There's no such thing as a stupid question, but they're the easiest to answer.
JoinTour
Login
Search
Virus & Other Malware Removal
Go to first new post We Got System Checked :-(
Go to first new post Black desktop, missing all shortcuts, fi ...
Go to first new post Extremely unresponsive, massive hang-ups ...
Go to first new post Incredibar Removal - Support Pls!
Go to first new post need help regarding malware/spyware
Go to first new post Somethings Amiss....
Go to first new post "svchost application error 0x6fe217 ...
Go to first new post Family Cyber Removal
Go to first new post Cannot access any google sites - youtube ...
Go to first new post Trojan: Win32/Alureon.FK - hijack this l ...
Go to first new post System Check problem
Go to first new post slow computer, downloads over a few mb f ...
Go to first new post Overall Sluggish Performance, Video Hicc ...
Go to first new post Extremely slow computer
Go to first new post RegClean Pro
Tag Cloud
access acer asus bios bsod computer crash dns drive driver drivers error ethernet excel freeze games gaming graphics hard drive hardware hdmi internet java laptop malware memory monitor motherboard network printer problem ram random registry router slow software sound trojan usb video virus vista wifi windows windows 7 windows 7 32 bit windows 7 64 bit windows xp wireless
Search
Search for:
Tech Support Guy Forums > Security & Malware Removal > Virus & Other Malware Removal >
Windows hijacked by dodgy apps (New)

Page 1 of 4 1 234
Reply  
Thread Tools
Phil64's Avatar
Junior Member with 25 posts.
  
Join Date: Jul 2006
Experience: Advanced
08-Jul-2006, 02:11 PM #1
Windows hijacked by dodgy apps
Hi

I have been asked to look at a laptop belonging to a mate's kids that was full of spyware and other dodgy stuff.

I have run Spybot and Adaware, which have got rid of most of what was on there, but I still get pop-ups as soon as I connect to the internet, mainly to do with errorsafe and systemdoctor and can't seem to find any way to get rid of them.

I have run HijackThis and the log file is as below:

Logfile of HijackThis v1.99.1
Scan saved at 17:25:31, on 08/07/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe
C:\dfndrb_3.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PPATCH~1\msconfig.exe
C:\DOCUME~1\khatri\APPLIC~1\SSTEM~1\RNDLL~1.EXE
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\sllights.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\blueyonder\PCguard\Rps.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Windows AntiVirus] yrxhijfwscx.exe
O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"
O4 - HKLM\..\Run: [defender] C:\\dfndrb_3.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdb_3.exe
O4 - HKLM\..\Run: [kxm8fbbd] RUNDLL32.EXE w0057584.dll,n 0018fbbc0000000a0057584
O4 - HKLM\..\RunServices: [Microsoft Windows AntiVirus] yrxhijfwscx.exe
O4 - HKLM\..\RunServices: [Windows Recylinder Check] mclgnyeoqj.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [Pldo] "C:\PROGRA~1\PPATCH~1\msconfig.exe" -vt yazr
O4 - HKCU\..\Run: [Ihdz] C:\DOCUME~1\khatri\APPLIC~1\SSTEM~1\RNDLL~1.EXE
O4 - HKCU\..\Run: [rmkw] C:\PROGRA~1\COMMON~1\rmkw\rmkwm.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O8 - Extra context menu item: &MyToolBar Search - res://C:\Program Files\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1147983702001
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1151692057018
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: antivirus - Unknown owner - C:\WINDOWS\antivirusguard.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


Any help would be grealy appreciated.

Many thanks in advance
Phil
Register for free to hide this ad!
Cheeseball81's Avatar
Moderator & Malware Removal Specialist with 80,165 posts.
  
Join Date: Mar 2004
Location: Long Island, NY
Experience: Advanced
08-Jul-2006, 02:31 PM #2
Hi and welcome

Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with this yet!

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.


Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by doubleclicking BFU.exe
  • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
__________________
Microsoft MVP - Consumer Security
If we've helped you, please donate to TSG!
Phil64's Avatar
Junior Member with 25 posts.
  
