HJT log
Jason1971
08-01-2005, 08:27 AM
Hello all, I am trying to rid my friend's laptop (http://www.pcguide.com/vb/showthread.php?t=39299) of all scumware. I've run CWShredder, Ad-Aware, and Spybot S&D. So here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 6:06:47 AM, on 8/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.exe
c:\windows\system32\nrsfqf.exe
D:\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://email.ou.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\Adstartup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [exp] C:\WINDOWS\System32\exp
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [AutoLoaderws4l1dMXZQXW] "C:\WINDOWS\System32\wexrxy.exe"
O4 - HKLM\..\Run: [wFnP3pR] wexrxy.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Nbburi.exe
O4 - HKLM\..\Run: [Okelgv] C:\Program Files\Lleakq\Ttupsp.exe
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\aaraon.exe reg_run
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitencc32.exe
O4 - HKLM\..\Run: [dvdqozf] c:\windows\system32\nrsfqf.exe r
O4 - HKLM\..\RunOnce: [DeleteYourSiteBar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\YourSiteBar\ysb.dll"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ho4FRfd3e] vfpcrap.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [qqik] C:\PROGRA~1\COMMON~1\qqik\qqikm.exe
O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Global Startup: dpkp.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1446/ftp.coupons.com/r3302/cpbrkpie.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
Thanks,
Jason
classicsoftware
08-01-2005, 06:19 PM
Please download, install, and update the free version of Ewido trojan scanner (http://www.ewido.net/en/download/):
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful"), exit Ewido. DO NOT scan yet.
Download CCleaner (http://www.ccleaner.com/ccdownload.asp) and install, but do not run it yet.
Please download this revised installer for the Nailfix utility (http://users.pandora.be/bluepatchy/nailfix.exe).
DO NOT run it yet.
Reboot into Safe Mode. To do this with Windows XP, you can follow these steps from Microsoft (http://support.microsoft.com/default.aspx?kbid=315222):
Restart your computer and start pressing the F8 key on your keyboard. On a computer that is configured for booting to multiple operating systems, you can press the F8 key when the Boot Menu appears.
Select an option when the Windows Advanced Options menu appears, and then press ENTER.
When the Boot menu appears again, and the words "Safe Mode" appear in blue at the bottom, select the installation that you want to start, and then press ENTER.
Once in Safe Mode, please double-click on nailfix.exe. Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish". Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.
Next, run Ewido again.
Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Then run HijackThis, click Scan, and place a checkmark by the following item:
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
Close all open windows except for HijackThis and click Fix Checked.
Now, run CCleaner.
Uncheck "Cookies" under "Internet Explorer".
If running Firefox: click on the "Applications" tab and uncheck "Cookies" under "Firefox".
Click on Run Cleaner in the lower right-hand corner. This can take quite a while to run.
Finally, restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.
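The procedure above ends with a before/after pair of HijackThis logs, and the one entry singled out for a manual fix is the system.ini Shell= line. The script below is an added example, not part of this thread or of HijackThis itself: it parses HJT log lines, reports anything the Shell= value loads besides Explorer.exe, maps the O4 autostart entries, and diffs two logs from the same machine so that removed entries, new entries, and entries that now read "(file missing)" show up at a glance. The sample lines are copied from the two logs posted in this thread; the function names, the Entry type, and the rule "a clean XP Shell= value is exactly Explorer.exe" are this example's own assumptions.

```python
import re
import shlex
from dataclasses import dataclass

# Constructed sample: a handful of lines copied from the two HJT logs posted in
# this thread, before and after the nailfix/ewido cleanup.
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [dvdqozf] c:\windows\system32\nrsfqf.exe r
O4 - HKLM\..\RunOnce: [DeleteYourSiteBar] rundll32.exe advpack.dll,DelNodeRunDLL32 "C:\Program Files\YourSiteBar\ysb.dll"
O4 - Global Startup: dpkp.exe
"""

AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll (file missing)
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [gprocpa] c:\windows\system32\mrlyle.exe r
"""

# "R3 - ...", "F2 - ...", "O16 - ...": a section code, " - ", then the body.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# O4 bodies: "<location>: [<name>] <command>"; Global Startup lines have no [name].
O4_RE = re.compile(r"^(.*?): (?:\[([^\]]+)\] )?(.*)$")
MISSING = " (file missing)"


@dataclass(frozen=True)
class Entry:
    kind: str   # HJT section code, e.g. "F2", "O4"
    body: str   # everything after the "Xn - " prefix


def parse_hjt(text):
    """Return the HJT entries in a log; header and process lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def shell_hijack(entries):
    """Programs the system.ini Shell= line loads besides Explorer.exe.
    Assumption of this example: on a clean Windows XP box the value is exactly
    'Explorer.exe'; anything appended to it is started at every logon."""
    extras = []
    for e in entries:
        if e.kind != "F2":
            continue
        m = re.search(r"Shell=(.*)$", e.body)
        if not m:
            continue
        # posix=False keeps Windows backslashes and honours quoted paths.
        for token in shlex.split(m.group(1), posix=False):
            token = token.strip('"')
            if token.lower() != "explorer.exe":
                extras.append(token)
    return extras


def autoruns(entries):
    """Map each O4 autostart entry to its command: {(location, name): command}."""
    out = {}
    for e in entries:
        if e.kind != "O4":
            continue
        m = O4_RE.match(e.body)
        if m:
            out[(m.group(1), m.group(2) or "")] = m.group(3)
    return out


def diff_logs(before_text, after_text):
    """Compare two HJT logs from the same machine. 'file_missing' lists entries
    that survive only as a registry reference whose file is now gone."""
    before = set(parse_hjt(before_text))
    after = {}
    for e in parse_hjt(after_text):
        after[Entry(e.kind, e.body.replace(MISSING, ""))] = e.body.endswith(MISSING)
    key = lambda e: (e.kind, e.body)
    return {
        "removed": sorted((e for e in before if e not in after), key=key),
        "added": sorted((e for e in after if e not in before), key=key),
        "file_missing": sorted((e for e, gone in after.items() if gone and e in before), key=key),
    }


if __name__ == "__main__":
    print("Shell= extras before:", shell_hijack(parse_hjt(BEFORE_LOG)))
    for section, items in diff_logs(BEFORE_LOG, AFTER_LOG).items():
        print(section)
        for e in items:
            print("  ", e.kind, "-", e.body)
```

In the sample data the diff shows the pattern the thread itself illustrates: the F2 Shell= entry and the "[dvdqozf] nrsfqf.exe r" autorun are gone, a "[gprocpa] mrlyle.exe r" autorun with the same argument shape has appeared in its place, and the SurfSideKick and Bucket Class entries are now orphaned registry references that HijackThis can fix safely.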
Jason1971
08-03-2005, 07:11 AM
Thanks, classicsoftware. I have done as you've asked. This is kind of long, but I had to break this post up into 4 parts. Here are the logs:
1st HJT Log
Logfile of HijackThis v1.99.1
Scan saved at 4:57:19 AM, on 8/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
c:\windows\system32\mrlyle.exe
C:\WINDOWS\System32\aaraon.exe
C:\tools\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://email.ou.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll (file missing)
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\Adstartup.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [exp] C:\WINDOWS\System32\exp
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [AutoLoaderws4l1dMXZQXW] "C:\WINDOWS\System32\wexrxy.exe"
O4 - HKLM\..\Run: [wFnP3pR] wexrxy.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Nbburi.exe
O4 - HKLM\..\Run: [Okelgv] C:\Program Files\Lleakq\Ttupsp.exe
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\aaraon.exe reg_run
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitencc32.exe
O4 - HKLM\..\Run: [gprocpa] c:\windows\system32\mrlyle.exe r
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ho4FRfd3e] vfpcrap.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [qqik] C:\PROGRA~1\COMMON~1\qqik\qqikm.exe
O4 - HKCU\..\Run: [DellSupport] "C:\PROGRA~1\DELLSU~1\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/drakken/us/win/QuickTimeInstaller.exe
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1446/ftp.coupons.com/r3302/cpbrkpie.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewi
(PART 1 of 4)
Jason1971
08-03-2005, 07:14 AM
(PART 2 of 4)
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 4:55:09 AM, 8/3/2005
+ Report-Checksum: 74681085
+ Scan result:
HKLM\SOFTWARE\Classes\AppID\BookedSpace.DLL -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CLSID -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CurVer -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{B5AB638F-D76C-415B-A8F2-F3CEAC502212} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{05080E6B-A88A-4CFD-8C3D-9B2557670B6E} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BC333116-6EA1-40A1-9D07-ECB192DB8CEA} -> Spyware.AproposMedia : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{0DC5CD7C-F653-4417-AA43-D457BE3A9622} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\dealhelper -> Spyware.DealHelper : Cleaned with backup
HKLM\SOFTWARE\dealhelper\KeyWord -> Spyware.DealHelper : Cleaned with backup
HKLM\SOFTWARE\DelFin -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\DelFin\PromulGate -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0019C3E2-DD48-4A6D-ABCD-8D32436323D9} -> Spyware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DelFin Media Viewer -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaLoads Enhanced -> Spyware.Downloadware : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Surf SideKick -> Spyware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDH -> Spyware.DealHelper : Cleaned with backup
HKLM\SOFTWARE\PerfectNav -> Spyware.KeenValue : Cleaned with backup
HKLM\SOFTWARE\PerfectNav\BHO -> Spyware.KeenValue : Cleaned with backup
HKLM\SOFTWARE\PerfectNav\BHO\HomePage -> Spyware.KeenValue : Cleaned with backup
HKLM\SOFTWARE\PerfectNav\BHO\RedirectURLS -> Spyware.KeenValue : Cleaned with backup
HKU\S-1-5-21-448486026-2437969446-162025716-1006\Software\DelFin -> Spyware.Delfin : Cleaned with backup
HKU\S-1-5-21-448486026-2437969446-162025716-1006\Software\DelFin\PromulGate -> Spyware.Delfin : Cleaned with backup
HKU\S-1-5-21-448486026-2437969446-162025716-1006\Software\LQ -> Dialer.Generic : Cleaned with backup
HKU\S-1-5-21-448486026-2437969446-162025716-1006\Software\WinUpdt -> Spyware.SecondThought : Cleaned with backup
[1772] c:\windows\system32\cqpkumv.exe -> Adware.BetterInternet : Cleaned with backup
[1452] C:\WINDOWS\System32\donob.dll -> TrojanDownloader.Qoologic.n : Cleaned with backup
[912] C:\WINDOWS\System32\aaraon.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\Documents and Settings\Guest\Cookies\guest@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Lexi\Cookies\lexi@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Lexi\Cookies\lexi@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Lexi\Local Settings\Temp\180sainstaller.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Lexi\Local Settings\Temp\180sainstallersilsais1.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Lexi\Local Settings\Temp\8UQUQUSJ.dll -> Adware.SAHA : Cleaned with backup
C:\Documents and Settings\Lexi\Local Settings\Temp\Cookies\lexi@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Lexi\Local Settings\Temp\f251514759.exe -> TrojanDownloader.Qoologic.n : Cleaned with backup
C:\Documents and Settings\Lexi\Local Settings\Temp\installer_MARKETING49 -> TrojanDownloader.Adload.a : Cleaned with backup
C:\Documents and Settings\Lexi\Local Settings\Temp\LeisureBoxInst_ppi1.exe -> TrojanDownloader.VB.ft : Cleaned with backup
C:\Documents and Settings\Lexi\Local Settings\Temp\MediaAccessInstPack.exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Lexi\Local Settings\Temp\nstC.EXE -> Spyware.SmartPops : Cleaned with backup
C:\Documents and Settings\Lexi\Local Settings\Temp\optimize.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\Documents and Settings\Lexi\Local Settings\Temp\Patch221.exe -> TrojanDropper.Agent.r : Cleaned with backup
C:\Documents and Settings\Lexi\Local Settings\Temp\pcs_0006.exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\Lexi\Local Settings\Temp\pcs_0029.exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\Lexi\Local Settings\Temp\ptf_0002.exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\Lexi\Local Settings\Temp\ptf_0006.exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\Lexi\Local Settings\Temp\ptf_0009.exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\Lexi\Local Settings\Temp\ptf_0029.exe -> Spyware.Pacer : Cleaned with backup
C:\Documents and Settings\Lexi\Local Settings\Temp\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\Documents and Settings\Lexi\Local Settings\Temp\toc_0018.exe -> TrojanDownloader.Agent.jq : Cleaned with backup
C:\Documents and Settings\Lexi\Local Settings\Temp\ts_8_new.exe -> TrojanDownloader.TSUpdate.f : Cleaned with backup
C:\Documents and Settings\Lexi\Local Settings\Temporary Internet Files\Content.IE5\1QPFQF3C\AppWrap[1].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Lexi\Local Settings\Temporary Internet Files\Content.IE5\1QPFQF3C\AppWrap[2].exe -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Lexi\Local Settings\Temporary Internet Files\Content.IE5\1QPFQF3C\sfi2[1].dll -> Spyware.SearchIt : Cleaned with backup
C:\Program Files\BearShare\Installer\saveinstwm.exe/Save.exe -> Adware.SaveNow : Cleaned with backup
C:\Program Files\BearShare\Installer\saveinstwm.exe/SaveUninst.exe -> Adware.SaveNow : Cleaned with backup
C:\Program Files\BearShare\Installer\saveinstwm.exe/Weather.exe -> Adware.SaveNow : Cleaned with backup
C:\Program Files\BearShare\Installer\saveinstwm.exe/Uninst.exe -> Adware.SaveNow : Cleaned with backup
C:\Program Files\CasStub\casstub.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\Program Files\Common Files\qqik\qqika.exe -> TrojanDownloader.TSUpdate.l : Cleaned with backup
C:\Program Files\Common Files\qqik\qqikl.exe -> TrojanDownloader.TSUpdate.j : Cleaned with backup
C:\Program Files\Common Files\qqik\qqikp.exe -> Spyware.Xupiter :
Jason1971
08-03-2005, 07:30 AM
(Part 3 of 4)
C:\Program Files\Kazaa\TopSearch.dll -> Spyware.Altnet : Cleaned with backup
C:\Program Files\Lleakq\Ttupsp.exe -> Trojan.Small.cy : Cleaned with backup
C:\Program Files\MediaLoads\notify\notify.exe -> Spyware.ClipGenie : Cleaned with backup
C:\Program Files\MediaLoads\v1\ML.exe -> Spyware.DownloadWare : Cleaned with backup
C:\Program Files\PerfectNav\BHO\Tipb.exe -> TrojanDownloader.Keenval.e : Cleaned with backup
C:\Program Files\rdso\eetu.exe -> Spyware.Look2Me : Cleaned with backup
C:\Program Files\SurfSideKick 3\Ssk.exe -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskBho.dll -> Spyware.SurfSide : Cleaned with backup
C:\Program Files\SurfSideKick 3\SskCore.dll -> Spyware.SurfSide : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP229\A0073667.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP229\A0073668.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP229\A0073673.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP229\A0073674.dll -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP229\A0073675.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP229\A0074628.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP229\A0074629.exe -> Spyware.PurityScan : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP229\A0074630.exe -> Spyware.PurityScan : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP229\A0074639.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP229\A0074640.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP229\A0074641.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP229\A0074643.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP229\A0074645.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP229\A0074648.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP229\A0074649.dll -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP229\A0074650.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP229\A0075624.exe -> Spyware.PurityScan : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0075628.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076625.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076629.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076635.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076641.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076660.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076677.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076692.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076710.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076718.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076719.exe -> TrojanDownloader.Agent.jq : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076720.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076721.exe -> Adware.SaveNow : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076722.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076723.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076725.exe -> TrojanDownloader.TSUpdate.k : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076727.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076728.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076729.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076732.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076735.exe -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076736.dll -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076741.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076742.exe -> Trojan.Small.cy : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076745.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076746.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076749.exe -> Spyware.Downloadware : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076750.DLL -> Spyware.MediaPops : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076751.DLL -> Spyware.MediaPops : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076754.dll -> Adware.BrilliantDigital : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076756.dll -> Spyware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076759.dll -> Spyware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076760.dll -> Spyware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076762.exe -> Spyware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076763.exe -> Spyware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076764.exe -> Spyware.Altnet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076767.exe -> TrojanDownloader.Adload.a : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076768.exe -> TrojanDownloader.Dyfuca.dk : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076769.exe -> TrojanDownloader.IstBar.ij : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076770.dll -> Spyware.ImiBar : Cleaned with backup
Jason1971
08-03-2005, 07:31 AM
(PART 4 of 4)
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076771.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076773.exe -> Spyware.DealHelper : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076774.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076775.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076776.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076777.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076778.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076779.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076780.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076781.vxd -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076783.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076784.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076785.dll -> Spyware.ReSearch : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076786.exe -> Adware.eZula : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076789.exe -> Spyware.CashBack : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076790.exe -> Spyware.CashBack : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076791.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076793.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP230\A0076794.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP231\A0076798.exe -> Spyware.180Solutions : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP231\A0076806.exe -> TrojanDownloader.Keenal : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP231\A0076807.exe -> TrojanDownloader.Keenal : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP231\A0076808.exe -> TrojanDownloader.Keenval : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP231\A0076810.DLL -> Spyware.MyWay : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP231\A0076811.exe -> Spyware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP231\A0076812.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP231\A0076813.exe -> TrojanDownloader.Agent.hw : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP231\A0076814.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP231\A0076815.dll -> Spyware.DealHelper : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP231\A0076822.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP231\A0076837.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{11B4CBB0-31B0-483C-A4FE-D6E9E8C1A928}\RP231\A0076855.exe -> Adware.BetterInternet : Cleaned with backup
C:\temp\bundle_cdt1006.exe -> Adware.Saha : Cleaned with backup
C:\temp\Installer.exe -> Spyware.Look2Me : Cleaned with backup
C:\temporary\aun_0018.exe -> TrojanDownloader.Small.akz : Cleaned with backup
C:\WINDOWS\ABox.exe -> Spyware.AdBox : Cleaned with backup
C:\WINDOWS\cfgmgr52.dll -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\site.ocx -> TrojanDownloader.Agent.ex : Cleaned with backup
C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll -> Spyware.EliteBar : Cleaned with backup
C:\WINDOWS\logon.exe -> TrojanDownloader.VB.hg : Cleaned with backup
C:\WINDOWS\NDNuninstall5_64.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\pss\webdav.exeCommon Startup -> Backdoor.SpyBot.gen : Cleaned with backup
C:\WINDOWS\ru.exe -> Spyware.PurityScan : Cleaned with backup
C:\WINDOWS\sfita.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SSK3_B5.exe -> TrojanDropper.Small.qn : Cleaned with backup
C:\WINDOWS\SYSTEM\svrflgcui.exe -> TrojanDownloader.Small.ayh : Cleaned with backup
C:\WINDOWS\SYSTEM32\ADStartUp.exe -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\SYSTEM32\AUNPS2.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\ca2.dll -> Spyware.SearchIt : Cleaned with backup
C:\WINDOWS\SYSTEM32\Cache\Installer.exe -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\Cache\ven_d1.exe -> TrojanDownloader.IstBar : Cleaned with backup
C:\WINDOWS\SYSTEM32\CdmFiles\sottrnfoqq.dll -> Spyware.SmartPops : Cleaned with backup
C:\WINDOWS\SYSTEM32\CdmFiles\sottrnfoqq.exe -> Spyware.SmartPops : Cleaned with backup
C:\WINDOWS\SYSTEM32\conres.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\SYSTEM32\cqpkumv.exe -> Adware.BetterInternet : Cleaned with backup
C:\WINDOWS\SYSTEM32\datadx.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\SYSTEM32\dist001.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\WINDOWS\SYSTEM32\dovoice.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\dstmsft.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\eetu.exe -> Spyware.PurityScan : Cleaned with backup
C:\WINDOWS\SYSTEM32\elitemfu32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\elitencc32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\elitetrl32.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\ENENTCLS.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\exp -> TrojanDownloader.Small.abd : Cleaned with backup
C:\WINDOWS\SYSTEM32\GNKRSRC.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\installer_MARKETING49.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\SYSTEM32\LBNKINFO.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\LeisureBoxInst_ppi1a.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\SYSTEM32\lMprxy.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\mcjter35.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\mmxdoubleexe.exe.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\SYSTEM32\MRWMDMSP.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\Nbburi.exe -> Spyware.DealHelper : Cleaned with backup
C:\WINDOWS\SYSTEM32\nltman.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\nsb51.dll -> Spyware.HotSearchBar : Cleaned with backup
C:\WINDOWS\SYSTEM32\nymkcert.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\PMTSetup1.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\SYSTEM32\PSof1.exe -> Spyware.Pacer : Cleaned with backup
C:\WINDOWS\SYSTEM32\sfi2.dll -> Spyware.SearchIt : Cleaned with backup
C:\WINDOWS\SYSTEM32\SJRWVDRV.DLL -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\sqe.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\SSK3_B5 Seedcorn 4.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\SYSTEM32\supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\SYSTEM32\uci.exe -> TrojanDropper.Agent.hl : Cleaned with backup
C:\WINDOWS\SYSTEM32\vfpcrap.exe -> TrojanDownloader.Agent.ed : Cleaned with backup
C:\WINDOWS\SYSTEM32\Vnkslk.exe -> Trojan.Popmon.a : Cleaned with backup
C:\WINDOWS\SYSTEM32\VVSNInst.exe/VVSN.exe -> Adware.SaveNow : Cleaned with backup
C:\WINDOWS\tct101.dll -> TrojanDownloader.Dyfuca.eg : Cleaned with backup
C:\WINDOWS\Temp\!update.exe -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\Temp\b.com -> TrojanDropper.Agent.pb : Cleaned with backup
C:\WINDOWS\Temp\f1648620.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\WINDOWS\Temp\upd209.exe -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\ucmoreiex.exe/UCMTSAIE.DLL -> Spyware.UCmore : Cleaned with backup
C:\WINDOWS\ucmoreiex.exe/IUCMORE.DLL -> Spyware.UCmore : Cleaned with backup
::Report End
Thanks for the help....
classicsoftware
08-03-2005, 08:41 AM
Open Hijackthis, place a check next to the following and click fix checked:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/cus...://my.yahoo.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll (file missing)
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\WINDOWS\tct101.dll (file missing)
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [Adstartup] C:\WINDOWS\System32\Adstartup.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [exp] C:\WINDOWS\System32\exp
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [AutoLoaderws4l1dMXZQXW] "C:\WINDOWS\System32\wexrxy.exe"
O4 - HKLM\..\Run: [wFnP3pR] wexrxy.exe
O4 - HKLM\..\Run: [version] C:\WINDOWS\System32\Nbburi.exe
O4 - HKLM\..\Run: [Okelgv] C:\Program Files\Lleakq\Ttupsp.exe
O4 - HKLM\..\Run: [WinLogon] C:\WINDOWS\logon.exe
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\System32\aaraon.exe reg_run
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitencc32.exe
O4 - HKLM\..\Run: [gprocpa] c:\windows\system32\mrlyle.exe r
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [ho4FRfd3e] vfpcrap.exe
O4 - HKCU\..\Run: [sf] C:\Program Files\sf\sf.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\sf.exe"
O4 - HKCU\..\Run: [qqik] C:\PROGRA~1\COMMON~1\qqik\sf.exe.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/1...02/cpbrkpie.cab
Reboot and delete the following files:
C:\Program Files\SurfSideKick 3\SskBho.dll
C:\WINDOWS\tct101.dll
C:\Program Files\BearShare\BearShare.exe
C:\WINDOWS\System32\Adstartup.exe
C:\WINDOWS\System32\PSof1.exe
C:\PROGRA~1\VBouncer\VirtualBouncer.exe
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\System32\exp
AUNPS2.DLL (you may have to search for this one)
C:\WINDOWS\System32\wexrxy.exe
wexrxy.exe (you may have to search for this one)
C:\WINDOWS\System32\Nbburi.exe
C:\Program Files\Lleakq\Ttupsp.exe
C:\WINDOWS\logon.exe
C:\WINDOWS\System32\aaraon.exe reg_run
C:\Program Files\SurfSideKick 3\Ssk.exe
C:\windows\system32\elitencc32.exe
c:\windows\system32\mrlyle.exe
C:\Program Files\SpyKiller\spykiller.exe
vfpcrap.exe (you may have to search for this one)
C:\Program Files\sf\sf.exe
C:\Program Files\Cas\Client\sf.exe
C:\PROGRA~1\COMMON~1\qqik\sf.exe.exe
C:\Program Files\SurfSideKick 3\Ssk.exe
Re-post a new log and let us know how the system is running.
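The reply above sorts HijackThis entries into three cases: entries whose file is already gone (only the registry entry needs fixing), entries that name a bare file on the system PATH ("you may have to search for this one"), and entries with a full path that can be deleted after the reboot. The following added Python example (not code from this thread or from HijackThis) parses R3/O2/O4/O9 lines in the v1.99 format and applies that same triage; the sample lines are constructed from entries quoted in the thread, and the three status labels are this example's own.

```python
import re

# Constructed sample in the HijackThis 1.99 line format quoted in this thread.
SAMPLE_LOG = """\
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\\Program Files\\SurfSideKick 3\\SskBho.dll (file missing)
O2 - BHO: Bucket Class - {00000001-C003-4A2F-9142-7CB1D78DE6C1} - C:\\WINDOWS\\tct101.dll (file missing)
O4 - HKLM\\..\\Run: [cfgmgr52] RunDLL32.EXE C:\\WINDOWS\\cfgmgr52.dll,DllRun
O4 - HKLM\\..\\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\\..\\Run: [wFnP3pR] wexrxy.exe
O4 - HKLM\\..\\Run: [winsync] C:\\WINDOWS\\System32\\aaraon.exe reg_run
O4 - HKCU\\..\\Run: [CAS Client] "C:\\Program Files\\Cas\\Client\\sf.exe"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+", re.IGNORECASE)   # rundll32 host process
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")                               # absolute drive path
MISSING_RE = re.compile(r"\s*\((file missing|no file)\)$")

def command_target(cmd):
    """Return the file a Run-key command actually loads (DLL for rundll32 lines)."""
    cmd = RUNDLL_RE.sub("", cmd.strip())
    if cmd.startswith('"'):                       # quoted path may contain spaces
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0].split(",")[0]           # drop arguments and ",EntryPoint"

def classify(target, tail):
    """Triage the way the reply does: fix entry only, search for file, or delete by path."""
    if MISSING_RE.search(tail):
        return "file missing"                     # nothing on disk, just remove the entry
    if not DRIVE_RE.match(target):
        return "bare name (search required)"      # resolved via PATH, location unknown
    return "full path"

def parse_hjt(text):
    """Return (kind, label, target, status) for each R3/O2/O4/O9 line of an HJT log."""
    rows = []
    for line in text.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, name, cmd = m.groups()
            target = command_target(cmd)
            rows.append(("O4", f"{hive}:{name}", target, classify(target, cmd)))
            continue
        parts = line.split(" - ")
        if parts[0] in ("R3", "O2", "O9") and len(parts) > 2:
            tail = parts[-1]                      # last " - " segment is the file or "(no file)"
            target = MISSING_RE.sub("", tail)
            rows.append((parts[0], parts[1], target, classify(target, tail)))
    return rows

if __name__ == "__main__":
    for row in parse_hjt(SAMPLE_LOG):
        print(row)
```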
Jason1971
08-06-2005, 01:23 PM
Just wanted to let you know that I've fixed the problems..... A big thanks to you Classicsoftware :cool: . I've never used Ewido trojan scanner before but I was very impressed. Also what in the heck was Nailfix? The link you had was not working at that time, but I was able to find it somewhere else, but I was unable to see what it did or even what it was :confused: Anyway I had a good time working on this problem. Does that make me some type of weirdo :eek:
It simply blows me away how jacked-up a person's computer can get. Does anyone know of a good website, other than this one :) , where I can point friends, family, and co-workers so that they can know how to better safeguard themselves from future events such as these....
Many thanks,
Jason
PS. Classicsoftware Sorry to hear about Pinkston..
Budfred
08-06-2005, 02:09 PM
NailFix is basically a batch file that was developed by some malware fighters to deal with this specific infection... Every time the slimers put out a new infection, the malware fighters go to work trying to figure out how to stop it... Nail is now getting batched with at least 2 other infections, so it is getting to be even harder to kill it... One of those infections reinstalls Nail if you don't kill that infection in the first go...
There are a number of sites that will help to clean up computers when they are infected and most of the good ones work together... I work with about 6 of them at this point and have contact with most of the others... However, the best bet is to set up protections so that you are less likely to get infected in the first place... Here is my prevention speech to help with that... classicsoftware will probably add some thoughts as well....
This is a good time to set up protection against further attacks. Read the article linked below about "How did I get infected". You need an antivirus that is updated, a good firewall (a router firewall is not enough) and a spyware blocker like SpywareBlaster and also IE-Spyads. All of these have good free versions available... be very cautious about any security software that advertises in popups or other intrusive ways, they are not only usually useless, but also often have malware in them....
http://www.computercops.biz/postlite7736-.html
classicsoftware
08-06-2005, 03:36 PM
Here is my personal protection regimen:
1) Stay away from porn sites.
2) Use Firefox (http://www.mozilla.org/products/firefox/) as your web browser.
3) Use Thunderbird (http://www.mozilla.org/products/thunderbird/) as your e-mail client.
4) Use SpywareBlaster (http://www.javacoolsoftware.com/sbdownload.html) . Keep it updated.
5) Use a good Anti-virus program. I personally use Avast (http://www.avast.com/eng/down_home.html). You must keep it updated and scan regularly.
6) Use a software and hardware firewall. I personally use Sygate (http://www.sygate.com/firewall/).
7) DON'T open attachments in an e-mail unless you are expecting them.
8) Keep your temp files cleaned out. While it takes some effort to configure, I think Eraser (http://www.heidi.ie/eraser/download.php) works better than other programs.
9) Scan weekly with Adaware (http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10045910.html?part=dl-ad-aware&subj=dl&tag=top5) and Spybot (http://www.safer-networking.org/en/download/index.html) after you clean up from an infection for the first month and then monthly thereafter.
10) Keep your OS up to date. Run Windows update and apply all critical patches.
classicsoftware
08-06-2005, 03:39 PM
First, you should post a follow up log to make sure all of it is gone or it can come back with a vengeance.
Second once you are clean:
1) Delete all of your restore points.
2) Create a new restore point.
3) Backup your data.
4) Run Windows update and update your OS. Apply all patches.
classicsoftware
08-06-2005, 03:42 PM
PS. Classicsoftware Sorry to hear about Pinkston..
Greg Lewis will step up and do just fine.......