Trojan infection - hclean32.exe

  1. #1
    BeHunie (Junior Member)

    I am under a crunch here - my son's computer has a virus and I need to get it cleaned up by the end of this weekend so he can take it with him to school.

    Here is the problem: when I go into the internet, I receive the virus notification from Norton's antivirus that there is a trojan virus detected; the file listed is hclean32.exe. Norton's cannot clean or delete the file.

    Also receive the following error: 'WARNING: Windows firewall detected suspicious network activity on your computer. Malicious software codes try to steal your privacy information such as credit card numbers, electronic mail accounts, financial data and passwords. Do you want to learn how to protect your computer?' Clicking on the YES button takes you to a listing on the internet for anti-spyware, etc.

    Norton scan doesn't find anything. Lavasoft Adaware doesn't find anything. Spybot search and destroy doesn't find anything.

    Am running HijackThis and will add the log file when it is finished. Is there anything else I can run to clean this nasty virus off of my computer?

    Thank you in advance for your help.
    Amy


  2. #2
    BeHunie (Junior Member)
    HIJACKTHIS LOG 9-15-2005 6:50pm: (Hope this helps, and someone can help me soon)

    Logfile of HijackThis v1.97.7
    Scan saved at 6:55:16 PM, on 9/15/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\carpserv.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\System32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
    C:\Support\HijackThis Spyware removal tool\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.globalcomputer.com/
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [Crao] C:\Documents and Settings\Chris\Application Data\usai.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...S_ZCxdm480YYUS
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.globalcomputer.com
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...p1.0.0.8-2.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://citrix.co.outagamie.wi.us/Ci...a32/wficat.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093655804381
    O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
    O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactive Training\O10C\mitm0026.cab
    O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...8212.692974537
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...mmapi_0727.dll
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/p...ed/install.cab
    O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (Triplet Control) - http://mirror.worldwinner.com/games/...et/triplet.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_4us.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {DE910060-8EFB-44B9-B492-75180696643F} (iiittt Class) - http://www.hotsearchbar.com/toolbar30/hsrb.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://play03.pogo.com/game/deluxe/z...ploader_v5.cab
    O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/...er/MotUtil.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...42/mcfscan.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yaho...bio5_1_1_0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{518C108B-C4C6-446C-B26C-9A55BB0A871D}: NameServer = 195.95.218.36,85.255.112.15
    O17 - HKLM\System\CCS\Services\Tcpip\..\{687CE6CD-B97E-45E1-98D7-B408072F5325}: NameServer = 195.95.218.36,85.255.112.15

  3. #3
    Neal (Dedicated Member)
    Hi and welcome,

    Let's see if we can get this computer ready for school.

    Make sure you can see hidden files/folders
    In Windows XP
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.
    After you're cleaned, please "rehide" them again.


    Please download, install, update and scan your system with the free version of Ewido trojan scanner: www.ewido.net/en/download/

    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".

    2. When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.

    3. From the main ewido screen, click on UPDATE in the left menu, then click the Start update button.

    4. After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on the Start button. This scan can take quite a while to run.


    5. If ewido finds anything, it will pop up a notification. You can select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.


    6. When the scan finishes, click on "Save Report". This will create a text file. Please then paste the contents of the text file to this thread, along with a new HijackThis log.


    Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal.


    Restart your computer in normal mode and please post a new HijackThis log, as well as the log from the Ewido scan.

    Are you sure that was the complete log?
    Appears to be short for an XP system.
    Last edited by Neal; 16-09-2005 at 02:31 AM.

  4. #4
    BeHunie (Junior Member)
    Neal - thanks for your quick response. I have been running windows updates all evening since I originally posted so that is why it took me so long to get back to this.

    I saved the HJT log and then copied and pasted it into the thread. I am not sure why it was so short. But you are correct, I am running on WinXP and there is a lot of stuff installed on this computer.

    I am running the ewido right now and it looks like it will run all night. I will post tomorrow afternoon (morning if possible before going to work) the results.

    Thank you again for your help.

