduzb] "C:\WINDOWS\system32\kbduzb.exe"
O4 - HKCU\..\Run: [kbdus] "C:\WINDOWS\system32\kbdus.exe"
O4 - HKCU\..\Run: [kbdinbe1] "C:\WINDOWS\system32\kbdinbe1.exe"
O4 - HKCU\..\Run: [kbdhe] "C:\WINDOWS\system32\kbdhe.exe"
O4 - HKCU\..\Run: [jgmd400] "C:\WINDOWS\system32\jgmd400.exe"
O4 - HKCU\..\Run: [ir41_qcx] "C:\WINDOWS\system32\ir41_qcx.exe"
O4 - HKCU\..\Run: [infosoft] "C:\WINDOWS\system32\infosoft.exe"
O4 - HKCU\..\Run: [inetclnt] "C:\WINDOWS\system32\inetclnt.exe"
O4 - HKCU\..\Run: [hsfcisp2] "C:\WINDOWS\system32\hsfcisp2.exe"
O4 - HKCU\..\Run: [fkfw] C:\PROGRA~1\COMMON~1\fkfw\fkfwm.exe
O4 - HKCU\..\Run: [eventcls] "C:\WINDOWS\system32\eventcls.exe"
O4 - HKCU\..\Run: [dmband] "C:\WINDOWS\system32\dmband.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cscui] "C:\Documents and Settings\Matthew April\cscui.exe"
O4 - HKCU\..\Run: [iprtcnst] "C:\WINDOWS\system32\iprtcnst.exe"
O4 - HKCU\..\Run: [atiicdxx] "C:\WINDOWS\system32\atiicdxx.exe"
O4 - HKCU\..\Run: [rmoc3260] "C:\WINDOWS\system32\rmoc3260.exe"
O4 - HKCU\..\Run: [getuname] "C:\WINDOWS\system32\getuname.exe"
O4 - HKCU\..\Run: [vdmdbg] "C:\WINDOWS\system32\vdmdbg.exe"
O4 - HKCU\..\Run: [resutils] "C:\WINDOWS\system32\resutils.exe"
O4 - HKCU\..\Run: [lftif11n] "C:\WINDOWS\system32\lftif11n.exe"
O4 - HKCU\..\Run: [uniplat] "C:\WINDOWS\system32\uniplat.exe"
O4 - HKCU\..\Run: [msr2cenu] "C:\WINDOWS\system32\msr2cenu.exe"
O4 - HKCU\..\Run: [mmcbase] "C:\WINDOWS\system32\mmcbase.exe"
O4 - HKCU\..\Run: [msorc32r] "C:\WINDOWS\system32\msorc32r.exe"
O4 - HKCU\..\Run: [wmiprop] "C:\WINDOWS\system32\wmiprop.exe"
O4 - HKCU\..\Run: [dmscript] "C:\WINDOWS\system32\dmscript.exe"
O4 - HKCU\..\Run: [wmerror] "C:\WINDOWS\system32\wmerror.exe"
O4 - HKCU\..\Run: [qasf] "C:\WINDOWS\system32\qasf.exe"
O4 - HKCU\..\Run: [6to4svc] "C:\WINDOWS\system32\6to4svc.exe"
O4 - HKCU\..\Run: [dpwsock] "C:\WINDOWS\system32\dpwsock.exe"
O4 - HKCU\..\Run: [kbdir] "C:\WINDOWS\system32\kbdir.exe"
O4 - HKCU\..\Run: [pjlmon] "C:\WINDOWS\system32\pjlmon.exe"
O4 - HKCU\..\Run: [dispex] "C:\WINDOWS\system32\dispex.exe"
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/p...n/pestscan.cab
O16 - DPF: {563EC66E-5A1B-51D2-1DB0-5080C83DA4EB} - ms-its:mhtml:file://C:ie.mht!http://69.50.164.12/exp/mht/sext02.c...aInstaller.exe
O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/instal...sinstaller.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\pychdprf.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

edifier · 09-23-2006, 05:12 PM

Okay. Still a mess. Lets try a few specialty tools.

Download VundoFix.exe- http://www.atribune.org/ccount/click.php?id=4 to your desktop.

Double-click VundoFix.exe to run it.
* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the
Scan for Vundo button." when VundoFix appears at reboot.

