Need help, thank you [RESOLVED]



#1
Dillan
  • Member
  • 35 posts
Alright, I have 2 main problems. Number 1: AVG keeps telling me that a virus has been found with the name Trojan Horse Downloader.Generic.QIG in the file C:\Windows\System32\qspanpp.dll and it won't go away. Number 2: Microsoft AntiSpyware keeps showing 2 files that keep showing up; their names are eXact.downloader and eXact.Bargainbuddy, and I really need these to be gone, so I will post my Hijack This! log and hopefully someone can get back to me. Thank you for all of your help.

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\yqrkcr.exe reg_run
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: pwgi.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowso...nSSWebAgent.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (CwlscInstall Object) - https://scan.safety....lscbase2213.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133403943093
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KDP - Unknown owner - C:\DOCUME~1\DILLAN~1\LOCALS~1\Temp\KDP.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

#2
Kat
  • Retired Staff
  • 19,711 posts
  • MVP
Hello and welcome to GeeksToGo. My name is Kat, and I will be helping you.

You also have a Q00logic infection. We can get you cleaned up, but first I need to see a complete HijackThis log. Please scan for and save a new log, then paste me the entire contents of the log.

Also, I would like to see an Uninstall list from HijackThis.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Please reply with the uninstall list, and a full copy of your HijackThis log. :tazz:
  • 0

#3
Dillan
  • Topic Starter
  • Member
  • 35 posts
My apologies, I didn't realize I didn't post a complete log. Anyway, here is the complete log, and the uninstall log will come in the post after this one.

Logfile of HijackThis v1.99.1
Scan saved at 10:11:50 PM, on 2/16/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Dillan Betts\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\yqrkcr.exe reg_run
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: pwgi.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowso...nSSWebAgent.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (CwlscInstall Object) - https://scan.safety....lscbase2213.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133403943093
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KDP - Unknown owner - C:\DOCUME~1\DILLAN~1\LOCALS~1\Temp\KDP.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0

#4
Dillan
  • Topic Starter
  • Member
  • 35 posts
Here's the uninstall log:

ABBYY FineReader 5.0 Sprint Plus
Adobe Acrobat - Reader 6.0.2 Update
Adobe Acrobat 5.0
Adobe Acrobat and Reader 6.0.3 Update
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 6.0.1
America Online (Choose which version to remove)
AOL Coach Version 1.0(Build:20040229.1 en)
AOL Communicator (remove only)
AOL Connectivity Services
AOL Deskbar
AOL Spyware Protection
AOL You've Got Pictures Screensaver
AVG Free Edition
AviSynth 2.5
BellSouth FastAccess DSL Help Center
CCleaner (remove only)
Classic PhoneTools
CleanUp!
Conexant HSF V92 56K RTAD Speakerphone PCI Modem
Cypress USB Mass Storage Driver Installation
Dell Digital Jukebox Driver
Dell Modem-On-Hold
Dell Picture Studio - Dell Image Expert
Dell Solution Center
Dell Support 5.0.0 (766)
Digital Line Detect
DVDSentry
Easy CD Creator 5 Basic
Empire Earth II
EPSON Printer Software
ewido security suite
Google Earth
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Intel® PRO Ethernet Adapter and Software
Intel® PROSet II
iPod for Windows 2005-09-06
iPod for Windows User Guide
iPod System Software Updater 2.1
IrfanView (remove only)
iTunes
Java 2 Runtime Environment, SE v1.4.2_05
Learn2 Player (Uninstall Only)
Lexmark X6100 Series
LimeWire 4.8.1
Macromedia Flash MX
Macromedia Flash Player 8
Macromedia Shockwave Player
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.1
Microsoft AntiSpyware
Microsoft Encarta Encyclopedia Standard 2003
Microsoft Money 2003
Microsoft Money 2003 System Pack
Microsoft Picture It! Photo 7.0
Microsoft Streets and Trips 2002
Microsoft Windows Journal Viewer
Microsoft Word 2002
Microsoft Works 2003 Setup Launcher
Microsoft Works 7.0
Microsoft Works Suite Add-in for Microsoft Word
Modem Helper
Mozilla Firefox (1.0.7)
MSN Messenger 7.0
MSXML 4.0 SP2 Parser and SDK
MSXML4 Parser
Napster
Napster Burn Engine
NVIDIA Display Driver
NVIDIA Windows 2000/XP Display Drivers
Paint Shop Pro 7
PowerDVD
Print to Fax
PSP Video 9 1.53
Pure Networks Port Magic
QuickTime
RealPlayer
RTC Client API v1.2
Shockwave
Sound Blaster Live!
Star Wars Galaxies
Stronghold Crusader
Terayon DOCSIS Modem
The Battle for Middle-earth ™
The Sims 2
The Sims Superstar
TrojanHunter 4.2
USB Storage Adapter FX (SM1)
Windows Genuine Advantage v1.3.0254.0
Windows Live Safety scanner
Windows Media Format Runtime
Windows Media Player 10
World of Warcraft
  • 0

#5
Kat
  • Retired Staff
  • 19,711 posts
  • MVP
1. Show Hidden Files and Folders:
  • Click Start
  • Double click on “My Computer”
  • Select the Tools menu and click on Folder Options, then click the View tab
  • Under the Hidden Files and Folders heading, select “Show hidden files and folders”
  • Uncheck the “Hide protected operating system files” option.
  • Uncheck the “Hide file extensions for known file types” box
  • Click “yes” to confirm, then click “ok”

2. Please open your Ewido program, and manually update it. Now close Ewido, we will use it later.

3. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\yqrkcr.exe reg_run
O4 - Global Startup: pwgi.exe


4. Now close all windows other than HiJackThis, then click Fix Checked.

5. Reboot into safe mode. Restart your computer and, as soon as it starts booting up again, continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

6. Please run Ewido as follows:
  • It is VERY IMPORTANT that you do not "multi task" while Ewido runs. Please do not open/run ANYTHING else during the scan...this includes all files, programs, folders, games, etc. ONLY have Ewido running.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.

7. Reboot normally!

8. Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
9. Please reply here with a new HijackThis log, a copy of the Ewido report, and the scan results from ActiveScan. :tazz:
  • 0
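
One way to check a follow-up HijackThis log against the entries checked in step 3, shown as an added example that is not part of the original post. The log excerpts are copied from the logs on this page (truncated URLs kept as they appear); the function names and report keys are this example's own.

```python
import re
from collections import namedtuple

# A HijackThis result line is "<section code> - <detail>", for example
# "O4 - Global Startup: pwgi.exe". Header and process-list lines do not match.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2})\s+-\s+(?P<detail>.+)$")
Entry = namedtuple("Entry", "section detail")

# Excerpt of the 2/16/2006 log on this page (URLs are truncated on the page).
BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\yqrkcr.exe reg_run
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - Global Startup: pwgi.exe
O23 - Service: KDP - Unknown owner - C:\DOCUME~1\DILLAN~1\LOCALS~1\Temp\KDP.exe (file missing)
"""

# Excerpt of the 2/17/2006 follow-up log on this page.
AFTER = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: KDP - Unknown owner - C:\DOCUME~1\DILLAN~1\LOCALS~1\Temp\KDP.exe (file missing)
"""

# The entries listed in step 3 of the post above.
FIX_LIST = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\yqrkcr.exe reg_run
O4 - Global Startup: pwgi.exe
"""


def parse_log(text):
    # Keep only result entries; the header, the "Running processes" list
    # and blank lines are skipped because they do not match ENTRY_RE.
    entries = []
    for line in text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append(Entry(match.group("section"), match.group("detail")))
    return entries


def key(entry):
    # Windows paths and registry names are case-insensitive, and forum
    # copy/paste can change spacing, so compare on a normalized form.
    return (entry.section, " ".join(entry.detail.lower().split()))


def verify_fix(fix_list, before, after):
    # Compare the helper's fix list with the logs taken before and after.
    before_keys = {key(e) for e in parse_log(before)}
    after_entries = parse_log(after)
    after_keys = {key(e) for e in after_entries}
    targets = parse_log(fix_list)
    return {
        # Listed for fixing but absent from the first log (likely a paste error).
        "not_in_before": [e for e in targets if key(e) not in before_keys],
        # Listed for fixing and still there: the fix failed or the entry came back.
        "still_present": [e for e in targets if key(e) in after_keys],
        "removed": [e for e in targets
                    if key(e) in before_keys and key(e) not in after_keys],
        # Anything that appeared between the two scans deserves a second look.
        "new_in_after": [e for e in after_entries if key(e) not in before_keys],
        # Leftover registrations whose target file no longer exists.
        "file_missing": [e for e in after_entries
                         if e.detail.endswith("(file missing)")],
    }


if __name__ == "__main__":
    for name, found in verify_fix(FIX_LIST, BEFORE, AFTER).items():
        print(f"{name}: {len(found)}")
        for entry in found:
            print(f"    {entry.section} - {entry.detail}")
```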

#6
Dillan
  • Topic Starter
  • Member
  • 35 posts
OK, I'm running the Panda Scan right now, but it's taking a while, so I will post the results to everything all at once tomorrow. Thank you very much for your help.
  • 0

#7
Kat
  • Retired Staff
  • 19,711 posts
  • MVP
You're welcome. :tazz: I will be gone for a few hours this afternoon, but will be back later this evening. I'll check in on you again then.
  • 0

#8
Dillan
  • Topic Starter
  • Member
  • 35 posts
OK, here is the Hijack This! log:

Logfile of HijackThis v1.99.1
Scan saved at 7:37:33 PM, on 2/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Dillan Betts\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowso...nSSWebAgent.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (CwlscInstall Object) - https://scan.safety....lscbase2213.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133403943093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KDP - Unknown owner - C:\DOCUME~1\DILLAN~1\LOCALS~1\Temp\KDP.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Here is the Ewido Scan Log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:59:47 PM, 2/16/2006
+ Report-Checksum: D7463AC6

+ Scan result:

HKLM\SOFTWARE\Classes\ADP.UrlCatcher -> Adware.BargainBuddy : Error during cleaning
HKLM\SOFTWARE\Classes\ADP.UrlCatcher\CLSID -> Adware.BargainBuddy : Error during cleaning
HKLM\SOFTWARE\Classes\ADP.UrlCatcher.1 -> Adware.BargainBuddy : Error during cleaning
HKLM\SOFTWARE\Classes\WToolsB.ResProtocol -> Adware.WebSearch : Error during cleaning
HKLM\SOFTWARE\Microsoft\Netstat -> Adware.Ezula : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Webext -> Adware.Ezula : Cleaned with backup
HKU\.DEFAULT\Software\aurora -> Adware.BetterInternet : Cleaned with backup
HKU\.DEFAULT\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKU\.DEFAULT\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-18\Software\aurora -> Adware.BetterInternet : Cleaned with backup
HKU\S-1-5-18\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-18\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Brooks Betts\Application Data\Mozilla\Firefox\Profiles\4xqaucss.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Brooks Betts\Application Data\Mozilla\Firefox\Profiles\4xqaucss.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Brooks Betts\Application Data\Mozilla\Firefox\Profiles\4xqaucss.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Brooks Betts\Application Data\Mozilla\Firefox\Profiles\4xqaucss.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Brooks Betts\Application Data\Mozilla\Firefox\Profiles\4xqaucss.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Brooks Betts\Cookies\brooks [email protected][1].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Brooks Betts\Cookies\brooks betts@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Linkbuddies : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup
:mozilla.99:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned with backup
:mozilla.132:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.133:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup
:mozilla.138:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Starware : Cleaned with backup
:mozilla.148:C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Dillan Betts\Cookies\dillan [email protected][2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Dillan Betts\Cookies\dillan [email protected][1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@centrport[1].txt -> TrackingCookie.Centrport : Cleaned with backup
C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@clickbank[1].txt -> TrackingCookie.Clickbank : Cleaned with backup
C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Dillan Betts\Cookies\dillan [email protected][2].txt -> TrackingCookie.Tracking101 : Cleaned with backup
C:\Documents and Settings\Dillan Betts\Cookies\dillan [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Dillan Betts\Cookies\dillan [email protected][1].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Dillan Betts\Cookies\dillan [email protected][1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Dillan Betts\Cookies\dillan [email protected][1].txt -> TrackingCookie.Adbrite : Cleaned with backup
C:\Documents and Settings\Dillan Betts\Cookies\dillan [email protected][1].txt -> TrackingCookie.Coremetrics : Cleaned with backup
C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@valueclick[1].txt -> TrackingCookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Dillan Betts\Desktop\backups\backup-20060216-225044-414-pwgi.exe -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\02BE828F-0381-45AF-869C-598798.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\03009478-24FD-455B-881B-14E6F3.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\04C9D4AF-FDC0-4119-AC32-6497BD.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\08AB30AA-09D5-4247-A6F6-325A9A.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\08C052FA-4449-4AF3-9BA2-D745A9.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\0DB24E2E-452A-41DA-8DF8-21729F.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\10492A93-22C2-4A34-A2C1-CFBB19.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\14F56F6F-341B-4E0D-B156-BFF06E.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\19F8643B-F523-4E32-8B82-224C57.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\1B3CFAA9-DC18-49F8-A9ED-C9027C.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\1BBA897A-939C-4843-B1BE-04C66C.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\20873130-2B44-4260-85EF-31B025.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\21D33A77-DA24-42E6-9C35-AADDFF.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\25F80B35-8E38-415D-AF57-4551CA.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\2C7CFA25-90EB-4931-8B6F-842830.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\2FDE9A64-711A-472D-9FA5-22C1F8.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\35029452-9AD5-4F20-A468-B7404B.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\3B014367-DB2F-47D4-98B4-6276B8.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\3CF002C1-8565-40DB-8185-1CF9E8.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\3DEBB7B5-EA5D-4471-B06F-F12E89.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\464F3213-F32F-4BAE-9AFA-D326E7.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\467E8015-93D6-42F2-BB67-93A679.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\497D1EE4-F1B0-4FCE-AFB1-C4DC20.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\52A3C70C-2D89-4DA5-8F1C-EACE1B.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\620AC319-EDCF-4FA1-8CDE-C6075B.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\65E178DF-88C1-45FD-AABB-5C2F01.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\71F3207E-553A-475E-BC3C-F88C55.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\812F92DF-4238-47DC-BF9D-E5FF8D.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\825D977C-ED0D-4ACA-839D-11FC4D.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\85CBC0D0-4684-4214-B2F5-85B5B8.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\874FA537-9EC5-4318-B769-AFF767.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\92ABC226-3141-4613-BC90-A327DB.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\960F20F4-4766-4E0A-B7B6-4C5EE5.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\97E5E47D-EEBA-4921-BD38-B2AF36.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\97F8D7CB-045F-49AD-8ACC-DA1662.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\9C37197A-D536-4484-A4F9-9BF99B.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\9D6C4ADB-3EE6-4179-8DED-B99376.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\AB714E1B-9878-4E74-818C-8F0474.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\AD0F8E83-157D-4889-AB46-BFF148.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\B3E6CE14-B46E-46B1-8E48-11EC89.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\BA02F53D-2AB9-4FAA-B358-700E61.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\BB8EDA67-1FAF-4E5F-B1D8-BDA5F4.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\C3813698-8444-4A86-88AD-40EEFE.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\CCC80F69-B025-4B13-A437-13E3D6.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\CFAB9FC7-1543-449A-8914-6997CD.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\D5BC9BE9-ED46-4DBB-9E75-8A01B5.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\DA23BD74-3CD3-40B4-A0D7-0062B8.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\DAF2A2DE-B815-4174-8473-250195.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\DC1F6F1E-5316-46CF-8482-8F818A.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\E11E2273-F927-40F0-8FBE-FCD274.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\E7B64E98-8F73-4A8F-96E5-9821EE.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\E8178747-6D5B-41D4-BFCB-B12DE6.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\E9290F5D-7099-4655-88A8-2DBA85.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\EA0235CD-8541-4FD2-BAB7-3107FD.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\EA339898-0E38-48F9-A837-2CA8E3.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\F33089D1-A927-49A5-87CA-CF8615.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\F7CB4CFC-F2E3-4E9B-AE9D-4173F0.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\F83D560A-CA41-411E-B289-3D7B45.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\F8562A87-19CA-4969-A8D0-191EDB.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\FB68FB4A-9C21-4EEC-9ECB-19E2C2.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\FF1FC6F5-0F93-4950-940C-1B2087.asq -> Downloader.Qoologic.aw : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\F20C02EB-37E9-4E68-A86A-75E4FB\E53B0B58-C0C9-4EE7-8C1A-91FD7C -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\SYSTEM32\kvdcddv.exe -> Downloader.Qoologic.aw : Cleaned with backup
C:\WINDOWS\SYSTEM32\qgbvk.dat -> Downloader.Qoologic.aw : Cleaned with backup
C:\WINDOWS\SYSTEM32\word\dlcl.edp -> Backdoor.Zapchast : Cleaned with backup
C:\WINDOWS\SYSTEM32\word\few.exe -> Not-A-Virus.NetTool.Win32.Sniffer.b : Cleaned with backup
C:\WINDOWS\SYSTEM32\yqrkcr.exe -> Downloader.Qoologic.aw : Cleaned with backup


::Report End

And here is the Panda Active Scan Report:


Incident Status Location

Adware:adware/cws Not disinfected C:\Documents and Settings\Dillan Betts\Favorites\LIVING\Find a Degree.lnk
Spyware:spyware/whazit Not disinfected C:\WINDOWS\SYSTEM32\fiz1
Adware:adware/popuper Not disinfected C:\Documents and Settings\Dillan Betts\Favorites\Online Pharmacy.url
Potentially unwanted tool:application/regclean32 Not disinfected C:\PROGRAM FILES\Registry Cleaner Trial
Adware:adware program Not disinfected C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
Adware:adware/pacimedia Not disinfected C:\Documents and Settings\Dillan Betts\Favorites\1111
Adware:adware/wupd Not disinfected Windows Registry
Potentially unwanted tool:application/myway Not disinfected HKEY_CLASSES_ROOT\CLSID\{66FC8717-EFA7-4546-8C4A-E224F3A80C76}
Adware:adware/webext Not disinfected Windows Registry
Potentially unwanted tool:application/winfixer2005 Not disinfected HKEY_CLASSES_ROOT\AppID\{8C65AEF6-E413-4314-815B-82717A3F1603}
Adware:adware/bigtrafficnet Not disinfected Windows Registry
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Dillan Betts\Cookies\dillan [email protected][2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@adrevolver[3].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@ask[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@azjmp[2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@banner[2].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@bravenet[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@maxserving[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@realmedia[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@rn11[1].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@tucows[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt[.ask.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt[.i.screensavers.com/]
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Brooks Betts\Application Data\Mozilla\Firefox\Profiles\4xqaucss.default\cookies.txt[]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Brooks Betts\Cookies\brooks [email protected][2].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Brooks Betts\Cookies\brooks betts@ask[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Dillan Betts\Application Data\Mozilla\Firefox\Profiles\2135liz5.default\cookies.txt[]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Dillan Betts\Cookies\dillan [email protected][2].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@adrevolver[3].txt
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@ask[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@azjmp[2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@banner[2].txt
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@bravenet[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@maxserving[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@realmedia[2].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@rn11[1].txt
Spyware:Cookie/Tucows Not disinfected C:\Documents and Settings\Dillan Betts\Cookies\dillan betts@tucows[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Mary Betts\Cookies\mary betts@realmedia[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\plumchoice\l2mfix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\plumchoice\l2mfix.exe[Process.exe]
Adware:Adware/VirtualBouncer Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\2D9B347A-115A-4792-AE75-07A0B8\5C2C159C-9092-44DB-82AA-C0052A
Spyware:Spyware/ClearSearch Not disinfected C:\WINDOWS\SYSTEM32\O.BAT
  • 0

#9
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
1. Disable a bad running service:
  • Go to Start | Run
  • Then type services.msc
  • This will launch a new window, scroll down on the list and search for (KDP)
  • Right click on this entry and select stop
  • Now right click and select properties, you will get new box with tabs.
    In the General Tab, look for Start Up Type: in the drop down box select Disabled
  • Click Apply then OK and close out of the console.
2. Show Hidden Files and Folders:
  • Click Start
  • Double click on “My Computer”
  • Select Tools menu, and click on Folder Options, then click the View tab
  • Under Hidden Files and Folders heading, select “Show hidden files and folders”
  • Uncheck the “hide protected operating systems files” options.
  • Uncheck the “Hide file extensions for known file types” box
  • Click “yes” to confirm, then click “ok”

3. Reboot to safe mode by continually tapping the F8 key as the computer begins to boot.

4. Delete the following files:

C:\Documents and Settings\Dillan Betts\Favorites\LIVING\Find a Degree.lnk
C:\WINDOWS\SYSTEM32\fiz1
C:\Documents and Settings\Dillan Betts\Favorites\Online Pharmacy.url
C:\WINDOWS\SYSTEM32\cache32dsrf4535dfs
C:\Documents and Settings\Dillan Betts\Favorites\1111
C:\WINDOWS\SYSTEM32\O.BAT


5. Deleting an NT service:
  • Open HJT and click the "Open misc tools" section. Then click "Delete an NT service". In the text box paste or type KDP and click OK. Then let the machine reboot!
6. Launch Notepad, and copy/paste the contents of the quote box below into a new Notepad file. Save it with file name options.txt and save as file type: all files to your desktop.

RegSearch Options File

[Search]
wupd
webext
winfixer2005
bigtrafficnet
ADP.UrlCatcher
WToolsB.ResProtocol

[Exclude]

[Options]
Filter=KVDLUI



7. Download Registry Search to your desktop.
  • Right click on the compressed RegSearch folder, and choose "Extract All". In the box that pops open, click "Next", then "Next" again, and then "Finish". You now have another RegSearch folder on your desktop.
  • Open the new folder, and double click on regsearch.exe
  • Click "Import" in the lower left corner and browse to the options.txt file that you just saved on your desktop. Do not choose the one in the RegSearch folder itself.
  • Click OK and Registry Search will scan your registry for the file(s), and a Notepad box will open with a report.
  • Please reply here with the entire contents of the Notepad file from RegSearch.
8. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

9. Please make a reply here with a new HijackThis log, and the contents of the RegistrySearch report. :tazz:
  • 0

#10
Dillan

Dillan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Here is the RegSearch Log:

REGEDIT4

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.0.1

; Results at 2/17/2006 8:55:09 PM for strings:
; 'wupd'
; 'webext'
; 'winfixer2005'
; 'bigtrafficnet'
; 'adp.urlcatcher'
; 'wtoolsb.resprotocol'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADP.UrlCatcher]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADP.UrlCatcher\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADP.UrlCatcher.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADP.UrlCatcher.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B881261C-BDB3-11D0-B19E-00A0C91E29D8}]
@="WebExtenderClient Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B881261C-BDB3-11D0-B19E-00A0C91E29D8}\ProgID]
@="WECAPI5.WebExtenderClient.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B881261C-BDB3-11D0-B19E-00A0C91E29D8}\VersionIndependentProgID]
@="WECAPI5.WebExtenderClient"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6FD0A13-43F0-11D1-BE58-00A0C90A4335}]
@="WebExtenderClient Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6FD0A13-43F0-11D1-BE58-00A0C90A4335}\ProgID]
@="WECAPI2.WebExtenderClient.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6FD0A13-43F0-11D1-BE58-00A0C90A4335}\VersionIndependentProgID]
@="WECAPI2.WebExtenderClient"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI2.WebExtenderClient]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI2.WebExtenderClient]
@="WebExtenderClient Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI2.WebExtenderClient\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI2.WebExtenderClient.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI2.WebExtenderClient.1]
@="WebExtenderClient Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI2.WebExtenderClient.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI5.WebExtenderClient]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI5.WebExtenderClient]
@="WebExtenderClient Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI5.WebExtenderClient\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI5.WebExtenderClient.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI5.WebExtenderClient.1]
@="WebExtenderClient Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI5.WebExtenderClient.1\CLSID]

; End Of The Log...



And here is the Hijack This! log:

Logfile of HijackThis v1.99.1
Scan saved at 9:03:00 PM, on 2/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Dillan Betts\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bellsouth.net
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Lexmark X6100 Series] "C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {13EC55CF-D993-475B-9ACA-F4A384957956} (Controller Class) - https://www.windowso...nSSWebAgent.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com...kup/qdiagcc.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (CwlscInstall Object) - https://scan.safety....lscbase2213.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133403943093
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Unknown owner - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
  • 0


#11
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Copy the entire contents of the code box below into a new Notepad file. Save the file on your desktop with file name fix.reg and save as file type all files.

REGEDIT 4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADP.UrlCatcher]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADP.UrlCatcher\CLSID]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADP.UrlCatcher.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADP.UrlCatcher.1\CLSID]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B881261C-BDB3-11D0-B19E-00A0C91E29D8}]
"WebExtenderClient Class"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B881261C-BDB3-11D0-B19E-00A0C91E29D8}\ProgID]
"WECAPI5.WebExtenderClient.1"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B881261C-BDB3-11D0-B19E-00A0C91E29D8}\VersionIndependentProgID]
"WECAPI5.WebExtenderClient"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6FD0A13-43F0-11D1-BE58-00A0C90A4335}]
"WebExtenderClient Class"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6FD0A13-43F0-11D1-BE58-00A0C90A4335}\ProgID]
"WECAPI2.WebExtenderClient.1"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6FD0A13-43F0-11D1-BE58-00A0C90A4335}\VersionIndependentProgID]
"WECAPI2.WebExtenderClient"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI2.WebExtenderClient]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI2.WebExtenderClient]
"WebExtenderClient Class"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI2.WebExtenderClient\CLSID]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI2.WebExtenderClient.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI2.WebExtenderClient.1]
"WebExtenderClient Class"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI2.WebExtenderClient.1\CLSID]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI5.WebExtenderClient]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI5.WebExtenderClient]
"WebExtenderClient Class"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI5.WebExtenderClient\CLSID]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI5.WebExtenderClient.1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI5.WebExtenderClient.1]
"WebExtenderClient Class"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI5.WebExtenderClient.1\CLSID]

Be sure everything else is closed, then double click on fix.reg on your desktop. You will receive a prompt similar to "Are you sure you wish to merge with the registry". Please answer Yes. When you see the message "merged successfully", click "ok" or exit out.

Once you have done this, please reply here and let me know how things are running now. Your HijackThis log is clean. If you're still having issues, please let me know exactly what they are, and we'll deal with them. :tazz:
  • 0

#12
Dillan

Dillan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
I followed the directions you gave me, but when I clicked "yes" to the "are you sure you wish to merge with the registry" I got an alert that says "Registry Editor: Cannot import C:\Documents and Settings\Dillan Betts\Desktop\fix.reg: The specified file is not a registry script. You can only import binary registry files from within the registry editor".
  • 0
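Regedit rejects a text file whose first line is not one of its signatures, and the fix.reg posted earlier begins with `REGEDIT 4` rather than `REGEDIT4`. The Python check below is an added example, not part of the thread or of any tool named in it: it lints a .reg file before import and also flags two other syntax slips visible in that file (a value's data used as its name in a delete line, and a key re-opened after it was deleted). The function names and finding codes are made up for illustration, and the sample files are abridged from the fix.reg and RegSearch posts above.

```python
import re
from typing import NamedTuple

# Signatures regedit accepts on the first line of a text .reg file.
ACCEPTED_HEADERS = {"REGEDIT4", "Windows Registry Editor Version 5.00"}

SECTION = re.compile(r"^\[(-?)(HKEY_[^\]]+)\]$")        # [KEY] or [-KEY]
VALUE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')      # @=... or "name"=...


class Finding(NamedTuple):
    line: int
    code: str
    detail: str


def parse_export(text):
    """Map lowercased key path -> {value name: raw data} from a text export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            current = keys.setdefault(m.group(2).lower(), {})
            continue
        m = VALUE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
    return keys


def lint_reg(fix_text, export_text=""):
    """Return syntax findings for a .reg file, optionally checked against
    a search export taken from the same machine (hypothetical helper)."""
    findings = []
    exported = parse_export(export_text)
    lines = fix_text.splitlines()

    # 1. Header: first non-empty line, compared after stripping whitespace.
    first = next(((n, l.strip()) for n, l in enumerate(lines, 1) if l.strip()), None)
    if first is None or first[1] not in ACCEPTED_HEADERS:
        findings.append(Finding(first[0] if first else 1, "bad-header",
                                first[1] if first else "<empty file>"))

    deleted, current = [], None
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            key = m.group(2).lower()
            if m.group(1):                      # [-KEY] removes key and subkeys
                deleted.append(key)
                current = None
            else:
                current = key
                # 2. A plain [KEY] header creates the key, so naming a key
                #    (or a subkey of one) deleted earlier brings it back.
                if any(key == d or key.startswith(d + "\\") for d in deleted):
                    findings.append(Finding(n, "recreates-deleted-key", m.group(2)))
            continue
        m = VALUE.match(line)
        if m and current and m.group(2) == "-" and m.group(1) != "@":
            # 3. "X"=- deletes a value *named* X. If the export shows X only
            #    as the data of the default value (@), the line removes nothing.
            known = exported.get(current, {})
            if m.group(1) not in known and known.get("@") == m.group(1):
                findings.append(Finding(n, "data-used-as-name", m.group(1)))
    return findings


# Abridged from the fix.reg posted in the thread.
FIX_REG = r"""REGEDIT 4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADP.UrlCatcher]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6FD0A13-43F0-11D1-BE58-00A0C90A4335}]
"WebExtenderClient Class"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI2.WebExtenderClient]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI2.WebExtenderClient]
"WebExtenderClient Class"=-
"""

# Abridged from the RegSearch log posted in the thread.
EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADP.UrlCatcher]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6FD0A13-43F0-11D1-BE58-00A0C90A4335}]
@="WebExtenderClient Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI2.WebExtenderClient]
@="WebExtenderClient Class"
"""

# The same operations in syntax that passes the lint (illustrates syntax only).
SYNTAX_OK = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\ADP.UrlCatcher]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F6FD0A13-43F0-11D1-BE58-00A0C90A4335}]
@=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WECAPI2.WebExtenderClient]
"""

if __name__ == "__main__":
    for f in lint_reg(FIX_REG, EXPORT):
        print(f"line {f.line}: {f.code}: {f.detail}")
```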

#13
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Did you use Notepad, and not WordPad or Microsoft Word? It has to be Notepad. Also, the name has to be fix.reg and it must be saved as type all files.
  • 0

#14
Dillan

Dillan

    Member

  • Topic Starter
  • Member
  • PipPip
  • 35 posts
Yes, I used Notepad and yes, it is called fix.reg and it is saved to all files. Oh, and the annoying AVG alert isn't coming up anymore, so no more Trojan downloader. But Windows antivirus still shows that eXact.downloader and eXact.BargainBuddy are still in my computer.
  • 0

#15
Kat

Kat

    Retired

  • Retired Staff
  • 19,711 posts
  • MVP
Can you tell me where Windows antivirus is saying that those are located?

Let's run SpySweeper on a free trial. This program is very good at clearing junk out of the registry, and also cleaning things that Ewido can't find. Unfortunately, no one program can find it all. :tazz:

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click Download Now to download the program.
  • Install it. Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Please be sure to NOT surf the internet or anything else while SpySweeper is running. :)
  • 0