  5. #5
    BeHunie (Junior Member)
    Neal,

    The following are all the steps I took since your last post. After my description are the Ewido and HijackThis log files, both initially run in normal mode, and then the log files after starting in diagnostic mode.

    Steps taken:
    • Ran Ewido Security Suite - found 37 infected files - removed them all.
    • Ran HijackThis
    • Restarted computer in Diagnostic Mode
    • Before starting anything received a Norton message - infected file EUAA.DLL but could not repair or delete - access denied.
    • Ran Ewido Security Suite - found 1 infected file (euaa.dll) - removed it.
    • Ran HijackThis
    • Rebooted in normal mode
    • At startup - AOL Instant Messenger and AIM Today start up.
    • Received Norton Antivirus messages: "Detected a virus on your computer. C:\Windows\system32\hclean32.exe. Virus Name: Trojan Horse . Unable to repair this file." Then Norton Antivirus message: "Could not delete the file - access denied". This set of messages appeared 4 times each before going away.
    • Windows Pop-Up balloon on system tray: "Your virus protection status is bad. Spyware activity detected. Click balloon to fix the problem"

  6. #6
    BeHunie (Junior Member)
    EWIDO LOG - Normal mode first
    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 6:14:58 AM, 9/16/2005
    + Report-Checksum: 7BAE19BF

    + Scan result:

    HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
    HKLM\SOFTWARE\Classes\CLSID\{7C559105-9ECF-42b8-B3F7-832E75EDD959} -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{0F2A4ADC-DABF-4980-8DB4-19F67D7B1F95} -> Spyware.ClearSearch : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{4A0F42B7-A61B-4131-BF41-BF05A2635BFD} -> Spyware.CometCursor : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{9DBDD71C-0A7F-48AC-9FFA-E102B3750B9D} -> Spyware.CometCursor : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5} -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{C2E56E18-2F04-4AB9-9333-B2DB3C350956} -> Spyware.CometCursor : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{E9CBBEED-20B6-456C-8589-CF364D9D2370} -> Spyware.CometCursor : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0} -> Dialer.Generic : Cleaned with backup
    HKLM\SOFTWARE\Classes\Interface\{F8C5EA77-7D72-405C-B90A-093655B0F544} -> Spyware.CometCursor : Cleaned with backup
    HKLM\SOFTWARE\Classes\ISTx.Installer -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\ISTx.Installer\CLSID -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1C78AB3F-A857-482E-80C0-3A1E5238A565} -> Spyware.iSearch : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5FA6752A-C4A0-4222-88C2-928AE5AB4966} -> Spyware.Adlogix : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/ISTactivex.dll -> Spyware.ISTBar : Cleaned with backup
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
    HKLM\SYSTEM\CurrentControlSet\Services\ZESOFT -> Spyware.NaviSearch : Cleaned with backup
    HKLM\SYSTEM\CurrentControlSet\Services\ZESOFT\Security -> Spyware.NaviSearch : Cleaned with backup
    HKLM\SYSTEM\CurrentControlSet\Services\ZESOFT\Enum -> Spyware.NaviSearch : Cleaned with backup
    HKU\S-1-5-21-3657561249-2035789119-2382750585-1005\Software\Microsoft\Internet Explorer\Explorer Bars\{90C61707-C8F8-43DB-A25C-C1F4B18EE41E} -> Spyware.CometCursor : Cleaned with backup
    HKU\S-1-5-21-3657561249-2035789119-2382750585-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5FA6752A-C4A0-4222-88C2-928AE5AB4966} -> Spyware.Adlogix : Cleaned with backup
    HKU\S-1-5-21-3657561249-2035789119-2382750585-1011\Software\2nd -> Spyware.SecondThought : Cleaned with backup
    HKU\S-1-5-21-3657561249-2035789119-2382750585-1011\Software\2nd\Client -> Spyware.SecondThought : Cleaned with backup
    HKU\S-1-5-21-3657561249-2035789119-2382750585-1011\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5FA6752A-C4A0-4222-88C2-928AE5AB4966} -> Spyware.Adlogix : Cleaned with backup
    HKU\S-1-5-21-3657561249-2035789119-2382750585-1011\Software\WareOut -> TrojanDownloader.Wareout : Cleaned with backup
    HKU\S-1-5-21-3657561249-2035789119-2382750585-1011\Software\WareOut\Options -> TrojanDownloader.Wareout : Cleaned with backup
    C:\WINDOWS\system32\hsrb.dll -> Spyware.HotBar : Cleaned with backup
    C:\WINDOWS\system32\ielg.dll -> TrojanDownloader.Agent.bc : Cleaned with backup
    C:\WINDOWS\system32\rzzph.dll -> Spyware.SBSoft : Cleaned with backup
    C:\WINDOWS\system32\gpsresl32.exe -> TrojanDownloader.Agent.sy : Cleaned with backup
    C:\WINDOWS\system32\сhkdsk.exe -> Spyware.PurityScan : Cleaned with backup
    C:\WINDOWS\system32\popcorn72.exe -> TrojanDownloader.Agent.sy : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.RiskWare.Downloader.PopCap.a : Cleaned with backup
    C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
    C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.2.0.007\npwthost.dll -> Spyware.WildTangent : Cleaned with backup
    C:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.2.0.007\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
    C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
    C:\WINDOWS\aconti.exe -> Dialer.Generic : Cleaned with backup
    C:\Documents and Settings\Amy\Cookies\amy@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Amy\Cookies\amy@ehg-rr.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Amy\Cookies\amy@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Amy\Cookies\amy@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
    C:\Documents and Settings\Jeff\Guest\Local Settings\Temporary Internet Files\Content.IE5\DCWXD089\CAD9LVU2.aspx -> Spyware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\Jeff\Guest\Local Settings\Temporary Internet Files\Content.IE5\OFAKYJ0L\CAVNTT1T.aspx -> Spyware.BookedSpace : Cleaned with backup
    C:\Documents and Settings\Chris\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
    C:\Documents and Settings\Chris\Cookies\chris@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
    C:\Documents and Settings\Chris\Cookies\chris@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
    C:\Documents and Settings\Chris\Cookies\chris@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
    C:\Documents and Settings\Chris\Cookies\chris@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
    C:\Documents and Settings\Chris\Cookies\chris@servedby.advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Documents and Settings\Chris\Cookies\chris@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
    C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug : Cleaned with backup
    C:\Program Files\Lycos\IEagent\FNuninstaller.EXE -> Spyware.ClearSearch : Cleaned with backup
    C:\Program Files\Lycos\IEagent\A_ClearSearch.DLL -> Spyware.ClearSearch : Cleaned with backup
    C:\Program Files\Lycos\IEagent\csAOLldr.exe -> Spyware.ClearSearch : Cleaned with backup