A log called vundofix.txt will be created in your C:\ directory. Please post that log.

HELP_ME · 09-23-2006, 05:47 PM

VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.4

Java version is 1.5.0.6

Scan started at 12:34:49 PM 9/23/2006

Listing files found while scanning....

No infected files were found.

Beginning removal...

edifier · 09-23-2006, 06:12 PM

Next One.

Download SmitFraudFix from this link http://siri.urz.free.fr/Fix/SmitfraudFix.zip Then extract the contents to your desktop.

Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd"
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Post that log.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Do not run any other options as they will damage your desktop if run on an uninfected computer.

HELP_ME · 09-23-2006, 06:22 PM

you already had me fix this... it was one of the fixes under SmitRem and nothing was detected so.... do you still want me to do it?

edifier · 09-23-2006, 06:54 PM

Sorry for that. Very busy this morning and this thread has spanned quite a few days. I want you to do the following dianogstic scan from Kaspersky http://kaspersky.com/kos/english/kavwebscan.html
Click Accept
When the updates are finished downloading, click Next, Scan Settings
Under Scan using the following antivirus database:, select extended
Make sure the Scan Archives and Scan Mail Bases options are selected as well. Click OK
Click My Computer and wait for the scan to finish
Click Save Report As. Under Save as type:, select Text file. Save this log to your Desktop. Post a copy of it here.

HELP_ME · 09-23-2006, 09:31 PM

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, September 23, 2006 4:27:48 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 23/09/2006
Kaspersky Anti-Virus database records: 225954
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 123778
Number of viruses found: 43
Number of infected objects: 137 / 0
Number of suspicious objects: 2
Duration of the scan process: 01:09:31

