Hi,

I've been trying to get rid of this Trojan but it seems impossible.
Here is my HJT and my Ewido log.

---------------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 19:38:27, on 29-09-2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\winjava.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.hotwebsearch.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ddedc.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://uk.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abola.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\omqsw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ddedc.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\omqsw.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://uk.search.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1F3B52DC-E394-9E36-27E7-01C5F21E4FA5} - (no file)
O2 - BHO: (no name) - {31952D98-201F-E44F-99D8-B80E37D78431} - (no file)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Class - {6819E8F9-6B65-C66F-C5D9-F681C6CDEFBF} - C:\WINDOWS\netht.dll (file missing)
O2 - BHO: Class - {819A7027-6EEA-44B4-49C1-52F6992DCD01} - C:\WINDOWS\addrg.dll (file missing)
O2 - BHO: Class - {BB37280E-3BA4-0CF4-3710-D1E7E658044E} - C:\WINDOWS\apihv.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: Class - {CAF6E144-63FF-5169-432A-A4605DE3B9A4} - C:\WINDOWS\syswi32.dll (file missing)
O2 - BHO: Class - {D33C8F81-1BDD-D468-2853-B1D36D92CA19} - C:\WINDOWS\sysch32.dll (file missing)
O2 - BHO: Class - {F9D7B838-0128-DA47-424A-9E6B5C35E7D6} - C:\WINDOWS\system32\iepi32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\pt-pt\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Descarregar pelo Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Descarregar tudo pelo Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4B6015E7-3ABB-45DC-96B7-55A843751F28} (IntRuboskizo2 Class) - http://www.contenidospc.com/ruboskizo2.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9A934FAF-30A4-4A85-A1C4-958E8438E98C} (Inst Class) - http://www.freemusiccenter.com/dl/waeb.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Windows Codecs (Codec) - Unknown owner - C:\WINDOWS\wincodec.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Enables Java Support (Java) - Unknown owner - C:\WINDOWS\System32\winjava.exe
O23 - Service: MS Smc Service (MSsmc) - Unknown owner - C:\WINDOWS\winsmc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: TCP/IP NetBIOS Connections (nbconn) - Unknown owner - C:\WINDOWS\winstub.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Time Sync (wservtime) - Unknown owner - C:\WINDOWS\csrss.exe (file missing)


---------------------------------------------------

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:          0:30:15, 29-09-2005
 + Report-Checksum:     9061D38C

 + Scan result:

    HKLM\SOFTWARE\Classes\ADM25.ADM25 -> Spyware.Altnet : Cleaned with backup
    HKLM\SOFTWARE\Classes\ADM25.ADM25\CurVer -> Spyware.Altnet : Cleaned with backup
    HKLM\SOFTWARE\Classes\ADM25.ADM25.1 -> Spyware.Altnet : Cleaned with backup
    HKLM\SOFTWARE\Classes\ADM4.ADM4 -> Spyware.Altnet : Cleaned with backup
    HKLM\SOFTWARE\Classes\ADM4.ADM4\CurVer -> Spyware.Altnet : Cleaned with backup
    HKLM\SOFTWARE\Classes\ADM4.ADM4.1 -> Spyware.Altnet : Cleaned with backup
    HKLM\SOFTWARE\Classes\AppID\adm.EXE -> Spyware.Altnet : Cleaned with backup
    HKLM\SOFTWARE\Classes\AppID\adm.EXE\\AppID -> Spyware.Altnet : Cleaned with backup
    HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Spyware.Altnet : Cleaned with backup
    HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE\\AppID -> Spyware.Altnet : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8}\TypeLib\\ -> Spyware.MoneyTree : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{000020DD-C72E-4113-AF77-DD56626C6C42} -> Spyware.TwainTech : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{11F6B95F-0774-4B8D-8C9E-6B552CBCAD14} -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{11F6B95F-0774-4B8D-8C9E-6B552CBCAD14}\TypeLib\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{419C268B-53F5-4B4F-99BF-0B9B04B57B62} -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{419C268B-53F5-4B4F-99BF-0B9B04B57B62}\TypeLib\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{423BD222-52BE-471A-BE01-75FCCEB3D48F} -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{423BD222-52BE-471A-BE01-75FCCEB3D48F}\TypeLib\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{676575DD-4D46-911D-8037-9B10D6EE8BB5} -> Spyware.CoolWebSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{6986A6CF-9D58-11D6-91C2-00E02964E8E3} -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{9A934FAF-30A4-4A85-A1C4-958E8438E98C}\TypeLib\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{BB0578ED-E672-4697-9663-EC5A0460B949} -> Spyware.SearchCentrix : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{C258EAA1-F9FE-491E-B8FF-CE9AF7A7AFF5} -> Spyware.SearchCentrix : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{C258EAA1-F9FE-491E-B8FF-CE9AF7A7AFF5}\TypeLib\\ -> Spyware.SearchCentrix : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{CBA523B2-1906-4D14-95A2-CD8E233701C7} -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{CBA523B2-1906-4D14-95A2-CD8E233701C7}\TypeLib\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{E2F2B9D0-96B9-4B25-B90C-636ECB207D18} -> Spyware.SaveNow : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{E539DEA3-BA67-4F1F-A897-5F2F4F29A063} -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{E539DEA3-BA67-4F1F-A897-5F2F4F29A063}\TypeLib\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{EEF29D20-9A47-4657-ADF7-283EC2504001} -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{EEF29D20-9A47-4657-ADF7-283EC2504001}\TypeLib\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{F347B129-8900-4BE9-9E32-E46625187DA5} -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{F347B129-8900-4BE9-9E32-E46625187DA5}\TypeLib\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\gwtbob.amo\CLSID\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\gwtbob.amo.1\CLSID\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\gwtbob.dbi\CLSID\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\gwtbob.dbi.1\CLSID\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\gwtbob.iiittt\CLSID\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\gwtbob.iiittt.1\CLSID\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\gwtbob.momo\CLSID\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\gwtbob.momo.1\CLSID\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\gwtbob.ohb\CLSID\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\gwtbob.ohb.1\CLSID\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{057373AE-177E-489C-BA9B-D41ADFA10B12}\TypeLib\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{1005A61E-4BCB-48E4-93C2-6C29082BCE4A} -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{1005A61E-4BCB-48E4-93C2-6C29082BCE4A}\TypeLib\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{16F08434-9FB5-4415-86E6-088B040208BE} -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{16F08434-9FB5-4415-86E6-088B040208BE}\TypeLib\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{1A3D7701-C8A3-4037-9351-29B8093A4060}\TypeLib\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{32915734-240A-4B3D-B673-AC060AAB36DC}\TypeLib\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{48EB9347-32EF-4FEA-803D-3CD314105CB5} -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{48EB9347-32EF-4FEA-803D-3CD314105CB5}\TypeLib\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{6850FB28-7C06-4B38-AAAD-5565CE7F86E8} -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{6850FB28-7C06-4B38-AAAD-5565CE7F86E8}\TypeLib\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{7BA07821-D9EF-45DF-8E7B-E2C242568F7F} -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{7BA07821-D9EF-45DF-8E7B-E2C242568F7F}\TypeLib\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{7BA3AEE4-8BD2-4D88-A1EB-7627A086C2E6} -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{7BA3AEE4-8BD2-4D88-A1EB-7627A086C2E6}\TypeLib\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{7C56C023-DF45-41A1-A94B-2DD2CBAFCCB0}\TypeLib\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{831975B3-13A0-4DA4-AA6F-6C427175C30E} -> Spyware.SearchCentrix : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{831975B3-13A0-4DA4-AA6F-6C427175C30E}\TypeLib\\ -> Spyware.SearchCentrix : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{8DD50C56-8A07-40B9-98C4-3F169E3AE28E} -> Spyware.180Solutions : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{8DD50C56-8A07-40B9-98C4-3F169E3AE28E}\TypeLib\\ -> Spyware.180Solutions : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{EB5A8952-78F8-4F1C-B1E4-6DC41CD18F46}\TypeLib\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{F322F50E-7AE2-423B-80A8-DF9C5A51E499}\TypeLib\\ -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\Pagomaster.IntPagomaster\CLSID\\ -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\Pagomaster.IntPagomaster.1\CLSID\\ -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\Ruboskizo.IntRuboskizo2 -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\Ruboskizo.IntRuboskizo2\CLSID -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\Ruboskizo.IntRuboskizo2\CurVer -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\Ruboskizo.IntRuboskizo2.1 -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\SomaticCAB.Setup\Clsid\\ -> Spyware.SearchCentrix : Cleaned with backup
    HKLM\SOFTWARE\Classes\spoolsvv.Class1 -> Spyware.SearchCentrix : Cleaned with backup
    HKLM\SOFTWARE\Classes\spoolsvv.Class1\Clsid -> Spyware.SearchCentrix : Cleaned with backup
    HKLM\SOFTWARE\Classes\spoolsvv.Class1\Clsid\\ -> Spyware.SearchCentrix : Cleaned with backup
    HKLM\SOFTWARE\Classes\TwaintecDll.TwaintecDllObj.1 -> Spyware.BetterInternet : Cleaned with backup
    HKLM\SOFTWARE\Classes\TwaintecDll.TwaintecDllObj.1\CLSID\\ -> Spyware.TwainTech : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{AE7D03C2-3826-480F-846D-15E61333DB66} -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{D1020AD1-3754-4C54-BF4D-EA01652EC4BE} -> Spyware.SearchCentrix : Cleaned with backup
    HKLM\SOFTWARE\Classes\TypeLib\{FA284AE3-27BA-43C9-BE27-F438D48D52D8} -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{6986A6CF-9D58-11D6-91C2-00E02964E8E3} -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{BB0578ED-E672-4697-9663-EC5A0460B949} -> Spyware.SearchCentrix : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{702AD576-FDDB-4d0f-9811-A43252064684} -> Spyware.Xupiter : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{11F6B95F-0774-4B8D-8C9E-6B552CBCAD14} -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar\\{423BD222-52BE-471A-BE01-75FCCEB3D48F} -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\nCASE -> Spyware.180Solutions : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{000020DD-C72E-4113-AF77-DD56626C6C42} -> Spyware.TwainTech : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A045DC85-FC44-45be-8A50-E4F9C62C9A84} -> Spyware.KeenValue : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CBA523B2-1906-4D14-95A2-CD8E233701C7} -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E539DEA3-BA67-4F1F-A897-5F2F4F29A063} -> Spyware.i-Lookup : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/nCaseInstaller.dll\\.Owner -> Spyware.NCase : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/nCaseInstaller.dll\\{6EB5B540-1E74-4D91-A7F0-5B758D333702} -> Spyware.NCase : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/nCASELib.dll\\.Owner -> Spyware.NCase : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/nCASELib.dll\\{6EB5B540-1E74-4D91-A7F0-5B758D333702} -> Spyware.NCase : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/OELoader.dll\\.Owner -> Spyware.Xupiter : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/OELoader.dll\\{D7B3E460-9968-4191-BD6F-BEED1BC18482} -> Spyware.Xupiter : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/pagomaster.dll\\.Owner -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/pagomaster.dll\\{6986A6CF-9D58-11D6-91C2-00E02964E8E3} -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/somaticCAB.exe\\.Owner -> Spyware.SearchCentrix : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/somaticCAB.exe\\{BB0578ED-E672-4697-9663-EC5A0460B949} -> Spyware.SearchCentrix : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/WUInst.dll\\.Owner -> Spyware.SaveNow : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/WUInst.dll\\{E2F2B9D0-96B9-4B25-B90C-636ECB207D18} -> Spyware.SaveNow : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/ASYCFILT.DLL\\{BB0578ED-E672-4697-9663-EC5A0460B949} -> Spyware.SearchCentrix : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/COMCAT.DLL\\{BB0578ED-E672-4697-9663-EC5A0460B949} -> Spyware.SearchCentrix : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/mfc42.dll\\{E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} -> Spyware.MoneyTree : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/msvbvm60.dll\\{BB0578ED-E672-4697-9663-EC5A0460B949} -> Spyware.SearchCentrix : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/msvcrt.dll\\{E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} -> Spyware.MoneyTree : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/OLEAUT32.DLL\\{BB0578ED-E672-4697-9663-EC5A0460B949} -> Spyware.SearchCentrix : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/olepro32.dll\\{E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} -> Spyware.MoneyTree : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/olepro32.dll\\{BB0578ED-E672-4697-9663-EC5A0460B949} -> Spyware.SearchCentrix : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/STDOLE2.TLB\\{BB0578ED-E672-4697-9663-EC5A0460B949} -> Spyware.SearchCentrix : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Spyware.InternetOptimizer : Cleaned with backup
    HKLM\SOFTWARE\PerfectNav -> Spyware.KeenValue : Cleaned with backup
    HKLM\SOFTWARE\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
    HKU\.DEFAULT\Software\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
    HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
    HKU\.DEFAULT\Software\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
    HKU\.DEFAULT\Software\salm -> Spyware.180Solutions : Cleaned with backup
    HKU\S-1-5-21-73586283-764733703-682003330-1003\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{669695BC-A811-4A9D-8CDF-BA8C795F261C} -> Spyware.PowerStrip : Cleaned with backup
    HKU\S-1-5-21-73586283-764733703-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} -> Spyware.MyWay : Cleaned with backup
    HKU\S-1-5-21-73586283-764733703-682003330-1003\Software\VB and VBA Program Settings\MyGeek -> Spyware.SearchCentrix : Cleaned with backup
    HKU\S-1-5-21-73586283-764733703-682003330-1003\Software\VB and VBA Program Settings\MyGeek\Settings -> Spyware.SearchCentrix : Cleaned with backup
    HKU\S-1-5-18\Software\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
    HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Error during cleaning
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
    HKU\S-1-5-18\Software\Policies\Avenue Media -> Spyware.InternetOptimizer : Cleaned with backup
    HKU\S-1-5-18\Software\salm -> Spyware.180Solutions : Cleaned with backup
    C:\98.exe -> Spyware.WinAD : Cleaned with backup
    C:\Documents and Settings\Pedro\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Gummy.class-7e60c2e9-69ce7674.class -> Trojan.Java.Femad : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@centrport[1].txt -> Spyware.Cookie.Centrport : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@ilead.itrack[1].txt -> Spyware.Cookie.Itrack : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@perf.overture[1].txt -> Spyware.Cookie.Overture : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@questionmarket[1].txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@www.shopathomeselect[1].txt -> Spyware.Cookie.Shopathomeselect : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@zdnet.com[1].txt -> Spyware.Cookie.Com : Cleaned with backup
    C:\Documents and Settings\Pedro\Desktop\CrackSearcher.exe -> Not-A-Virus.HackTool.CrackSearch.a : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\asmfiles.cab/asm.exe -> Spyware.Altnet : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\bundle.exe -> Adware.SAHA : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\Cookies\pedro@180solutions[2].txt -> Spyware.Cookie.180solutions : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\Cookies\pedro@adtech[2].txt -> Spyware.Cookie.Adtech : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\Cookies\pedro@as1.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\Cookies\pedro@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\Cookies\pedro@bis.180solutions[1].txt -> Spyware.Cookie.180solutions : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\Cookies\pedro@centrport[2].txt -> Spyware.Cookie.Centrport : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\Cookies\pedro@counter14.sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\Cookies\pedro@counter5.sextracker[1].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\Cookies\pedro@cs.sexcounter[2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\Cookies\pedro@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\Cookies\pedro@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\Cookies\pedro@gator[1].txt -> Spyware.Cookie.Gator : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\Cookies\pedro@ilead.itrack[1].txt -> Spyware.Cookie.Itrack : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\Cookies\pedro@mediaplex[1].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\Cookies\pedro@paycounter[1].txt -> Spyware.Cookie.Paycounter : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\Cookies\pedro@revenue[1].txt -> Spyware.Cookie.Revenue : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\Cookies\pedro@sextracker[2].txt -> Spyware.Cookie.Sextracker : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\Cookies\pedro@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\Cookies\pedro@weborama[1].txt -> Spyware.Cookie.Weborama : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\Cookies\pedro@www.casinodelrio[1].txt -> Spyware.Cookie.Casinodelrio : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\Del19.tmp -> Spyware.180Solutions : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\Del5.tmp -> Spyware.180Solutions : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\remove.exe -> TrojanDownloader.Keenval.f : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\THI60FC.tmp\twaintec.cab/twaintec.dll -> Spyware.BiSpy : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\THI60FC.tmp\twaintec.cab/preInsTT.exe -> Spyware.BiSpy : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\update.exe -> Adware.SAHA : Cleaned with backup
    C:\Documents and Settings\Pedro\Local Settings\Temp\__unin__.exe -> Spyware.Altnet : Cleaned with backup
    C:\Program Files\Global DiVX Player\SaveInstWm.exe/Save.exe -> Adware.SaveNow : Cleaned with backup
    C:\Program Files\Global DiVX Player\SaveInstWm.exe/SaveUninst.exe -> Adware.SaveNow : Cleaned with backup
    C:\Program Files\Global DiVX Player\SaveInstWm.exe/Save.exe -> Adware.SaveNow : Cleaned with backup
    C:\Program Files\Global DiVX Player\SaveInstWm.exe/SaveUninst.exe -> Adware.SaveNow : Cleaned with backup
    C:\Program Files\Global DiVX Player\SaveInstWm.exe/Weather.exe -> Spyware.WeatherCast : Cleaned with backup
    C:\Program Files\Global DiVX Player\SaveInstWm.exe/Uninst.exe -> Adware.SaveNow : Cleaned with backup
    C:\Program Files\Global DiVX Player\SaveInstWm.exe/Weather.exe -> Spyware.WeatherCast : Cleaned with backup
    C:\Program Files\Global DiVX Player\SaveInstWm.exe/Uninst.exe -> Adware.SaveNow : Cleaned with backup
    C:\RECYCLER\NPROTECT\00960690.EXE -> Backdoor.SdBot.afp : Cleaned with backup
    C:\RECYCLER\NPROTECT\00960697.cab/clientax.dll -> Spyware.180Solutions : Cleaned with backup
    C:\RECYCLER\NPROTECT\00960698.dll -> Spyware.180Solutions : Cleaned with backup
    C:\RECYCLER\NPROTECT\00960700.dll -> Spyware.180Solutions : Cleaned with backup
    C:\RECYCLER\NPROTECT\00961067.cab/clientax.dll -> Spyware.180Solutions : Cleaned with backup
    C:\RECYCLER\NPROTECT\00961068.dll -> Spyware.180Solutions : Cleaned with backup
    C:\RECYCLER\NPROTECT\00961074.dll -> Spyware.180Solutions : Cleaned with backup
    C:\RECYCLER\NPROTECT\00961133.exe -> Spyware.180Solutions : Cleaned with backup
    C:\RECYCLER\NPROTECT\00961476.dll -> Spyware.180Solutions : Cleaned with backup
    C:\RECYCLER\NPROTECT\00961481.exe -> Spyware.180Solutions : Cleaned with backup
    C:\RECYCLER\NPROTECT\00961733.exe -> Adware.Saha : Cleaned with backup
    C:\RECYCLER\NPROTECT\00961734.dll -> Adware.SAHA : Cleaned with backup
    C:\RECYCLER\NPROTECT\00961736.exe -> Adware.SAHA : Cleaned with backup
    C:\temp\180SAInstaller.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
    C:\temp\180SAInstaller.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
    C:\temp\bundle_cdt1006.exe -> Adware.Saha : Cleaned with backup
    C:\WINDOWS\csrs.exe -> Backdoor.Agobot.afk : Cleaned with backup
    C:\WINDOWS\DirectX.log:zsdko -> TrojanDownloader.Agent.bq : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\nCASELib.dll -> Spyware.180Solutions : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\pagomaster.dll -> Dialer.Generic : Cleaned with backup
    C:\WINDOWS\setupact.log:nfdmwg -> Spyware.SearchPage : Cleaned with backup
    C:\WINDOWS\sysnp32.exe -> TrojanDownloader.Agent.bq : Cleaned with backup
    C:\WINDOWS\system32:lcaa.dll -> TrojanDownloader.Small.azk : Cleaned with backup
    C:\WINDOWS\system32\drivers\etc\3.hosts -> Trojan.Qhost : Cleaned with backup
    C:\WINDOWS\system32\eraseme_08733.exe -> Backdoor.Agobot.afk : Cleaned with backup
    C:\WINDOWS\system32\eraseme_28830.exe -> Backdoor.SdBot.afp : Cleaned with backup
    C:\WINDOWS\system32\eraseme_37440.exe -> Backdoor.Agobot.afk : Cleaned with backup
    C:\WINDOWS\system32\sahagent1014.exe -> Adware.SAHA : Cleaned with backup
    C:\WINDOWS\system32\winenc32.dll -> TrojanSpy.Globar.a : Cleaned with backup
    C:\WINDOWS\system32\wmon32.exe -> Heuristic.Win32.Backdoor.IrcBot : Cleaned with backup
    C:\WINDOWS\Temp\Altnet\dmfiles.cab/AltnetUninstall.exe -> Spyware.Altnet : Cleaned with backup
    C:\WINDOWS\Temp\Altnet\dmfiles.cab/asmend.exe -> Spyware.Altnet : Cleaned with backup
    C:\WINDOWS\Temp\Altnet\pmfiles.cab/sysdetect.dll -> Adware.BrilliantDigital : Cleaned with backup
    C:\WINDOWS\Temp\Altnet\Setup.exe -> Spyware.Altnet : Cleaned with backup
    C:\WINDOWS\Temp\BUNDLE~1.EXE -> Adware.Saha : Cleaned with backup
    C:\WINDOWS\Temp\res16.tmp -> Spyware.180Solutions : Cleaned with backup
    C:\WINDOWS\Temp\res1B.tmp -> Spyware.180Solutions : Cleaned with backup


::Report End

What can I do with this? Tx in advance.

Edited by mike_2000_17: Fixed formatting

0

Hi, these are my last logs in HJT and Ewido.

Logfile of HijackThis v1.99.1
Scan saved at 8:11:18, on 30-09-2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wincodec.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\winstub.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.hotwebsearch.com/ie_search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ddedc.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://uk.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abola.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\omqsw.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ddedc.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\omqsw.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://uk.search.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\System32\awtqr.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1F3B52DC-E394-9E36-27E7-01C5F21E4FA5} - (no file)
O2 - BHO: (no name) - {31952D98-201F-E44F-99D8-B80E37D78431} - (no file)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Class - {6819E8F9-6B65-C66F-C5D9-F681C6CDEFBF} - C:\WINDOWS\netht.dll (file missing)
O2 - BHO: Class - {819A7027-6EEA-44B4-49C1-52F6992DCD01} - C:\WINDOWS\addrg.dll (file missing)
O2 - BHO: Class - {BB37280E-3BA4-0CF4-3710-D1E7E658044E} - C:\WINDOWS\apihv.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: Class - {CAF6E144-63FF-5169-432A-A4605DE3B9A4} - C:\WINDOWS\syswi32.dll (file missing)
O2 - BHO: Class - {D33C8F81-1BDD-D468-2853-B1D36D92CA19} - C:\WINDOWS\sysch32.dll (file missing)
O2 - BHO: Class - {F9D7B838-0128-DA47-424A-9E6B5C35E7D6} - C:\WINDOWS\system32\iepi32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\pt-pt\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Descarregar pelo Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Descarregar tudo pelo Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4B6015E7-3ABB-45DC-96B7-55A843751F28} (IntRuboskizo2 Class) - http://www.contenidospc.com/ruboskizo2.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9A934FAF-30A4-4A85-A1C4-958E8438E98C} (Inst Class) - http://www.freemusiccenter.com/dl/waeb.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6A3FD79-7312-4BCA-8C10-9B16DF6FDD27}: NameServer = 194.65.100.117
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: awtqr - C:\WINDOWS\SYSTEM32\awtqr.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Windows Codecs (Codec) - Unknown owner - C:\WINDOWS\wincodec.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Enables Java Support (Java) - Unknown owner - C:\WINDOWS\System32\winjava.exe (file missing)
O23 - Service: MS Smc Service (MSsmc) - Unknown owner - C:\WINDOWS\winsmc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: TCP/IP NetBIOS Connections (nbconn) - Unknown owner - C:\WINDOWS\winstub.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Time Sync (wservtime) - Unknown owner - C:\WINDOWS\csrss.exe (file missing)


---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:          1:34:51, 30-09-2005
 + Report-Checksum:     CD777643

 + Scan result:

    C:\Documents and Settings\Pedro\Cookies\pedro@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@fastclick[1].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@rotator.adjuggler[2].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
    C:\WINDOWS\system32\rdriv.sys -> Trojan.Rootkit.k : Cleaned with backup
    C:\WINDOWS\system32\waeb.dll -> Spyware.WorldAnywhere : Cleaned with backup


::Report End

---------------------------------------------

The computer keeps showing the NAV warning message about the Trojan.Cachecachekit.

Edited by mike_2000_17: Fixed formatting

0

Download CWShredder 2.15 from here. Run it and press *Fix*, not Scan, and allow it to clean the infection. Close all browser and explorer windows before hitting the Fix button.

===============

Download AboutBuster 5:

http://www.besttechie.net/tools/AboutBuster5.zip
http://www.malwarebytes.biz/AboutBuster5.zip

Once downloaded, unzip it, and put the folder on your desktop. Then double-click on the AboutBuster icon to start the program.

Click Update. This will start updating AboutBuster with the latest definition database.

Once it's done updating and you see that dialog, click Ok.

Close AboutBuster.

Reboot into safe mode following the instructions here.

Start AboutBuster and click Begin Removal.

When the scan is done, click Ok.


Run Ewido, and do a full scan. During the scan it will prompt you to clean files, click OK.

Save the logfile from the scan. Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

0

I followed the steps until the moment I was supposed to update AboutBuster. It won't let me; it showed a "Run-time error '5':Invalid procedure call or argument". So I had to use it without the update. Here are the logs.

AboutBuster 5.0 reference file 28
Scan started on [30-09-2005] at [20:00:36]
------------------------------------------------
Removed Stream! C:\WINDOWS\RtlRack.ini:kdixyj
Removed Stream! C:\WINDOWS\ZipItFast Pro 3.0 - A Free, Fast All in One Archive Utility! Setup Log.txt:bivpdx
------------------------------------------------
Removed File! : C:\Windows\kbamg.dat
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 20:01:12

------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 22:01:30, on 30-09-2005
Platform: Windows XP  (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wincodec.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\winstub.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\winsmc.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://uk.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abola.pt/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://uk.search.yahoo.com
R3 - Default URLSearchHook is missing
O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1F3B52DC-E394-9E36-27E7-01C5F21E4FA5} - (no file)
O2 - BHO: (no name) - {31952D98-201F-E44F-99D8-B80E37D78431} - (no file)
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Class - {6819E8F9-6B65-C66F-C5D9-F681C6CDEFBF} - C:\WINDOWS\netht.dll (file missing)
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\awtqo.dll
O2 - BHO: Class - {819A7027-6EEA-44B4-49C1-52F6992DCD01} - C:\WINDOWS\addrg.dll (file missing)
O2 - BHO: Class - {BB37280E-3BA4-0CF4-3710-D1E7E658044E} - C:\WINDOWS\apihv.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: Class - {CAF6E144-63FF-5169-432A-A4605DE3B9A4} - C:\WINDOWS\syswi32.dll (file missing)
O2 - BHO: Class - {D33C8F81-1BDD-D468-2853-B1D36D92CA19} - C:\WINDOWS\sysch32.dll (file missing)
O2 - BHO: Class - {F9D7B838-0128-DA47-424A-9E6B5C35E7D6} - C:\WINDOWS\system32\iepi32.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\pt-pt\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Descarregar pelo Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Descarregar tudo pelo Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4B6015E7-3ABB-45DC-96B7-55A843751F28} (IntRuboskizo2 Class) - http://www.contenidospc.com/ruboskizo2.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9A934FAF-30A4-4A85-A1C4-958E8438E98C} (Inst Class) - http://www.freemusiccenter.com/dl/waeb.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: awtqo - C:\WINDOWS\System32\awtqo.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Windows Codecs (Codec) - Unknown owner - C:\WINDOWS\wincodec.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Enables Java Support (Java) - Unknown owner - C:\WINDOWS\System32\winjava.exe (file missing)
O23 - Service: MS Smc Service (MSsmc) - Unknown owner - C:\WINDOWS\winsmc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: TCP/IP NetBIOS Connections (nbconn) - Unknown owner - C:\WINDOWS\winstub.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Time Sync (wservtime) - Unknown owner - C:\WINDOWS\csrss.exe (file missing)

-----------------------------------------------------

---------------------------------------------------------
 ewido security suite - Scan report
---------------------------------------------------------

 + Created on:          21:40:55, 30-09-2005
 + Report-Checksum:     4F6E66D0

 + Scan result:

    C:\Documents and Settings\Pedro\Cookies\pedro@as1.falkag[2].txt -> Spyware.Cookie.Falkag : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@doubleclick[2].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@revenue[2].txt -> Spyware.Cookie.Revenue : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@rotator.adjuggler[2].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
    C:\Documents and Settings\Pedro\Cookies\pedro@www.myaffiliateprogram[2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
    C:\WINDOWS\system32\awtqr.dll -> TrojanDownloader.Small.bpk : Cleaned with backup
    C:\WINDOWS\system32\awtsq.dll -> TrojanDownloader.Small.bpk : Cleaned with backup


::Report End

-------------------------------------------

What may I do with this?

Edited by mike_2000_17: Fixed formatting

0

Please do the following and then we will try to update about:buster later.

Please go to Jotti's and have these files scanned. Post the results back here.

C:\WINDOWS\System32\winjava.exe
C:\WINDOWS\winstub.exe
C:\WINDOWS\csrss.exe

===============

When we're done cleaning off your system, I'd recommend that you install all the critical Windows updates available from Microsoft, up to service pack 1. This will help to make your system more secure and prevent many 'problems' from reoccurring in the future.

===============

Now, let's open a command prompt by going to the start menu and then select 'Run'.

In the box that pops up type in 'cmd'. The command prompt will open.

OR

You can go to Start -> Programs -> Accessories -> Command Prompt.

Unregister the dll(s) we're going to remove by entering the following:

regsvr32 /u awtqo.dll

It's OK if these aren't found or 'error' out. If you want, just copy and paste the individual lines to the command prompt to save typing them in.

===============

Run HiJackThis, click "Scan", then check (tick) the following, if present:


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank

R3 - Default URLSearchHook is missing

O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - (no file)
O2 - BHO: (no name) - {1F3B52DC-E394-9E36-27E7-01C5F21E4FA5} - (no file)
O2 - BHO: (no name) - {31952D98-201F-E44F-99D8-B80E37D78431} - (no file)
O2 - BHO: Class - {6819E8F9-6B65-C66F-C5D9-F681C6CDEFBF} - C:\WINDOWS\netht.dll (file missing)
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\awtqo.dll
O2 - BHO: Class - {819A7027-6EEA-44B4-49C1-52F6992DCD01} - C:\WINDOWS\addrg.dll (file missing)
O2 - BHO: Class - {BB37280E-3BA4-0CF4-3710-D1E7E658044E} - C:\WINDOWS\apihv.dll (file missing)
O2 - BHO: Class - {CAF6E144-63FF-5169-432A-A4605DE3B9A4} - C:\WINDOWS\syswi32.dll (file missing)
O2 - BHO: Class - {D33C8F81-1BDD-D468-2853-B1D36D92CA19} - C:\WINDOWS\sysch32.dll (file missing)
O2 - BHO: Class - {F9D7B838-0128-DA47-424A-9E6B5C35E7D6} - C:\WINDOWS\system32\iepi32.dll (file missing)

O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
O16 - DPF: {4B6015E7-3ABB-45DC-96B7-55A843751F28} (IntRuboskizo2 Class) - http://www.contenidospc.com/ruboskizo2.cab
O16 - DPF: {9A934FAF-30A4-4A85-A1C4-958E8438E98C} (Inst Class) - http://www.freemusiccenter.com/dl/waeb.cab

O20 - Winlogon Notify: awtqo - C:\WINDOWS\System32\awtqo.dll


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, then click "Fix checked".

===============

Locate and delete the following item(s), if present. Make sure you are able to view system and hidden files/folders:

files...

C:\WINDOWS\System32\awtqo.dll

-

Note that some of these file(s)/folder(s) may or may not be present. If present, and cannot be deleted because they're 'in use', try deleting them in "Safe Mode".

-

Reboot.

===============

To help protect your system from hostile ActiveX content, or special 'downloadable' files:

Download, install and keep updated, SpywareBlaster. If you've installed it for the first time:

1) Check for any available updates; if present, they'll be automatically downloaded and installed.
2) Next, "Enable all protection".
3) Exit the program.

-

Note: Remember to regularly check for updates.

===============

After rebooting, rescan with HijackThis and post back a new log. Please let me know how your PC is now.

0

File: winstub.exe
Status: INFECTED/MALWARE
MD5 da898dc90f96795de5a0f2ecce950c7a
Packers detected: PE_PATCH, MEWBUNDLE, MEW
Scanner results
AntiVir Found Packer/MEW
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found BehavesLike:Trojan.FWDisable (probable variant)
ClamAV Found Worm.Mytob.GH
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of IRC/SdBot
Norman Virus Control Found W32/Suspicious_M.gen
UNA Found nothing
VBA32 Found Backdoor.Rbot.1 (probable variant)
---------------------------------------------------------
File: csrs.exe
Status: INFECTED/MALWARE
MD5 2d3a265ee8e40040095137d476020022
Packers detected: PE_PATCH, MEWBUNDLE, MEW
Scanner results
AntiVir Found Packer/MEW
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Backdoor.SDBot.4CBA7C1C
ClamAV Found Worm.Mytob.GH
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found Backdoor.Win32.Agobot.afk
NOD32 Found a variant of IRC/SdBot
Norman Virus Control Found W32/Suspicious_M.gen
UNA Found nothing
VBA32 Found Backdoor.Rbot.1 (probable variant)
-----------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 8:01:02, on 01-10-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wincodec.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\winstub.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://uk.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abola.pt/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://uk.search.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\awtqo.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\pt-pt\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Descarregar pelo Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Descarregar tudo pelo Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9A934FAF-30A4-4A85-A1C4-958E8438E98C} (Inst Class) - http://www.freemusiccenter.com/dl/waeb.cab
O16 - DPF: {9CCE3B43-4DE0-4236-A84E-108CA848EE6A} (WebCam Control) - http://www.webcamnow.com/broadcast/ActiveXWebCam.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6A3FD79-7312-4BCA-8C10-9B16DF6FDD27}: NameServer = 194.65.100.117
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: awtqo - C:\WINDOWS\System32\awtqo.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Windows Codecs (Codec) - Unknown owner - C:\WINDOWS\wincodec.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Enables Java Support (Java) - Unknown owner - C:\WINDOWS\System32\winjava.exe (file missing)
O23 - Service: MS Smc Service (MSsmc) - Unknown owner - C:\WINDOWS\winsmc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: TCP/IP NetBIOS Connections (nbconn) - Unknown owner - C:\WINDOWS\winstub.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Time Sync (wservtime) - Unknown owner - C:\WINDOWS\csrss.exe (file missing)
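
A rescan like the one above can be checked mechanically against the entries the helper asked to have fixed. This is an added example, not part of any post in this thread; the function names (`parse_entries`, `entry_key`, `persisting`, `unknown_owner_services`) are hypothetical, and the two sample blocks are short excerpts copied from the fix list and the 01-10-2005 log on this page.

```python
import re

# A HijackThis entry line is "<section code> - <details>", e.g. "O23 - Service: ...".
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
BBCODE_RE = re.compile(r"\[/?url\]", re.IGNORECASE)  # forum markup left around URLs
SERVICE_RE = re.compile(
    r"^Service: (?P<name>.+?) - Unknown owner - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Excerpt of the entries the helper asked to have fixed (copied from this thread).
FIX_LIST = r"""
R3 - Default URLSearchHook is missing
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\awtqo.dll
O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
O16 - DPF: {4B6015E7-3ABB-45DC-96B7-55A843751F28} (IntRuboskizo2 Class) - http://www.contenidospc.com/ruboskizo2.cab
O16 - DPF: {9A934FAF-30A4-4A85-A1C4-958E8438E98C} (Inst Class) - http://www.freemusiccenter.com/dl/waeb.cab
O20 - Winlogon Notify: awtqo - C:\WINDOWS\System32\awtqo.dll
"""

# Excerpt of the rescan saved on 01-10-2005 (copied from this thread).
RESCAN = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abola.pt/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\awtqo.dll
O16 - DPF: {9A934FAF-30A4-4A85-A1C4-958E8438E98C} (Inst Class) - http://www.freemusiccenter.com/dl/waeb.cab
O20 - Winlogon Notify: awtqo - C:\WINDOWS\System32\awtqo.dll
O23 - Service: Windows Codecs (Codec) - Unknown owner - C:\WINDOWS\wincodec.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Enables Java Support (Java) - Unknown owner - C:\WINDOWS\System32\winjava.exe (file missing)
O23 - Service: TCP/IP NetBIOS Connections (nbconn) - Unknown owner - C:\WINDOWS\winstub.exe
O23 - Service: Windows Time Sync (wservtime) - Unknown owner - C:\WINDOWS\csrss.exe (file missing)
"""


def parse_entries(log_text):
    """Return (code, body) for every entry line; headers and process lists are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = BBCODE_RE.sub("", raw).strip()
        match = ENTRY_RE.match(line)
        if match:
            entries.append((match.group("code"), match.group("body")))
    return entries


def entry_key(code, body):
    """Identity of an entry across scans: section code plus CLSID when one is
    present (so a later "(file missing)" suffix does not hide a match),
    otherwise the whitespace- and case-normalised body."""
    clsid = CLSID_RE.search(body)
    if clsid:
        return (code, clsid.group(0).upper())
    return (code, " ".join(body.lower().split()))


def persisting(fix_text, rescan_text):
    """Entries from the fix list that are still present in the rescan."""
    seen = {entry_key(code, body) for code, body in parse_entries(rescan_text)}
    return [
        f"{code} - {body}"
        for code, body in parse_entries(fix_text)
        if entry_key(code, body) in seen
    ]


def unknown_owner_services(log_text):
    """O23 services listed with "Unknown owner": (name, path, file_missing).
    This is a review queue, not a verdict; each binary still needs scanning."""
    found = []
    for code, body in parse_entries(log_text):
        match = SERVICE_RE.match(body) if code == "O23" else None
        if match:
            found.append((match.group("name"), match.group("path"),
                          match.group("missing") is not None))
    return found


if __name__ == "__main__":
    print("Still present after the fix:")
    for line in persisting(FIX_LIST, RESCAN):
        print("  " + line)
    print("Services with unknown owner:")
    for name, path, missing in unknown_owner_services(RESCAN):
        print(f"  {name}: {path}" + (" [file missing]" if missing else ""))
```

On these excerpts the check reports the `awtqo.dll` BHO, the `awtqo` Winlogon Notify entry and one DPF entry as still present after the fix.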

0

The NAV window keeps on popping, with the "Trojan.Cachecachekit" reference.

0

The NAV window about the Trojan.Cachecachekit has finished, but I don't know why, I still can't seem to work with my cam on Yahoo messenger, the image appears dusty, but it works perfectly on MSN Messenger.
Here is my latest HJT log.

-------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 4:55:02, on 02-10-2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\wincodec.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\winstub.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
C:\Program Files\The Cleaner\tca.exe
C:\Program Files\The Cleaner\tcm.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://uk.search.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.abola.pt/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://uk.search.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\awtqo.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\pt-pt\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [DataLayer] C:\PROGRA~1\COMMON~1\PCSuite\DATALA~1\DATALA~1.EXE
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\PROGRA~1\Nokia\NOKIAP~1\TRAYAP~1.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~2\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
O4 - HKLM\..\Run: [tcactive] C:\Program Files\The Cleaner\tca.exe
O4 - HKLM\..\Run: [tcmonitor] C:\Program Files\The Cleaner\tcm.exe
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Descarregar pelo Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: Descarregar tudo pelo Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: E&xportar para o Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O12 - Plugin for .bcf: C:\Program Files\Internet Explorer\Plugins\NPBelv32.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by17fd.bay17.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/installers/pinstall/pinstall.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9A934FAF-30A4-4A85-A1C4-958E8438E98C} (Inst Class) - http://www.freemusiccenter.com/dl/waeb.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D6A3FD79-7312-4BCA-8C10-9B16DF6FDD27}: NameServer = 194.65.100.117
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: awtqo - C:\WINDOWS\System32\awtqo.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Windows Codecs (Codec) - Unknown owner - C:\WINDOWS\wincodec.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Enables Java Support (Java) - Unknown owner - C:\WINDOWS\System32\winjava.exe (file missing)
O23 - Service: MS Smc Service (MSsmc) - Unknown owner - C:\WINDOWS\winsmc.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: TCP/IP NetBIOS Connections (nbconn) - Unknown owner - C:\WINDOWS\winstub.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Time Sync (wservtime) - Unknown owner - C:\WINDOWS\csrss.exe (file missing)

---------------------------------------------------------

0

I need you to upload each of these files to Jotti's so that I can see what they are:

C:\WINDOWS\wincodec.exe
C:\WINDOWS\System32\winjava.exe
C:\WINDOWS\winsmc.exe

Please post back the results for each.

==

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.

  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning and a list of forums to seek help at.
    It should look like this:

    VundoFix V2.1 by Atri
    By pressing enter you agree that you are using this at your own risk
    Please seek assistance at one of the following forums:
    http://www.atribune.org/forums
    http://www.247fixes.com/forums
    http://www.geekstogo.com/forum
    http://forums.net-integration.net

  • At this point press enter one time.
  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):

    C:\WINDOWS\System32\awtqo.dll

  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):

    C:\WINDOWS\System32\ogtwa.dll

  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run, then HijackThis will open.
  • In HijackThis, please place a check next to the following items and click FIX CHECKED:

    O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\awtqo.dll

    O20 - Winlogon Notify: awtqo - C:\WINDOWS\System32\awtqo.dll

  • After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death"; this is normal, do not worry!
  • Once your machine reboots, please continue with the instructions below.


Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
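A triage sketch for the O23 service lines of a HijackThis log like the one in this thread, added here as an example and not part of either post or of any tool named in it. The function names and the three flagging rules (owner shown as "Unknown owner", the "(file missing)" marker, and a path under C:\WINDOWS) are assumptions chosen for illustration; the sample lines are copied from the log above.

```python
import ntpath
import re

# Sample O23 lines copied from the HijackThis v1.99.1 log earlier in the thread.
SAMPLE_LOG = r"""
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Windows Codecs (Codec) - Unknown owner - C:\WINDOWS\wincodec.exe
O23 - Service: Enables Java Support (Java) - Unknown owner - C:\WINDOWS\System32\winjava.exe (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Layout: O23 - Service: <name> - <owner> - <path>[ (file missing)]
O23 = re.compile(
    r"^O23 - Service: (?P<name>.+) - (?P<owner>.+?) - "
    r"(?P<path>[A-Za-z]:\\.+?)(?P<missing> \(file missing\))?$"
)

def parse_o23(line):
    """Return the fields of one O23 line, or None for any other line."""
    m = O23.match(line.strip())
    if m is None:
        return None
    return {"name": m["name"], "owner": m["owner"],
            "path": m["path"], "missing": m["missing"] is not None}

def triage(log_text):
    """List (path, reasons) for services worth a second look."""
    findings = []
    for line in log_text.splitlines():
        svc = parse_o23(line)
        if svc is None:
            continue
        reasons = []
        if svc["owner"].lower() == "unknown owner":
            reasons.append("unknown owner")
            # Assumption: Windows is installed at C:\WINDOWS, as in this log.
            if ntpath.normcase(svc["path"]).startswith("c:\\windows\\"):
                reasons.append("unknown-owner binary under Windows directory")
        if svc["missing"]:
            reasons.append("file missing")
        if reasons:
            findings.append((svc["path"], reasons))
    return findings

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(f"{path}: {', '.join(reasons)}")
```

A flagged entry is only a candidate for submission to a multi-engine scanner, not a verdict.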