    ::Report End
    -------------------------------------------------------------------------

    HijackThis - normal mode

    Logfile of HijackThis v1.97.7
    Scan saved at 6:55:16 PM, on 9/15/2005
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton Internet Security\NISUM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wdfmgr.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\Program Files\Norton Internet Security\NISSERV.EXE
    C:\Program Files\Norton Internet Security\SymProxySvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\carpserv.exe
    C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
    C:\PROGRA~1\NORTON~1\navapw32.exe
    C:\Program Files\Norton Internet Security\IAMAPP.EXE
    C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\WINDOWS\System32\LVCOMSX.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
    C:\Support\HijackThis Spyware removal tool\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.globalcomputer.com/
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O2 - BHO: (no name) - {5FA6752A-C4A0-4222-88C2-928AE5AB4966} - (no file)
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb12.exe
    O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
    O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
    O4 - HKLM\..\Run: [iamapp] C:\Program Files\Norton Internet Security\IAMAPP.EXE
    O4 - HKLM\..\Run: [VTPreset] VTPreset.exe
    O4 - HKLM\..\Run: [WinPatrol] "C:\PROGRA~1\BILLPS~1\WINPAT~1\WinPatrol.exe"
    O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [Crao] C:\Documents and Settings\Chris\Application Data\usai.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\KODAK\Kodak EasyShare software\bin\EasyShare.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...S_ZCxdm480YYUS
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.globalcomputer.com
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
    O16 - DPF: {1C78AB3F-A857-482E-80C0-3A1E5238A565} - file://C:\install.cab
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...p1.0.0.8-2.cab
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://citrix.co.outagamie.wi.us/Ci...a32/wficat.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1093655804381
    O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
    O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactive Training\O10C\mitm0026.cab
    O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...8212.692974537
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...mmapi_0727.dll
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/p...ed/install.cab
    O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (Triplet Control) - http://mirror.worldwinner.com/games/...et/triplet.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_4us.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {DE910060-8EFB-44B9-B492-75180696643F} (iiittt Class) - http://www.hotsearchbar.com/toolbar30/hsrb.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://play03.pogo.com/game/deluxe/z...ploader_v5.cab
    O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/...er/MotUtil.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...42/mcfscan.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yaho...bio5_1_1_0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{518C108B-C4C6-446C-B26C-9A55BB0A871D}: NameServer = 195.95.218.36,85.255.112.15
    O17 - HKLM\System\CCS\Services\Tcpip\..\{687CE6CD-B97E-45E1-98D7-B408072F5325}: NameServer = 195.95.218.36,85.255.112.15