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DAT A Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MA P Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MA P Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\SSS1.exe/AlxRes.dll Infected: not-a-virus:AdWare.Win32.AlexaBar.a skipped
C:\WINDOWS\system32\SSS1.exe InstallCreator: infected - 1 skipped
C:\WINDOWS\system32\SSS1.exe UPX: infected - 1 skipped
C:\WINDOWS\system32\desktrf.exe/data0002 Infected: not-a-virus:AdWare.Win32.Beginto.b skipped
C:\WINDOWS\system32\desktrf.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\lvvkammr.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
C:\WINDOWS\system32\8jqs4hc1.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.lo g Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{AD3F46 45-B27F-42A8-A057-D1B9DBF561F4}.bin Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Megasearch.zip/MegasearchBarSetup.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Megasearch.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tim April\Local Settings\Temporary Internet Files\Content.IE5\S16FWXMN\minisetup2[1].exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.ep skipped
C:\Documents and Settings\Tim April\Local Settings\Temporary Internet Files\Content.IE5\S16FWXMN\minisetup2[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Matthew April\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Matthew April\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Matthew April\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Matthew April\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Matthew April\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Matthew April\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Matthew April\Local Settings\Temp\~DF2BD5.tmp Object is locked skipped
C:\Documents and Settings\Matthew April\My Documents\Downloads\Half-LIfe_PLUS_CS1.5_PLus\Half-Life.zip/Half-Life/hltv.exe Infected: not-a-virus:Server-Proxy.Win32.Hltv skipped
C:\Documents and Settings\Matthew April\My Documents\Downloads\Half-LIfe_PLUS_CS1.5_PLus\Half-Life.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Matthew April\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\Tspd[1].exe.bac_a00168/data0002 Infected: not-a-virus:AdWare.Win32.Agent.e skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\Tspd[1].exe.bac_a00168 NSIS: infected - 1 skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\Tspd[1].exe.bac_a00168 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\Tspd[2].exe.bac_a00168/data0002 Infected: not-a-virus:AdWare.Win32.Agent.e skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\Tspd[2].exe.bac_a00168 NSIS: infected - 1 skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\Tspd[2].exe.bac_a00168 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0016135.exe.bac_a0 0168 Infected: Trojan-Dropper.Win32.Agent.tb skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017414.exe.bac_a0 0168/data0002/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017414.exe.bac_a0 0168/data0002/data0004 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017414.exe.bac_a0 0168/data0002/data0005 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017414.exe.bac_a0 0168/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017414.exe.bac_a0 0168/data0008 Infected: Trojan-Downloader.Win32.Keenval.e skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017414.exe.bac_a0 0168/data0009 Infected: Trojan-Downloader.Win32.Keenval.e skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017414.exe.bac_a0 0168 NSIS: infected - 6 skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017414.exe.bac_a0 0168 CryptFF.b: infected - 6 skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017448.dll.bac_a0 0168 Infected: not-a-virus:AdWare.Win32.Beginto.b skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0014018.exe.bac_a0 0168/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0014018.exe.bac_a0 0168/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0014018.exe.bac_a0 0168/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0014018.exe.bac_a0 0168/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.az skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0014018.exe.bac_a0 0168/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.az skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0014018.exe.bac_a0 0168 CAB: infected - 5 skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0014018.exe.bac_a0 0168 CryptFF.b: infected - 5 skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017451.dll.bac_a0 0168 Infected: not-a-virus:AdWare.Win32.Sahat.g skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017415.exe.bac_a0 0168/data0003/data0001 Infected: not-a-virus:AdWare.Win32.WebRebates.g skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017415.exe.bac_a0 0168/data0003 Infected: not-a-virus:AdWare.Win32.WebRebates.g skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017415.exe.bac_a0 0168/data0003 Infected: not-a-virus:AdWare.Win32.WebRebates.b skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017415.exe.bac_a0 0168/data0004 Infected: not-a-virus:AdWare.Win32.HelpExpress skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017415.exe.bac_a0 0168/data0005 Infected: not-a-virus:AdWare.Win32.WebRebates.b skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017415.exe.bac_a0 0168 NSIS: infected - 5 skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017415.exe.bac_a0 0168 CryptFF.b: infected - 5 skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\cmmanupd[1].exe.bac_a00168/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.m skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\cmmanupd[1].exe.bac_a00168 NSIS: infected - 1 skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\cmmanupd[1].exe.bac_a00168 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017533.exe.bac_a0 0168/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.m skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017533.exe.bac_a0 0168 NSIS: infected - 1 skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017533.exe.bac_a0 0168 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017447.exe.bac_a0 0168/data0002 Infected: not-a-virus:AdWare.Win32.Beginto.a skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017447.exe.bac_a0 0168/data0003 Infected: not-a-virus:AdWare.Win32.Beginto.a skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017447.exe.bac_a0 0168 NSIS: infected - 2 skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017447.exe.bac_a0 0168 CryptFF.b: infected - 2 skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017455.exe.bac_a0 0168/data0002 Infected: not-a-virus:AdWare.Win32.BookedSpace.c skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017455.exe.bac_a0 0168 NSIS: infected - 1 skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017455.exe.bac_a0 0168 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017450.dll.bac_a0 0168 Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\setup[1].exe.bac_a00168/stream/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.n skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\setup[1].exe.bac_a00168/stream/data0003 Infected: not-a-virus:AdWare.Win32.CASClient.f skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\setup[1].exe.bac_a00168/stream Infected: not-a-virus:AdWare.Win32.CASClient.f skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\setup[1].exe.bac_a00168 NSIS: infected - 3 skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\setup[1].exe.bac_a00168 CryptFF.b: infected - 3 skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017468.exe.bac_a0 0168 Infected: not-a-virus:AdWare.Win32.CASClient.f skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017411.dll.bac_a0 0168 Infected: Trojan-Dropper.Win32.Small.abe skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017419.dll.bac_a0 0168 Infected: not-a-virus:AdWare.Win32.HotSearchBar.b skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017413.exe.bac_a0 0168/data0001 Infected: Trojan-Downloader.NSIS.Agent.a skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017413.exe.bac_a0 0168 NSIS: infected - 1 skipped