Join Date: Jul 2006
Experience: Advanced
08-Jul-2006, 05:35 PM #3
Many thanks for the information - it appears to have cured the pop-up problem.

However, the computer is now trying to download Winantivirus Pro 2006 when I access the internet (there is also a shortcut to this in the control panel but I can find no trace of it actually being installed on the computer).

Finally, the following 2 programs have attempted to access the internet:

r?ndll
Run a DLL as an App


So far all I have done is block access to the internet using the firewall, but is there any further action I need to take?

Thanks again in advance
Phil
Cheeseball81's Avatar
Moderator & Malware Removal Specialist with 80,165 posts.
  
Join Date: Mar 2004
Location: Long Island, NY
Experience: Advanced
08-Jul-2006, 06:14 PM #4
Please post a new Hijack This log. We have more work to do.
Phil64's Avatar
Junior Member with 25 posts.
  
Join Date: Jul 2006
Experience: Advanced
08-Jul-2006, 06:36 PM #5
Thanks again. Here is the log file:

Logfile of HijackThis v1.99.1
Scan saved at 22:29:27, on 08/07/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PPATCH~1\msconfig.exe
C:\DOCUME~1\khatri\APPLIC~1\SSTEM~1\RNDLL~1.EXE
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\sllights.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\MsiExec.exe
C:\WINDOWS\System32\MsiExec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/blueyonder/index.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Windows AntiVirus] yrxhijfwscx.exe
O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"
O4 - HKLM\..\Run: [kxm8fbbd] RUNDLL32.EXE w0057584.dll,n 0018fbbc0000000a0057584
O4 - HKLM\..\RunServices: [Microsoft Windows AntiVirus] yrxhijfwscx.exe
O4 - HKLM\..\RunServices: [Windows Recylinder Check] mclgnyeoqj.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [Pldo] "C:\PROGRA~1\PPATCH~1\msconfig.exe" -vt yazr
O4 - HKCU\..\Run: [Ihdz] C:\DOCUME~1\khatri\APPLIC~1\SSTEM~1\RNDLL~1.EXE
O4 - HKCU\..\Run: [rmkw] C:\PROGRA~1\COMMON~1\rmkw\rmkwm.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O8 - Extra context menu item: &MyToolBar Search - res://C:\Program Files\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1147983702001
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1151692057018
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: antivirus - Unknown owner - C:\WINDOWS\antivirusguard.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


Chers
Phil
Cheeseball81's Avatar
Moderator & Malware Removal Specialist with 80,165 posts.
  
Join Date: Mar 2004
Location: Long Island, NY
Experience: Advanced
08-Jul-2006, 06:37 PM #6
I just realized you have no Service Packs installed.

Before we can provide you any assistance, you need to go here: http://www.microsoft.com/windowsxp/d...1/default.mspx and install "Service Pack 1" This will patch numerous security holes in IE and Windows. Many baddies get on your machine by taking advantage of these vulnerabilities. As your machine stands now it is wide open to attack from all sorts of nasties. You need to get these updates before we proceed or we will be wasting our time.

DO NOT install Service pack 2 yet. If you install SP2 on an infected machine, it will cause serious problems. Just get Service Pack 1 installed then come back here and post a new Hijack This log.
__________________
Microsoft MVP - Consumer Security
If we've helped you, please donate to TSG!
blkwlnt64's Avatar
Senior Member with 659 posts.
  
Join Date: Mar 2005
Experience: Advanced
08-Jul-2006, 08:00 PM #7
Hi Cheeseball81, What is O4 entry about Microsoft Antivirus ? There is no such thing to my knowledge so he has no av installed.
Cheeseball81's Avatar
Moderator & Malware Removal Specialist with 80,165 posts.
  
Join Date: Mar 2004
Location: Long Island, NY
Experience: Advanced
08-Jul-2006, 09:09 PM #8
That's a virus
Phil64's Avatar
Junior Member with 25 posts.
  