  7. #7
    BeHunie (Junior Member)
    EWIDO Log - in Diagnostic mode

    ---------------------------------------------------------
    ewido security suite - Scan report
    ---------------------------------------------------------

    + Created on: 7:32:57 PM, 9/16/2005
    + Report-Checksum: 2359E0CE

    + Scan result:

    C:\WINDOWS\system32\euaa.dll -> TrojanDownloader.Small.azk : Cleaned with backup


    ::Report End

    --------------------------------------------------------------------------

    HijackThis Log - in diagnostic mode

    Logfile of HijackThis v1.97.7
    Scan saved at 7:34:04 PM, on 9/16/2005
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Logitech\Video\FxSvr2.exe
    C:\WINDOWS\System32\LVComsX.exe
    C:\Support\HijackThis Spyware removal tool\HijackThis.exe
    C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,Shellnext = http://www.globalcomputer.com/
    O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...S_ZCxdm480YYUS
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
    O9 - Extra button: AIM (HKLM)
    O9 - Extra button: Real.com (HKLM)
    O9 - Extra button: Messenger (HKLM)
    O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
    O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .tiff: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.globalcomputer.com
    O16 - DPF: {02BCC737-B171-4746-94C9-0D8A0B2C0089} (Microsoft Office Template and Media Control) - http://office.microsoft.com/templates/ieawsdc.cab
    O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
    O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
    O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - https://citrix.co.outagamie.wi.us/Ci...a32/wficat.cab
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://download.yahoo.com/dl/installs/yinst0401.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1126834989626
    O16 - DPF: {6BB594E2-6E4D-4CC9-98B0-931C323F9165} (DepHlp Control) - http://mirror.worldwinner.com/games/shared/dephlp.cab
    O16 - DPF: {6F74F92E-8DD8-4DDE-8FB8-CBB882A68048} (Microsoft Office XP Professional Step by Step Interactive) - file://C:\Program Files\Microsoft Interactive Training\O10C\mitm0026.cab
    O16 - DPF: {7CF052DE-C74F-421B-B04A-3B3037EF5887} (CCMPGui Class) - http://64.124.45.181/chaincast/proxy/CCMP.cab
    O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...8212.692974537
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...mmapi_0727.dll
    O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} (WTHoster Class) - http://install.wildtangent.com/bgn/p...ed/install.cab
    O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (Triplet Control) - http://mirror.worldwinner.com/games/...et/triplet.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O16 - DPF: {BAC01377-73DD-4796-854D-2A8997E3D68A} (Yahoo! Photos Easy Upload Tool Class) - http://us.dl1.yimg.com/download.yaho...opper1_4us.cab
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
    O16 - DPF: {DE910060-8EFB-44B9-B492-75180696643F} (iiittt Class) - http://www.hotsearchbar.com/toolbar30/hsrb.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://play03.pogo.com/game/deluxe/z...ploader_v5.cab
    O16 - DPF: {E93A6FCA-C052-45DF-AC9B-B729066092F8} (Util Class) - https://isupport4.hp.com/motivedocs/...er/MotUtil.cab
    O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/is...42/mcfscan.cab
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Companion) - http://us.dl1.yimg.com/download.yaho...bio5_1_1_0.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{518C108B-C4C6-446C-B26C-9A55BB0A871D}: NameServer = 195.95.218.36,85.255.112.15
    O17 - HKLM\System\CCS\Services\Tcpip\..\{687CE6CD-B97E-45E1-98D7-B408072F5325}: NameServer = 195.95.218.36,85.255.112.15