C:\Documents and Settings\Matthew April\.housecall6.6\Quarantine\A0017413.exe.bac_a0 0168 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\U20D.tmp/InpB/TvmBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.c skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\U20D.tmp/InpB/TvmCore.dll Infected: not-a-virus:AdWare.Win32.TotalVelocity.aa skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\U20D.tmp/InpB/Tvm.exe Infected: not-a-virus:AdWare.Win32.TotalVelocity.aa skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\U20D.tmp/InpB Infected: not-a-virus:AdWare.Win32.TotalVelocity.aa skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\U20D.tmp CAB: infected - 4 skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\WIN218.tmp Infected: not-a-virus:AdWare.Win32.HotSearchBar.b skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV176.tmp/data0003 Infected: Trojan-Downloader.Win32.Apropo.r skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV176.tmp NSIS: infected - 1 skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV177.tmp/data0003 Infected: Trojan-Downloader.Win32.Apropo.r skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV177.tmp NSIS: infected - 1 skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV178.tmp/data0003 Infected: Trojan-Downloader.Win32.Apropo.r skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV178.tmp NSIS: infected - 1 skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV5.tmp/data0003 Infected: Trojan-Downloader.Win32.Agent.oa skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV5.tmp NSIS: infected - 1 skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV6.tmp/data0003 Infected: not-a-virus:AdWare.Win32.Sahat.al skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV6.tmp NSIS: infected - 1 skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV7.tmp/data0003 Infected: Trojan-Downloader.Win32.Agent.oa skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV7.tmp NSIS: infected - 1 skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV8.tmp/data0003 Infected: not-a-virus:AdWare.Win32.Sahat.al skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV8.tmp NSIS: infected - 1 skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV9.tmp/data0003 Infected: Trojan-Downloader.Win32.Agent.oa skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV9.tmp NSIS: infected - 1 skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV45.tmp/data0003 Infected: Trojan-Downloader.Win32.Agent.oa skipped
C:\Documents and Settings\Deborah Revtak\Local Settings\Temp\INV45.tmp NSIS: infected - 1 skipped
C:\Documents and Settings\Deborah Revtak\cpdef2.exe/data0003 Infected: Trojan-Downloader.Win32.Apropo.r skipped
C:\Documents and Settings\Deborah Revtak\cpdef2.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Deborah Revtak\ridemgInst.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.oa skipped
C:\Documents and Settings\Deborah Revtak\ridemgInst.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Deborah Revtak\sahInst.exe/data0003 Infected: not-a-virus:AdWare.Win32.Sahat.al skipped
C:\Documents and Settings\Deborah Revtak\sahInst.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Tiffany April\Desktop\cpdef2.exe/data0003 Infected: Trojan-Downloader.Win32.Apropo.r skipped
C:\Documents and Settings\Tiffany April\Desktop\cpdef2.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Tiffany April\cpdef3.exe/data0003 Infected: Trojan-Downloader.Win32.Apropo.ab skipped
C:\Documents and Settings\Tiffany April\cpdef3.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Tiffany April\ridemgInst.exe/data0003 Infected: Trojan-Downloader.Win32.Agent.oa skipped
C:\Documents and Settings\Tiffany April\ridemgInst.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Tiffany April\sahInst.exe/data0003 Infected: not-a-virus:AdWare.Win32.Sahat.al skipped
C:\Documents and Settings\Tiffany April\sahInst.exe NSIS: infected - 1 skipped
C:\Program Files\a-squared Free\Quarantine\4af56e3cce8a9dafdced624efd46a550.a 2q/WINDOWS/inst/3p_2.exe/WISE0001.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\Program Files\a-squared Free\Quarantine\4af56e3cce8a9dafdced624efd46a550.a 2q/WINDOWS/inst/3p_2.exe/WISE0007.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\Program Files\a-squared Free\Quarantine\4af56e3cce8a9dafdced624efd46a550.a 2q/WINDOWS/inst/3p_2.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\Program Files\a-squared Free\Quarantine\4af56e3cce8a9dafdced624efd46a550.a 2q ZIP: infected - 3 skipped
C:\Program Files\a-squared Free\Quarantine\f8fdc8b497924ff43800ef040335728b.a 2q/WINDOWS/system32/MegasearchBarSetup.dll Infected: not-a-virus:AdWare.Win32.F1Organizer.n skipped
C:\Program Files\a-squared Free\Quarantine\f8fdc8b497924ff43800ef040335728b.a 2q ZIP: infected - 1 skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP74\A0015903.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP74\A0015905.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP74\A0015918.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.35684 skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP77\A0016124.exe Object is locked skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP77\A0016128.exe Object is locked skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP77\A0016133.dll Object is locked skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP77\A0016139.exe Infected: Trojan-Downloader.Win32.Agent.tf skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP78\A0017275.exe/PgSDK.DLL Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.d skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP78\A0017275.exe ViseMan: infected - 1 skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP78\A0017275.exe ViseMan: infected - 1 skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP78\A0017302.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.h skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP78\A0017302.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP78\A0017309.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.a skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP78\A0017309.exe/data0003 Infected: not-a-virus:AdWare.Win32.CASClient.e skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP78\A0017309.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP79\A0017412.dll Infected: Trojan-Dropper.Win32.Small.abe skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP79\A0017418.dll Infected: not-a-virus:AdWare.Win32.Agent.e skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP79\A0017452.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.f skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP79\A0017474.dll Infected: not-a-virus:AdWare.Win32.F1Organizer.n skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP79\A0017604.exe Infected: not-a-virus:Server-Proxy.Win32.Hltv skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP81\A0018939.exe/data0002 Infected: not-a-virus:AdWare.Win32.HotSearchBar.b skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP81\A0018939.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP81\A0018940.exe/data0002/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP81\A0018940.exe/data0002/data0004 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP81\A0018940.exe/data0002/data0005 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP81\A0018940.exe/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP81\A0018940.exe/data0008 Infected: Trojan-Downloader.Win32.Keenval.e skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP81\A0018940.exe/data0009 Infected: Trojan-Downloader.Win32.Keenval.e skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP81\A0018940.exe NSIS: infected - 6 skipped
C:\System Volume Information\_restore{1A5B95FE-FC58-4002-B17D-1974C994BAAD}\RP82\change.log Object is locked skipped