Join Date: Jul 2006
Experience: Advanced
08-Jul-2006, 09:14 PM #9
Hello again

I was kind of hoping to avoid installing updates until after everything else was sorted out as updating Windows is a pain at the best of times. Anyway, I've now updated to SP1 and done yet another log file:


Logfile of HijackThis v1.99.1
Scan saved at 00:57:12, on 09/07/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\blueyonder\PCguard\fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\sllights.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\PPATCH~1\msconfig.exe
C:\DOCUME~1\khatri\APPLIC~1\SSTEM~1\RNDLL~1.EXE
C:\Program Files\TClock\TClock.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\blueyonder\PCguard\Rps.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.blueyonder.co.uk/blueyonder/index.jsp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [Repair Registry Pro] C:\Program Files\Repair Registry Pro\RepairRegistryPro.exe -s
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Windows AntiVirus] yrxhijfwscx.exe
O4 - HKLM\..\Run: [PCguardadvisor.exe] "C:\Program Files\blueyonder\PCguard advisor\PCguardadvisor.exe"
O4 - HKLM\..\Run: [kxm8fbbd] RUNDLL32.EXE w0057584.dll,n 0018fbbc0000000a0057584
O4 - HKLM\..\RunServices: [Microsoft Windows AntiVirus] yrxhijfwscx.exe
O4 - HKLM\..\RunServices: [Windows Recylinder Check] mclgnyeoqj.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [Pldo] "C:\PROGRA~1\PPATCH~1\msconfig.exe" -vt yazr
O4 - HKCU\..\Run: [Ihdz] C:\DOCUME~1\khatri\APPLIC~1\SSTEM~1\RNDLL~1.EXE
O4 - HKCU\..\Run: [rmkw] C:\PROGRA~1\COMMON~1\rmkw\rmkwm.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O8 - Extra context menu item: &MyToolBar Search - res://C:\Program Files\ToolBar888\MyToolBar.dll/MENUSEARCH.HTM
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://bt.yahoo.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1147983702001
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1151692057018
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: antivirus - Unknown owner - C:\WINDOWS\antivirusguard.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\blueyonder\PCguard\fws.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


Hello also to blkwlnt64 - antivirus is incorporated within an application called "PCGuard" which is an integrated security suite provided by the computer owner's ISP. I personally haven't used it before, but it seems straight-forward enough.

Thanks again
Phil
Cheeseball81's Avatar
Moderator & Malware Removal Specialist with 80,165 posts.
  
Join Date: Mar 2004
Location: Long Island, NY
Experience: Advanced
08-Jul-2006, 09:15 PM #10
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
__________________
Microsoft MVP - Consumer Security
If we've helped you, please donate to TSG!
Phil64's Avatar
Junior Member with 25 posts.
  
Join Date: Jul 2006
Experience: Advanced
08-Jul-2006, 09:27 PM #11
That's now done and here is the report:


SmitFraudFix v2.68b

Scan done at 1:24:32.85, 09/07/2006
Run from C:\Documents and Settings\khatri\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\khatri\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\khatri\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\WindowsUpdate\\kyfevyka.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="C:\\Program Files\\Messenger\\hocy.html"
"SubscribedURL"=""
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



Cheers
Phil
Cheeseball81's Avatar
Moderator & Malware Removal Specialist with 80,165 posts.
  
Join Date: Mar 2004
Location: Long Island, NY
Experience: Advanced
08-Jul-2006, 09:32 PM #12
Download the trial version of Ewido Anti-spyware from HERE and save that file to your desktop. When the trial period expires, it becomes freeware with reduced functions but still worth keeping.

  • Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need run Ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
  • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine"
  • Under "Reports"
  • Select "Automatically generate report after every scan"
  • Un-Select "Only if threats were found"

Close Ewido Anti-Spyware, DO NOT run a scan yet. We will do that later in Safe Mode.

  • Reboot your computer into Safe Mode now. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
    IMPORTANT: Do not open any other windows or programs while Ewido is scanning as it may interfere with the scanning process:
  • Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • Ewido will now begin the scanning process. Be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close Ewido and reboot your system back into Normal Mode.