  8. #8
    Neal is offline Dedicated Member
    I just noticed, and should have sooner (my fault), that your version of HJT is out of date, so:


    Download the new version of hijackthis here:
    http://www.thatcomputerguy.us/downloads-cat4.html
    or here:
    http://majorgeeks.com/download3155.html

    Create a folder HJT such as C:\HJT or C:\Program Files\HJT. Copy or drag-and-drop the HijackThis program to the newly created folder. Then make or alter the shortcut to the HJT program.

    Notepad will open up and results of scan will be there, copy and paste that into your next reply. Thanks.

    Before you post the new HJT, please do these scans; both scanners will make logs of what is found, if anything, so post those logs here for me with the new version of HJT.

    Internet Explorer required
    Run these two online virus scanners (Panda Activescan) following these instructions below:
    http://www.pandasoftware.com/product..._principal.htm


    Internet Explorer required
    Also this excellent (BitDefender) scanner: http://www.bitdefender.com/scan8/ie.html

    These scans will take more than an hour to complete, so make sure you have time to let them run through. Save the Panda scan log and the BitDefender log and post them back here please with a new HijackThis log.

    Thanks.

    Make sure you can see hidden files/folders
    In Windows XP
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.
    After you're cleaned, please "rehide" them again.

    Also do a search on your computer for the full path of hclean32.exe and post it back here please.

  9. #9
    BeHunie is offline Junior Member
    Okay - ran the ActiveScan by Panda and the BitDefender programs, here are the logs:

    ActiveScan Log:

    Incident Status Location
    Virus:Trj/Downloader.OA Disinfected C:\WINDOWS\system32\O

    Virus:Trj/Downloader.OA Disinfected C:\WINDOWS\system32\O.BAT

    Adware:Adware/Twain-Tech No disinfected C:\WINDOWS\inf\twaintec.inf

    Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf

    Adware:adware/comet No disinfected C:\WINDOWS\inf\dm.inf

    Adware:Adware/ISearch No disinfected C:\WINDOWS\Downloaded Program Files\initial.inf

    Adware:Adware Program No disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf

    Adware:Adware/MyDailyHoroscope No disinfected C:\WINDOWS\bundles\setup_silent_14725.exe

    Adware:adware/ipinsight No disinfected C:\WINDOWS\alchem.ini

    Adware:adware/sbsoft No disinfected C:\WINDOWS\rdt.ini

    Adware:adware/cws No disinfected C:\Documents and Settings\All Users\Favorites\AdultGambling.url

    Adware:adware/tvmedia No disinfected C:\Documents and Settings\Chris\Application Data\tvmcwrd.dll

    Spyware:spyware/wareout No disinfected C:\Documents and Settings\Chris\Application Data\wo.tmp

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\bg.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\c.class

    Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\ce.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\q.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\bi.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\bl.class

    Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\bo.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\i.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\r.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\bt.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\b.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\d.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\f.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\l.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\s.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\a.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\m.class

    Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\n.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\j.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\p.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\w.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\x.class

    Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\y.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\bu.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\ba.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\bb.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\bz.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\bd.class

    Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\be.class

    Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\bf.class

    Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\bh.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\cb.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\bj.class

    Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\bk.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\cf.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\bm.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\bn.class

    Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\bp.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\bq.class

    Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\br.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\bc.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\bs.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\ch.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\bv.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\bw.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\bx.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\t.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\by.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\ca.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\cj.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\cc.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\cd.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\cl.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\cg.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\cn.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\ci.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\Main.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\cu.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\ck.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\cv.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\cm.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\cx.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\co.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\cs.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\cp.class

    Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\cq.class

    Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\cr.class

    Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\ct.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\da.class

    Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\cz.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\db.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\dc.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\dd.class

    Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\de.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\u.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\dv.class

    Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\df.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\di.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\h.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\dw.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\dl.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\dx.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\dm.class

    Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\dn.class

    Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\dp.class

    Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\dy.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\dr.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\ds.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\dt.class

    Adware:Adware/MoeMoney No disinfected C:\Program Files\LimeShop\System\Code\dz.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\du.class

    Adware:Adware/TopMoxie No disinfected C:\Program Files\LimeShop\System\Code\ed.class

    Spyware:Spyware/ClearSearch No disinfected C:\Program Files\Lycos\IEagent\CSIEINST.DLL

    Spyware:Spyware/ClearSearch No disinfected C:\Program Files\Lycos\IEagent\CSAOLINST.DLL

    Virus:Exploit/CodeBase.A Disinfected C:\install.htm

  10. #10
    BeHunie is offline Junior Member
    BitDefender Scan Log

    BitDefender Online Scanner

    Scan report generated at: Sat, Sep 17, 2005 - 05:18:57

    Scan path: A:\;C:\;D:\;E:\;F:\;G:\;H:\;I:\;J:\;K:\;

    Statistics Time 00:35:29
    Files 212493
    Folders 6298
    Boot Sectors 5
    Archives 1241
    Packed Files 36563

    Results Identified Viruses 4
    Infected Files 4
    Suspect Files 0
    Warnings 0
    Disinfected 0
    Deleted Files 6

    Engines Info Virus Definitions 208283
    Engine build AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
    Scan plugins 13
    Archive plugins 39
    Unpack plugins 4
    E-mail plugins 6
    System plugins 1

    Scan Settings
    First Action.........Disinfect
    Second Action......Delete
    Heuristics............Yes
    Enable Warnings...Yes
    Scanned Extensions ...... exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;

    Exclude Extensions
    Scan Emails.........Yes
    Scan Archives......Yes
    Scan Packed........Yes
    Scan Files............Yes
    Scan Boot............Yes

    Scanned File
    Status

    C:\Documents and Settings\Chris\Application Data\tizupd.bin=>(NSIS o)=>zlib_nsis0002
    Infected with: Trojan.Purityad.P

    C:\Documents and Settings\Chris\Application Data\tizupd.bin=>(NSIS o)=>zlib_nsis0002
    Disinfection failed

    C:\Documents and Settings\Chris\Application Data\tizupd.bin=>(NSIS o)=>zlib_nsis0002
    Deleted

    C:\Documents and Settings\Chris\Application Data\tizupd.bin=>(NSIS o)
    Update failed

    C:\Program Files\Norton AntiVirus\Quarantine\6C8B7CE5.exe=>(Quarantine-1)
    Infected with: Trojan.SecondThought.AA

    C:\Program Files\Norton AntiVirus\Quarantine\6C8B7CE5.exe=>(Quarantine-1)
    Disinfection failed

    C:\Program Files\Norton AntiVirus\Quarantine\6C8B7CE5.exe=>(Quarantine-1)
    Deleted

    C:\Program Files\Norton AntiVirus\Quarantine\314A70A0.exe=>(Quarantine-1)
    Infected with: Trojan.Crypt.D

    C:\Program Files\Norton AntiVirus\Quarantine\314A70A0.exe=>(Quarantine-1)
    Disinfection failed

    C:\Program Files\Norton AntiVirus\Quarantine\314A70A0.exe=>(Quarantine-1)
    Deleted

    C:\Support\AOL Instant Messanger AIM\version 5.5\Install_AIM.exe=>wise0038=>wise0008
    Detected with: Adware.Wheaterbug.A

    C:\Support\AOL Instant Messanger AIM\version 5.5\Install_AIM.exe=>wise0038=>wise0008
    Disinfection failed

    C:\Support\AOL Instant Messanger AIM\version 5.5\Install_AIM.exe=>wise0038=>wise0008
    Deleted

    C:\Support\AOL Instant Messanger AIM\version 5.5\Install_AIM.exe=>wise0038
    Update failed