Scan process completed.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

Similar Threads
Thread	Thread Starter	Forum	Replies	Last Post
HJT log	34erd	Computer Security	5	08-10-2006 01:04 PM
HJT log	34erd	Computer Security	11	06-16-2006 05:12 AM
HJT Log what is it?	zeneena	Computer Security	10	12-07-2005 11:11 PM
HJT log file	phantom	Computer Security	9	12-05-2005 03:33 AM
Post #1 HJT Log (too long for one post)	354	Computer Security	8	08-15-2005 11:02 PM

09-18-2006, 11:54 PM	#11 (permalink)
edifier Platinum Member Join Date: Jan 2006 Posts: 567	Go to ADD/REMOVE Programs and get rid of the following. Koolbar.net - Toolbar PartyPoker (if you don't use) Sysnet Viewpoint Manager (Remove Only) Viewpoint Media Player (Remove Only) Windows VisFx Components Reboot and navigate to C/Program Files and remove any of these folders if still present. Run ATF cleaner (select all) Next go here http://forums.majorgeeks.com/showthread.php?t=74265 and follow these removal instructions. It must be run from safemode.Once completed, return to (safemode with networking) and run this online scan here http://www.trendmicro.com/spyware-scan/ .Once finished, reboot into normal windows and post a fresh 'HJT' log.

09-19-2006, 08:36 PM	#12 (permalink)
HELP_ME Gold Member Join Date: Aug 2006 Location: ottawa, canada Posts: 391	alright i got rid of all except for koolbar.net - toolbar because it doesnt let me remove, nothing happens when i try and remove. that is why i still have it there.

09-19-2006, 11:46 PM	#13 (permalink)
edifier Platinum Member Join Date: Jan 2006 Posts: 567	Just follow the rest of the instructions and if still present, we'll get rid of it manually.