Run ActiveScan online virus scan: here

When the scan is finished, save the results from the scan!


Come back here and post a new Hijack This log along with the logs from the Ewido and Panda scans.
__________________
Microsoft MVP - Consumer Security
If we've helped you, please donate to TSG!
Phil64's Avatar
Junior Member with 25 posts.
  
Join Date: Jul 2006
Experience: Advanced
08-Jul-2006, 10:27 PM #13
Still running through the Ewido scan at the moment and 70 objects found so far.

As the time over here is now 0230, I need to hit my bed, so I will run the Panda scan later today and then post everything.

Many thabks for your help so far.

Speak to you later
Phil
Cheeseball81's Avatar
Moderator & Malware Removal Specialist with 80,165 posts.
  
Join Date: Mar 2004
Location: Long Island, NY
Experience: Advanced
08-Jul-2006, 10:39 PM #14
No problem
Phil64's Avatar
Junior Member with 25 posts.
  
Join Date: Jul 2006
Experience: Advanced
09-Jul-2006, 11:15 AM #15
OK my friend, that is all done and here is the Ewido log file (I will post each separately, so as not to exceed the allowed character count):


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:03:40 09/07/2006

+ Scan result:



C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP89\A0108210.exe -> Adware.ClickSpring : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP108\A0118738.dll -> Adware.Comet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP108\A0118739.dll -> Adware.Comet : Cleaned with backup (quarantined).
C:\WINDOWS\system32\kxm8fbbd.dll -> Adware.IEHelper : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0110578.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0110677.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0112574.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0113571.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0114570.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0115573.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0116573.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0117572.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0117582.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0117611.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0117618.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP108\A0117626.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP108\A0117633.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP108\A0117650.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP108\A0117657.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP108\A0117680.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP108\A0118694.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP108\A0118721.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP108\A0118747.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP108\A0118757.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\aympvcno.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\cqusapi.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\en8ql1l51.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\enl6l13s1.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\fnj0211mg.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\g4jo0e13eh.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\i4420ehoeh4c0.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\imrnonce.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ir20l5fm1.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\irnol5531.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\j4p00e7meh.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\j60slgd7160.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\l44q0eh5eh4.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\l48m0el1ehq.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lv6m09j1e.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\system32\lvp6097se.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP82\A0100414.exe -> Adware.MediaTicket : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP82\A0101509.exe -> Adware.MediaTicket : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP82\A0101620.exe -> Adware.MediaTicket : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0111576.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0111578.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP119\A0123307.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP82\A0100413.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP83\A0103690.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP83\A0103691.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP98\A0109247.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP98\A0109248.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP98\A0109249.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\logonui.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\qqvv.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\WINDOWS\system32\userinit.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP103\A0110328.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0112642.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0115581.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0117576.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0117593.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP108\A0118736.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP84\A0104009.exe/toolbar.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP89\A0106208.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINDOWS\sfdsfjjs.exe/toolbar.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINDOWS\zornnn.exe/toolbar.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\peakclick.exe/toolbar.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP102\A0109437.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0111583.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0111585.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0112579.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP108\A0118682.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP108\A0118706.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP108\A0118707.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP85\A0105069.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP86\A0105077.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\Program Files\whInstall -> Adware.Webhancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP103\A0109545.exe -> Backdoor.Rbot : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP73\A0094704.exe -> Backdoor.Rbot : Cleaned with backup (quarantined).
