Problems with browser trojan (RESOLVED)

  1. #1
    bawheed (Newbie)


    Hi, can anyone help me with this trojan I have? It keeps directing me all over the place in Internet Explorer. The trojan is TR/Dldr.Agent.UJ.65. I have tried searching for a removal tool but nothing works, and when I do a search on Google it doesn't find it.
    I have posted my HijackThis log if that helps.
    Thanks
    Logfile of HijackThis v1.99.1
    Scan saved at 19:37:22, on 23/03/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Trend Micro\Tmas\Tmas.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\jimbo\Desktop\New Folder (2)\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R3 - URLSearchHook: (no name) - {32660B7B-01DD-608A-ED1C-7EE235BB3C0A} - mozilla-text.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: (no name) - {79CCE223-78EE-5E3C-986F-5FA7194FC4B0} - C:\WINDOWS\system32\kybdtvk.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\RunServices: [Windows Registers] Svchosts.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7CD26799-77CF-4219-AFF6-66FE8A1DDA76}: NameServer = 85.255.115.27,85.255.112.120
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DA957213-0F41-47D4-BE31-B28BB50EBA27}: NameServer = 85.255.115.27,85.255.112.120
    O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


  2. #2
    Neal (Dedicated Member)
    Welcome to DAL,


    Is the following your internet provider?
    They show up as O17s in your HijackThis log. Don't do anything with them; just let me know, please.

    85.255.112.0 - 85.255.127.255
    inhoster
    Inhoster hosting company
    OOO Inhoster, Poltavskij Shliax 24, Kharkiv, 61000, Ukraine

    Andrei Kislizin
    address: OOO Inhoster,
    address: ul.Antonova 5, Kiev,
    address: 03186, Ukraine
    phone: +38 044 2404332
    nic-hdl: AK4026-RIPE
    notify: *******@inhoster.com
    notify: *******@ydav.com
    *******@ydav.com 20050725


    Please download, install, and update the NEW free version of Ewido trojan scanner:
    * When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    * When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    * From the main ewido screen, click on update in the left menu, then click the Start update button.
    * After the update finishes (the status bar at the bottom will display "Update successful").
    * Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
    * If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
    * When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.

    Post the log Ewido makes back here please.
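
The check the reply above does by eye, as an added example (not code from HijackThis, ewido or anyone in this thread): pull every NameServer value out of the O17 lines of a HijackThis log and flag the ones that fall inside the 85.255.112.0 - 85.255.127.255 range quoted above. The sample input reuses the two O17 lines from the log in post #1; the third adapter key and its 192.0.2.53 server are constructed to show an unflagged entry, and accepting space-separated as well as comma-separated server lists is an assumption about other HijackThis builds.

```python
"""Triage the O17 (TCP/IP NameServer) entries in a HijackThis log.

Added example for this thread, not code from HijackThis, ewido or any poster.
Given the text of a log, it lists every DNS server configured per adapter key
and flags those inside a range the user did not recognise as their ISP's.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# The range quoted in the reply above (85.255.112.0 - 85.255.127.255),
# converted to the network(s) that cover it exactly.
UNRECOGNISED_RANGE: List[ipaddress.IPv4Network] = list(
    ipaddress.summarize_address_range(
        ipaddress.ip_address("85.255.112.0"),
        ipaddress.ip_address("85.255.127.255"),
    )
)

# Constructed sample input: the two O17 lines from the log in post #1, an
# unrelated R0 line (to show non-O17 lines are ignored), and an invented third
# adapter key pointing at a documentation address (192.0.2.53, TEST-NET-1) so
# the unflagged case is visible too.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O17 - HKLM\System\CCS\Services\Tcpip\..\{7CD26799-77CF-4219-AFF6-66FE8A1DDA76}: NameServer = 85.255.115.27,85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\..\{DA957213-0F41-47D4-BE31-B28BB50EBA27}: NameServer = 85.255.115.27,85.255.112.120
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.0.2.53
"""

O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+?)\s*$")


def parse_o17(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (registry key, [server, ...]) for each O17 line.

    HijackThis separates several servers with commas; assuming some builds use
    spaces, both are accepted. Tokens that are not valid IP addresses are
    dropped rather than guessed at.
    """
    entries: List[Tuple[str, List[str]]] = []
    for line in log_text.splitlines():
        match = O17_RE.match(line.strip())
        if not match:
            continue
        servers: List[str] = []
        for token in re.split(r"[,\s]+", match.group("servers")):
            try:
                servers.append(str(ipaddress.ip_address(token)))
            except ValueError:
                continue  # e.g. an empty token left by a trailing comma
        entries.append((match.group("key"), servers))
    return entries


def flag_nameservers(
    log_text: str, ranges: Optional[List[ipaddress.IPv4Network]] = None
) -> List[Dict[str, object]]:
    """One finding per (adapter key, server) pair, with the matching network if any."""
    ranges = UNRECOGNISED_RANGE if ranges is None else ranges
    findings: List[Dict[str, object]] = []
    for key, servers in parse_o17(log_text):
        for server in servers:
            addr = ipaddress.ip_address(server)
            hit = next((str(net) for net in ranges if addr in net), None)
            findings.append(
                {"key": key, "server": server, "flagged": hit is not None, "network": hit}
            )
    return findings


def summarize(
    log_text: str, ranges: Optional[List[ipaddress.IPv4Network]] = None
) -> Dict[str, object]:
    """Distinct flagged servers and how many adapter keys point at them."""
    findings = flag_nameservers(log_text, ranges)
    flagged = [f for f in findings if f["flagged"]]
    return {
        "servers": sorted({str(f["server"]) for f in flagged}),
        "adapters": len({str(f["key"]) for f in flagged}),
        "total_entries": len(findings),
    }


if __name__ == "__main__":
    for finding in flag_nameservers(SAMPLE_LOG):
        mark = "FLAGGED" if finding["flagged"] else "ok     "
        print(f'{mark} {finding["server"]:<16} {finding["key"]}')
    print(summarize(SAMPLE_LOG))
```

Run against the sample, both real adapter keys are flagged on both of their servers and the constructed 192.0.2.53 entry is not; the same two servers appearing under two different adapter GUIDs is what you would expect when the DNS setting was changed system-wide rather than by one adapter's DHCP lease, which is why the reply asks whether the range belongs to the user's ISP before touching anything.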

  3. #3
    bawheed (Newbie)
    Hi, I don't recognise the service providers that are in the log; my service provider is Telewest.
    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 22:50:37, 23/03/2006
    + Report-Checksum: AB545188

    + Scan result:

    [536] VM_00D70000 -> Downloader.Agent.uj : Error during cleaning
    [560] VM_00A20000 -> Downloader.Agent.uj : Error during cleaning
    [604] VM_00760000 -> Downloader.Agent.uj : Error during cleaning
    [616] VM_00050000 -> Downloader.Agent.uj : Error during cleaning
    [812] VM_00730000 -> Downloader.Agent.uj : Error during cleaning
    [860] VM_00730000 -> Downloader.Agent.uj : Error during cleaning
    [924] VM_007C0000 -> Downloader.Agent.uj : Error during cleaning
    [984] VM_00630000 -> Downloader.Agent.uj : Error during cleaning
    [1096] VM_008F0000 -> Downloader.Agent.uj : Error during cleaning
    [1256] VM_017D0000 -> Downloader.Agent.uj : Error during cleaning
    [1292] VM_00BB0000 -> Downloader.Agent.uj : Error during cleaning
    [1300] VM_00EA0000 -> Downloader.Agent.uj : Error during cleaning
    [1436] VM_00D30000 -> Downloader.Agent.uj : Error during cleaning
    [1448] VM_003E0000 -> Downloader.Agent.uj : Error during cleaning
    [1720] VM_009D0000 -> Downloader.Agent.uj : Error during cleaning
    [1800] VM_00CF0000 -> Downloader.Agent.uj : Error during cleaning
    [1828] VM_00720000 -> Downloader.Agent.uj : Error during cleaning
    [1920] VM_00680000 -> Downloader.Agent.uj : Error during cleaning
    [1980] VM_00610000 -> Downloader.Agent.uj : Error during cleaning
    [2024] VM_01B80000 -> Downloader.Agent.uj : Error during cleaning
    [360] VM_003C0000 -> Downloader.Agent.uj : Error during cleaning
    [380] VM_009B0000 -> Downloader.Agent.uj : Error during cleaning
    [396] VM_003E0000 -> Downloader.Agent.uj : Error during cleaning
    [404] VM_00860000 -> Downloader.Agent.uj : Error during cleaning
    [736] VM_003D0000 -> Downloader.Agent.uj : Error during cleaning
    [2212] VM_00850000 -> Downloader.Agent.uj : Error during cleaning
    [2440] VM_006B0000 -> Downloader.Agent.uj : Error during cleaning
    [3908] VM_00A00000 -> Trojan.Pakes : Error during cleaning
    [704] VM_00970000 -> Downloader.Agent.uj : Error during cleaning
    C:\Documents and Settings\jimbo\Cookies\jimbo@e-2dj6wjlyckdjedq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\jimbo\Cookies\jimbo@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
    C:\Documents and Settings\jimbo\Cookies\jimbo@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup
    C:\Documents and Settings\jimbo\Cookies\jimbo@yadro[2].txt -> TrackingCookie.Yadro : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP227\A0126802.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP227\A0126814.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP227\A0126823.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP227\A0126836.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP228\A0126867.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP228\A0126877.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP229\A0126895.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP229\A0126906.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP230\A0126919.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP230\A0126932.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP232\A0126984.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP232\A0127982.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP232\A0127997.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP232\A0128010.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP232\A0128019.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP233\A0128032.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP233\A0129045.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP234\A0129055.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP234\A0129068.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP235\A0129086.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP235\A0130084.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP235\A0130097.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP236\A0130102.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP236\A0130508.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP236\A0130518.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP236\A0130527.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP236\A0130543.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP237\A0130556.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP238\A0130581.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP239\A0130594.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP240\A0130638.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP240\A0130657.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP242\A0130669.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP242\A0130679.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP242\A0130693.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP243\A0130698.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP243\A0130862.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP243\A0130964.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP243\A0130983.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP243\A0131011.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP244\A0131029.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP244\A0131040.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP244\A0131051.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP245\A0131070.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP245\A0131078.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP245\A0131092.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP246\A0131102.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP246\A0131126.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP246\A0131134.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP247\A0131152.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP247\A0131166.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP247\A0132166.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP249\A0132188.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP249\A0132205.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP249\A0133204.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP249\A0134220.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP249\A0134231.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP249\A0134242.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP249\A0134251.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP249\A0134260.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP250\A0134274.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP250\A0134285.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP250\A0134292.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP251\A0134303.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP251\A0134315.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP251\A0134326.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP251\A0134336.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP253\A0134414.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP253\A0134423.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP253\A0134432.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP254\A0134444.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP254\A0134456.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP254\A0134463.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP254\A0134474.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP254\A0135472.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP254\A0135483.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP254\A0136481.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP254\A0136498.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP254\A0136507.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP255\A0136518.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP255\A0136527.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP255\A0136539.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP255\A0136550.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP255\A0136557.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP255\A0136569.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP256\A0136580.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP256\A0136589.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP256\A0136600.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP256\A0136609.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP257\A0136620.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP257\A0136631.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP257\A0136643.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP258\A0136656.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP258\A0136665.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP258\A0136679.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP258\A0136688.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP258\A0136700.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP259\A0136710.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP260\A0136722.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP260\A0136737.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP260\A0136744.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP260\A0136752.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP260\A0136764.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP260\A0136773.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP261\A0136785.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP261\A0136794.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP261\A0136802.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP261\A0136861.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP261\A0136957.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP261\A0136965.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP261\A0136974.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP261\A0137974.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP261\A0137980.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP261\A0137988.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP261\A0138000.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP261\A0138006.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP262\A0138015.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP262\A0138023.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP263\A0138056.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP263\A0138062.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP264\A0138074.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP264\A0138082.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP265\A0138091.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP265\A0138097.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP265\A0138107.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP265\A0138115.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP265\A0138122.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP265\A0139122.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP266\A0139131.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP266\A0139140.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP266\A0139151.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP266\A0139159.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP267\A0139167.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP267\A0139180.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP267\A0139188.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP267\A0139194.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP267\A0139205.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP267\A0139215.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP290\A0151175.exe -> Hijacker.Small : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP290\A0151176.dll -> Adware.SBSoft : Cleaned with backup
    C:\WINDOWS\Downloaded Program Files\WinAdServX.dll -> Adware.WinAD : Cleaned with backup
    C:\WINDOWS\system32\mѕiexec.exe -> Adware.PurityScan : Cleaned with backup


    ::Report End

  4. #4
    Neal is offline Dedicated Member
    Well you got a bad one alright, let's try to kill it now.


    You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/file...Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
    The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    Once the desktop loads please post the text that will open (report.txt) and a new Hijackthis log.


    Also give me a new Ewido scan log also please. Thanks.

  5. #5
    bawheed is offline Newbie
    Hi, I have run FixWareout and the report is as follows:
    Check for missing files
    .....
    C:\WINDOWS\system32\AUTOEXEC.NT not there
    .....
    End check for missing files
    .....
    VXD Check
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\VirtualDeviceDrivers]
    "VDD"=hex(7):00
    .....
    End vxd check
    .....
    please post this at the forum

    Here is the HijackThis log:
    Logfile of HijackThis v1.99.1
    Scan saved at 21:40:38, on 24/03/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Trend Micro\Tmas\Tmas.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
    C:\Documents and Settings\jimbo\Desktop\New Folder (2)\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R3 - URLSearchHook: (no name) - {32660B7B-01DD-608A-ED1C-7EE235BB3C0A} - mozilla-text.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: (no name) - {79CCE223-78EE-5E3C-986F-5FA7194FC4B0} - C:\WINDOWS\system32\kybdtvk.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\RunServices: [Windows Registers] Svchosts.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7CD26799-77CF-4219-AFF6-66FE8A1DDA76}: NameServer = 85.255.115.27,85.255.112.120
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DA957213-0F41-47D4-BE31-B28BB50EBA27}: NameServer = 85.255.115.27,85.255.112.120
    O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Here is the ewido log:
    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 2351, 24/03/2006
    + Report-Checksum: A97E1452

    + Scan result:

    [532] VM_00DA0000 -> Downloader.Agent.uj : Error during cleaning
    [556] VM_00F00000 -> Downloader.Agent.uj : Error during cleaning
    [2556] VM_009D0000 -> Downloader.Agent.uj : Error during cleaning
    [2660] VM_003C0000 -> Downloader.Agent.uj : Error during cleaning
    [2788] VM_009B0000 -> Downloader.Agent.uj : Error during cleaning
    [2872] VM_003E0000 -> Downloader.Agent.uj : Error during cleaning
    [2880] VM_00860000 -> Downloader.Agent.uj : Error during cleaning
    [2956] VM_003D0000 -> Downloader.Agent.uj : Error during cleaning
    [3712] VM_00A00000 -> Downloader.Agent.uj : Error during cleaning
    [3428] VM_00A00000 -> Downloader.Agent.uj : Error during cleaning
    C:\Documents and Settings\jimbo\Cookies\jimbo@cs.sexcounter[2].txt -> TrackingCookie.Sexcounter : Cleaned with backup
    C:\Documents and Settings\jimbo\Cookies\jimbo@e-2dj6wfkigldzglq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\jimbo\Cookies\jimbo@e-2dj6wgl4kgczggo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
    C:\Documents and Settings\jimbo\Cookies\jimbo@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP290\A0151177.exe -> Adware.PurityScan : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP291\A0151187.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP291\A0151198.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP291\A0151206.exe -> Trojan.Pakes : Cleaned with backup
    C:\System Volume Information\_restore{8B984396-F460-4E54-A537-3B93039BC46C}\RP291\A0151216.exe -> Trojan.Pakes : Cleaned with backup


    ::Report End

    Thanks.
    Sorry I took so long to get back to you.

  6. #6
    Neal is offline Dedicated Member
    Hi,

    From the tool
    C:\WINDOWS\system32\AUTOEXEC.NT not there

    You are missing a file which is preventing you from running the wareoutfix tool.

    Go to the link below and select your operating system and click the link on that site and follow instructions for obtaining the missing file and try the wareoutfix tool again please. Thanks.

    fixautont.html: http://www.tech-forums.net/computer/topic/29806.html
    Last edited by Neal; 25-03-2006 at 02:50 AM.

  7. #7
    bawheed is offline Newbie
    Hi, here is the updated FixWareout report:

    Fixwareout ver 1.003
    Last edited march/15/2006
    Post this report in the forums please

    Reg Entries that were deleted
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\hximd
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\xedocne
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\gib_ogol
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\repiwoh
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\golmedi
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\23plhps
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\mgcppp
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\tesvaf
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\32refaselif
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\putesprpgd
    ...

    Microsoft (R) Windows Script Host Version 5.6
    Random Runs removed from HKLM
    "dmixh.exe"=-
    ...

    PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Search by size and names...
    C:\WINDOWS\SYSTEM32\DMIXH.EXE
    C:\WINDOWS\SYSTEM32\CSOUD.EXE

    »»»»» Misc files

    »»»»» Checking for older varients covered by the Rem3 tool
    Here is an updated HijackThis log:
    Logfile of HijackThis v1.99.1
    Scan saved at 14:58:58, on 25/03/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Trend Micro\Tmas\Tmas.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\jimbo\Desktop\New Folder (2)\hijackthis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R3 - URLSearchHook: (no name) - {32660B7B-01DD-608A-ED1C-7EE235BB3C0A} - mozilla-text.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: (no name) - {79CCE223-78EE-5E3C-986F-5FA7194FC4B0} - C:\WINDOWS\system32\kybdtvk.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\RunServices: [Windows Registers] Svchosts.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{7CD26799-77CF-4219-AFF6-66FE8A1DDA76}: NameServer = 85.255.115.27,85.255.112.120
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DA957213-0F41-47D4-BE31-B28BB50EBA27}: NameServer = 85.255.115.27,85.255.112.120
    O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Here is the ewido log:
    ---------------------------------------------------------
    ewido anti-malware - Scan report
    ---------------------------------------------------------

    + Created on: 15:48:47, 25/03/2006
    + Report-Checksum: B4311651

    + Scan result:

    C:\RECYCLER\S-1-5-21-2025429265-57989841-839522115-1003\Dc5.exe -> Hijacker.Small : Cleaned with backup
    C:\RECYCLER\S-1-5-21-2025429265-57989841-839522115-1003\Dc7.exe -> Adware.Msnagent : Cleaned with backup
    C:\WINDOWS\system32\dmixh.exe -> Trojan.Pakes : Cleaned with backup


    ::Report End

    I hope this helps
    Thanks

  8. #8
    Neal is offline Dedicated Member
    Excellent job there


    Print these instructions out please


    You absolutely must do this now before anything else:
    Create a folder such as C:\HJT or C:\Program Files\HJT and move Hijackthis.exe into the newly created folder so we can have backups if needed.



    Go here to learn how to show hidden files/folders:

    http://www.xtra.co.nz/help/0,,4155-1916458,00.html#5
    Rehide after you are clean


    Download Clean.bat to your desktop (Save page as or Save as), for later use to clean out your TEMPORARY and PREFETCH files.
    http://www.thatcomputerguy.us/downloads/clean.bat


    Run hijackthis and click on scan button and put checks next to these items:


    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
    R3 - URLSearchHook: (no name) - {32660B7B-01DD-608A-ED1C-7EE235BB3C0A} - mozilla-text.dll (file missing)

    O2 - BHO: (no name) - {79CCE223-78EE-5E3C-986F-5FA7194FC4B0} - C:\WINDOWS\system32\kybdtvk.dll (file missing)

    O4 - HKLM\..\RunServices: [Windows Registers] Svchosts.exe



    Caution: Removing O17 entries may cause the loss of your Internet connection.

    If the O17 removal causes your Internet connection to be lost, here is how to restore it.
    This is the most important reason for having HJT in its own folder.
    Since you have HijackThis in its own folder, any entry fixed with Hijack This can be restored from the HJT backups folder. It is as simple as doing the following.


    Open HijackThis |Click Config |Click Backups | click on those entries | click Restore.


    O17 - HKLM\System\CCS\Services\Tcpip\..\{7CD26799-77CF-4219-AFF6-66FE8A1DDA76}: NameServer = 85.255.115.27,85.255.112.120
    O17 - HKLM\System\CCS\Services\Tcpip\..\{DA957213-0F41-47D4-BE31-B28BB50EBA27}: NameServer = 85.255.115.27,85.255.112.120



    Nothing open but hijackthis and click on "fix checked"


    Now reboot into safe mode by tapping your F8 key upon restart and safe mode screen appears, select safe mode and press enter.


    Hunt for and delete if present:

    Svchosts.exe < file. Take special note of the spelling: there is an S at the end of Svchosts.exe; delete that one only. I believe it will be in the system32 folder if HijackThis doesn't get it.



    Now run that clean batch file you downloaded earlier; type in "Y" a couple of times and press Enter each time you type in "Y", until the black box disappears.

    Then:


    Go to Start > Run and type: CLEANMGR.EXE and hit enter.
    When prompted select the C: drive and click ok.
    Check the boxes for:
    Temporary Internet Files
    Downloaded Program Files
    Recycle Bin
    Temporary Files
    Click OK or Enter

    Reboot

    Make sure you are set to normal startup. Click Start -> Run -> Type Msconfig -> Press Enter -> make sure Startup is set to Normal Start


    Post a new HJT log for further review

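    The post above singles out three kinds of HijackThis entry: O17 NameServer lines that point DNS somewhere unexpected, a Run entry launching the look-alike name Svchosts.exe, and (from the ewido log) an image name with a non-ASCII letter in it. The script below is an added example, not code from the thread or from HijackThis, that mechanically checks log lines for those three signs; the EXPECTED_DNS allowlist and the sample lines are constructed for the demonstration (the sample lines are copied from the logs posted in this thread).

```python
"""Triage checks for HijackThis-style log lines (added example, not from the thread)."""
import re
import unicodedata
from typing import List, Tuple

# Resolvers the machine is expected to use (constructed assumption: a home router).
EXPECTED_DNS = {"192.168.1.1"}

# Real Windows binaries that malware commonly imitates by a one-letter change.
SYSTEM_IMAGES = {
    "svchost.exe", "msiexec.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
    "explorer.exe", "services.exe", "smss.exe", "spoolsv.exe", "rundll32.exe",
    "ctfmon.exe", "wuauclt.exe",
}

# Constructed sample: four lines from this thread's logs plus one clean entry.
# Line 2 spells msiexec with U+0455 (Cyrillic small dze) in place of the Latin s.
SAMPLE_LINES = [
    'O4 - HKLM\\..\\Run: [avgnt] "C:\\Program Files\\AntiVir PersonalEdition Classic\\avgnt.exe" /min',
    "O4 - HKLM\\..\\RunServices: [Windows Registers] Svchosts.exe",
    "O4 - HKCU\\..\\Run: [Rbnwmkt] C:\\WINDOWS\\system32\\m\u0455iexec.exe",
    "O4 - HKLM\\..\\Run: [Microsoft Update] MSlti32.exe",
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{7CD26799-77CF-4219-AFF6-66FE8A1DDA76}: "
    "NameServer = 85.255.115.27,85.255.112.120",
]

O4_RE = re.compile(r"^O4 - (?P<key>\S+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>.+)$")


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; used to spot one-letter imitations of system names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_path(cmd: str) -> str:
    """Return the executable part of a Run command (quoted path or first token)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def image_basename(cmd: str) -> str:
    return re.split(r"[\\/]", image_path(cmd))[-1]


def check_line(line: str) -> List[str]:
    """Return human-readable reasons this line deserves a look (empty if none)."""
    reasons: List[str] = []
    m = O4_RE.match(line)
    if m:
        image = image_path(m.group("cmd"))
        base = image_basename(m.group("cmd"))
        low = base.lower()
        odd = [f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in base if ord(c) > 127]
        if odd:
            reasons.append(f"non-ASCII character(s) in image name {base!r}: {', '.join(odd)}")
        if low not in SYSTEM_IMAGES:
            for known in sorted(SYSTEM_IMAGES):
                if levenshtein(low, known) == 1:
                    reasons.append(f"{base!r} is one edit away from system binary {known!r}")
            # A bare name is resolved via the search path, so the file could be anywhere.
            if not re.search(r"[\\/]", image):
                reasons.append(f"{base!r} launched by bare name (resolved via search path)")
    m = O17_RE.match(line)
    if m:
        for server in (s.strip() for s in m.group("servers").split(",")):
            if server and server not in EXPECTED_DNS:
                reasons.append(f"NameServer {server} is not one of the expected resolvers")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Run check_line over a whole log and keep only the flagged lines."""
    flagged = []
    for ln in log_text.splitlines():
        reasons = check_line(ln)
        if reasons:
            flagged.append((ln, reasons))
    return flagged


if __name__ == "__main__":
    for ln, reasons in triage("\n".join(SAMPLE_LINES)):
        print(ln)
        for r in reasons:
            print("   ->", r)
```
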
  9. #9
    bawheed is offline Newbie
    Hi, I have followed your instructions and here is the new HJT log:
    Logfile of HijackThis v1.99.1
    Scan saved at 16:15:23, on 26/03/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\Tmas\Tmas.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\hjt\hijackthis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
    O4 - HKLM\..\Run: [Windows Registers] Svchosts.exe
    O4 - HKLM\..\Run: [Testimonials] ActionScr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [Microsoft Update] MSlti32.exe
    O4 - HKLM\..\Run: [LXBRKsk] C:\PROGRA~1\LEXMAR~1\LXBRKsk.exe
    O4 - HKLM\..\Run: [Lexmark 3100 Series] "C:\Program Files\Lexmark 3100 Series\lxbrbmgr.exe"
    O4 - HKLM\..\Run: [kmw_run.exe] kmw_run.exe
    O4 - HKLM\..\Run: [init32] UserSp1.exe
    O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Office Mouse\moffice.exe
    O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\per.exe internat.dll,LoadKeyboardProfile
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
    O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
    O4 - HKCU\..\Run: [uio] browsebar.exe
    O4 - HKCU\..\Run: [Temo] C:\Documents and Settings\jimbo\Application Data\sdsu.exe
    O4 - HKCU\..\Run: [Rbnwmkt] C:\WINDOWS\system32\m?iexec.exe
    O4 - HKCU\..\Run: [desktop] C:\WINDOWS\system32\idemlog.exe
    O4 - HKCU\..\Run: [ActionScr] hyandex.exe
    O4 - Startup: PalNetaware.lnk = C:\Program Files\Paltalk\pnetaware.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
    O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
    O4 - Global Startup: palstart.exe
    O4 - Global Startup: Trend Micro Anti-Spyware.lnk = C:\Program Files\Trend Micro\Tmas\Tmas.exe
    O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: E&xporter vers Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-24.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O23 - Service: AntiVir Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Service (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    I hope this helps
    Thanks

  10. #10
    Neal is offline Dedicated Member
    We had you clean and now you're all infected again, worse than before.


    Go do the wareoutfix again and post that log, and do an Ewido scan from safe mode and post that log.


    Is there more than one user account on this computer?


    Is this computer hooked to another computer?

    Thanks.