09-23-2006, 04:24 PM	#14 (permalink)
HELP_ME Gold Member Join Date: Aug 2006 Location: ottawa, canada Posts: 391	Logfile of HijackThis v1.99.1 Scan saved at 11:24:07 AM, on 9/23/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\system32\spoolsv.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe C:\Program Files\ewido anti-spyware 4.0\guard.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.exe C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe C:\Updater.exe C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe C:\Program Files\ewido anti-spyware 4.0\ewido.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe C:\Documents and Settings\Matthew April\My Documents\My Received Files\anti-spy\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ca/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank R3 - Default URLSearchHook is missing F2 - REG:system.ini: Shell=Explorer.exe O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_6_2_0. dll (file missing) O3 - Toolbar: Search - {215303D2-42B9-A7EC-7414-5630B3DD8F1A} - C:\WINDOWS\Cagxrcfg.dll (file missing) O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe O4 - HKLM\..\Run: [lfsqbiqafb] C:\WINDOWS\System32\wqupxsmg.exe O4 - HKLM\..\Run: [kjefel] C:\WINDOWS\kjefel.exe O4 - HKLM\..\Run: [iRiver Updater] \Updater.exe O4 - HKLM\..\Run: [inhttpw] C:\WINDOWS\System32\inhttpw.exe O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe" O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKCU\..\Run: [wshatm] "C:\WINDOWS\system32\wshatm.exe" O4 - HKCU\..\Run: [wlnotify] "C:\WINDOWS\system32\wlnotify.exe" O4 - HKCU\..\Run: [vxblock] "C:\WINDOWS\system32\vxblock.exe" O4 - HKCU\..\Run: [version] C:\WINDOWS\System32\version.exe O4 - HKCU\..\Run: [shfolder] "C:\WINDOWS\system32\shfolder.exe" O4 - HKCU\..\Run: [s3gnb] "C:\WINDOWS\system32\s3gnb.exe" O4 - HKCU\..\Run: [raschap] "C:\Documents and Settings\Matthew April\raschap.exe" O4 - HKCU\..\Run: [netcfgx] "C:\WINDOWS\system32\netcfgx.exe" O4 - HKCU\..\Run: [netapi] "C:\WINDOWS\system32\netapi.exe" O4 - HKCU\..\Run: [kbduzb] "C:\WINDOWS\system32\kbduzb.exe" O4 - HKCU\..\Run: [kbdus] "C:\WINDOWS\system32\kbdus.exe" O4 - HKCU\..\Run: [kbdinbe1] "C:\WINDOWS\system32\kbdinbe1.exe" O4 - HKCU\..\Run: [kbdhe] "C:\WINDOWS\system32\kbdhe.exe" O4 - HKCU\..\Run: [jgmd400] "C:\WINDOWS\system32\jgmd400.exe" O4 - HKCU\..\Run: [ir41_qcx] "C:\WINDOWS\system32\ir41_qcx.exe" O4 - HKCU\..\Run: [infosoft] "C:\WINDOWS\system32\infosoft.exe" O4 - HKCU\..\Run: [inetclnt] "C:\WINDOWS\system32\inetclnt.exe" O4 - HKCU\..\Run: [hsfcisp2] "C:\WINDOWS\system32\hsfcisp2.exe" O4 - HKCU\..\Run: [fkfw] C:\PROGRA~1\COMMON~1\fkfw\fkfwm.exe O4 - HKCU\..\Run: [eventcls] "C:\WINDOWS\system32\eventcls.exe" O4 - HKCU\..\Run: [dmband] "C:\WINDOWS\system32\dmband.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [cscui] "C:\Documents and Settings\Matthew April\cscui.exe" O4 - HKCU\..\Run: [iprtcnst] "C:\WINDOWS\system32\iprtcnst.exe" O4 - HKCU\..\Run: [atiicdxx] "C:\WINDOWS\system32\atiicdxx.exe" O4 - HKCU\..\Run: [rmoc3260] "C:\WINDOWS\system32\rmoc3260.exe" O4 - HKCU\..\Run: [getuname] "C:\WINDOWS\system32\getuname.exe" O4 - HKCU\..\Run: [vdmdbg] "C:\WINDOWS\system32\vdmdbg.exe" O4 - HKCU\..\Run: [resutils] "C:\WINDOWS\system32\resutils.exe" O4 - HKCU\..\Run: [lftif11n] "C:\WINDOWS\system32\lftif11n.exe" O4 - HKCU\..\Run: [uniplat] "C:\WINDOWS\system32\uniplat.exe" O4 - HKCU\..\Run: [msr2cenu] "C:\WINDOWS\system32\msr2cenu.exe" O4 - HKCU\..\Run: [mmcbase] "C:\WINDOWS\system32\mmcbase.exe" O4 - HKCU\..\Run: [msorc32r] "C:\WINDOWS\system32\msorc32r.exe" O4 - HKCU\..\Run: [wmiprop] "C:\WINDOWS\system32\wmiprop.exe" O4 - HKCU\..\Run: [dmscript] "C:\WINDOWS\system32\dmscript.exe" O4 - HKCU\..\Run: [wmerror] "C:\WINDOWS\system32\wmerror.exe" O4 - HKCU\..\Run: [qasf] "C:\WINDOWS\system32\qasf.exe" O4 - HKCU\..\Run: [6to4svc] "C:\WINDOWS\system32\6to4svc.exe" O4 - HKCU\..\Run: [dpwsock] "C:\WINDOWS\system32\dpwsock.exe" O4 - HKCU\..\Run: [kbdir] "C:\WINDOWS\system32\kbdir.exe" O4 - HKCU\..\Run: [pjlmon] "C:\WINDOWS\system32\pjlmon.exe" O4 - HKCU\..\Run: [dispex] "C:\WINDOWS\system32\dispex.exe" O4 - Global Startup: Smart Wizard Wireless Settings.lnk = C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll O9 - Extra button: Rogers Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll (file missing) O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing) O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing) O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204 O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www3.ca.com/securityadvisor/p...n/pestscan.cab O16 - DPF: {563EC66E-5A1B-51D2-1DB0-5080C83DA4EB} - ms-its:mhtml:file://C:ie.mht!http://69.50.164.12/exp/mht/sext02.c...aInstaller.exe O16 - DPF: {88D758A3-D33B-45FD-91E3-67749B4057FA} - http://dm.screensavers.com/dm/instal...sinstaller.cab O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing) O18 - Filter: text/html - (no CLSID) - (no file) O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O20 - Winlogon Notify: SMDEn - C:\WINDOWS\system32\pychdprf.dll (file missing) O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