C:\WINDOWS\system32\microsoft32.exe -> Backdoor.Rbot : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0112585.exe -> Backdoor.VB.ary : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP82\A0100478.exe -> Downloader.Adload.bo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP82\A0100489.exe -> Downloader.Adload.bo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP82\A0100481.exe -> Downloader.Adload.bv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP82\A0100498.exe -> Downloader.Adload.bv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP83\A0102666.exe -> Downloader.Adload.ce : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP83\A0102667.exe -> Downloader.Adload.ce : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP83\A0102679.exe -> Downloader.Adload.cf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP109\A0118849.exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP83\A0102672.exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP83\A0102673.exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP83\A0102674.exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP83\A0102678.exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP89\A0107210.exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP89\A0108208.exe -> Downloader.Adload.ch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0112581.exe -> Downloader.Adload.ck : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0112583.exe -> Downloader.Adload.ck : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0112584.exe -> Downloader.Adload.ck : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0112586.exe -> Downloader.Adload.ck : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0112589.exe -> Downloader.Adload.ck : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0112590.exe -> Downloader.Adload.ck : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0112591.exe -> Downloader.Adload.ck : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0112592.exe -> Downloader.Adload.ck : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0112593.exe -> Downloader.Adload.ck : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0112594.exe -> Downloader.Adload.ck : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0112595.exe -> Downloader.Adload.ck : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0112596.exe -> Downloader.Adload.ck : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0112582.exe -> Downloader.Adload.cm : Cleaned with backup (quarantined).
C:\Documents and Settings\khatri\Local Settings\Temporary Internet Files\Content.IE5\J0XJRI5Z\SysProtectScannerInstall[1].exe -> Downloader.Agent.alr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP109\A0118861.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP109\A0118862.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\w0057584.dll -> Downloader.Small : Cleaned with backup (quarantined).
C:\ac3_0010.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP83\A0102669.exe -> Downloader.VB.afn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP83\A0102670.exe -> Downloader.VB.afn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP83\A0102671.exe -> Downloader.VB.afn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP83\A0102676.exe -> Downloader.VB.afn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP83\A0102677.exe -> Downloader.VB.afn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP109\A0118859.exe -> Downloader.VB.afv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP100\A0109294.exe -> Downloader.VB.agk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP103\A0110330.exe -> Downloader.VB.agk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0110680.exe -> Downloader.VB.agk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0112580.exe -> Downloader.VB.agk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP83\A0102680.exe -> Hijacker.VB.fb : Cleaned with backup (quarantined).
C:\Documents and Settings\khatri\Local Settings\Temporary Internet Files\Content.IE5\PA706BZ8\WinAntiVirusPro2006FreeInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.j : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N822M1605NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.j : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@c.goclick[1].txt -> TrackingCookie.Goclick : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP119\A0123308.exe -> Trojan.PurityAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP107\A0115580.exe -> Trojan.Scapur.k : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP83\A0103689.exe -> Trojan.VB.abv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP84\A0104010.exe -> Trojan.VB.abv : Cleaned with backup (quarantined).
C:\WINDOWS\lojsfj.exe -> Trojan.VB.abv : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B41DD476-FA9F-4521-A3DE-4D65A0AE0DBE}\RP109\A0118864.exe -> Trojan.Zapchast.bl : Cleaned with backup (quarantined).


::Report end


Cheers
Phil
Email This Email  Print This Print  Tweet This Send to Facebook Send to MySpace Send to StumbleUpon Digg This | More Services More
Reply
Page 1 of 4 1 234

THIS THREAD HAS EXPIRED.
Are you having the same problem? We have volunteers ready to answer your question, but first you'll have to join for free. Need help getting started? Check out our Welcome Guide.

Search Tech Support Guy

Find the solution to your
computer problem!

« Previous Thread | Virus & Other Malware Removal | Next Thread »

Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
WELCOME TO TECH SUPPORT GUY! Are you looking for the solution to your computer problem? Join our site today to ask your question -- for free! Our site is run completely by volunteers who want to help you solve your computer problems. See our Welcome Guide to get started.
Thread Tools



Facebook Facebook Twitter Twitter TechGuy.tv TechGuy.tv Mobile TSG Mobile
Contact Us - HelpOnThe.Net - Archive - Terms of Service - Top
You Are Using:
Server ID
Advertisements do not imply our endorsement of that product or service.
All times are GMT -4. The time now is 02:10 PM.
Copyright © 1996 - 2011 TechGuy, Inc. All rights reserved.

 Powered by Cermak Technologies, Inc.