09-23-2006, 05:12 PM	#15 (permalink)
edifier Platinum Member Join Date: Jan 2006 Posts: 567	Okay. Still a mess. Lets try a few specialty tools. Download VundoFix.exe- http://www.atribune.org/ccount/click.php?id=4 to your desktop. Double-click VundoFix.exe to run it. * When VundoFix re-opens, click the Scan for Vundo button. * Once it's done scanning, click the Remove Vundo button. * You will receive a prompt asking if you want to remove the files, click YES * Once you click yes, your desktop will go blank as it starts removing Vundo. * When completed, it will prompt that it will reboot your computer, click OK. Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. A log called vundofix.txt will be created in your C:\ directory. Please post that log.

09-23-2006, 05:47 PM	#16 (permalink)
HELP_ME Gold Member Join Date: Aug 2006 Location: ottawa, canada Posts: 391	VundoFix V6.1.6 Checking Java version... Java version is 1.5.0.4 Java version is 1.5.0.6 Scan started at 12:34:49 PM 9/23/2006 Listing files found while scanning.... No infected files were found. Beginning removal...

09-23-2006, 06:12 PM	#17 (permalink)
edifier Platinum Member Join Date: Jan 2006 Posts: 567	Next One. Download SmitFraudFix from this link http://siri.urz.free.fr/Fix/SmitfraudFix.zip Then extract the contents to your desktop. Open the "SmitfraudFix" folder and double-click "smitfraudfix.cmd" Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present). Post that log. Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user. Do not run any other options as they will damage your desktop if run on an uninfected computer.

09-23-2006, 06:22 PM	#18 (permalink)
HELP_ME Gold Member Join Date: Aug 2006 Location: ottawa, canada Posts: 391	you already had me fix this... it was one of the fixes under SmitRem and nothing was detected so.... do you still want me to do it?

09-23-2006, 06:54 PM	#19 (permalink)
edifier Platinum Member Join Date: Jan 2006 Posts: 567	Sorry for that. Very busy this morning and this thread has spanned quite a few days. I want you to do the following dianogstic scan from Kaspersky http://kaspersky.com/kos/english/kavwebscan.html Click Accept When the updates are finished downloading, click Next, Scan Settings Under Scan using the following antivirus database:, select extended Make sure the Scan Archives and Scan Mail Bases options are selected as well. Click OK Click My Computer and wait for the scan to finish Click Save Report As. Under Save as type:, select Text file. Save this log to your Desktop. Post a copy of it here.