 KMB1962
join:2002-03-23 Tujunga, CA
| help getting rid of pokapoka70.exe
I have been trying to get rid of pokapoka; I think it's a trojan. I can't seem to find it in the registry or in Windows. It shows up in my startup list even if I disable it. I am using Ad-Aware, Spybot, SpywareBlaster and HJT. I just started using Avast.
The location for this, according to my startup list, is: C:\WINDOWS\etb\pokapoka70.exe HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
OK so... how do I find this thing? Thanks for any help!! |
|
  Click the big red li
@inet.fi | I hope to be the first to post this: »Security »I think my computer is infected or hijacked. What should I do? |
|
  sfdghseth
@net.au
| reply to KMB1962 First off, the techs on this site are going to tell you to go to this "http://www.dslreports.com/faq/8428", which is this site's help document that works in most cases. Second, what is your OS, e.g. Windows XP (Home or Pro?), Windows 2000, etc.?
Third point, what have you tried so far, e.g. deleting the C:\WINDOWS\etb\ folder, scanning with antivirus, running regedit to delete the entry?
Fourth point, I ran a search on the .exe but nothing came up except some Italian or French site that had a HijackThis log on it; since I am an Aussie I can't read whatever language it was. I searched pokapoka.exe and came up with this:
»www.geekstogo.com/forum/index.ph···&t=64671
Then this:
»www.geekstogo.com/forum/index.ph···ic=53468
»www.itfreaks.com/forum/pokapoka-···651.html
Obviously the end number, e.g. 69 on one of the logs, is known as a virus. It COULD be related, but since I am no expert I would not know; hope someone else could shed some light. |
|
 KMB1962
join:2002-03-23 Tujunga, CA
| I have run Spybot, Ad-Aware, Avast and installed TrojanHunter, which came up with a lot of crap that I deleted. When I go to msconfig and Startup, that pokapoka thing is still there... I CANNOT find the Windows\etb folder. I have it set to show all folders, so why can't I find that one? Is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run the registry path? If so, I can't find that there either. Any ideas or help would be appreciated.... Thanks! |
|
  TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA
| reply to KMB1962 It's clear what one of the items on your system is from the file name (you have an elitum toolbar infection), and what the fix is, but download and post a HijackThis log first. You may have something else bad running, and you could also have other protection programs running that could prevent some changes.
Download 'Hijack This!'. www.spywareinfo.com/~merijn/files/HijackThis.exe Save it in a convenient permanent folder such as C:\HJT\, double click HijackThis.exe, and hit "Scan".
When the scan is finished, the "Scan" button will change into a "Save Log" button. Press that, save the log, Ctrl-A to Select All, and copy its contents here. Most of what it lists will be harmless or even essential, don't fix anything yet. -- Proud ASAP member since 2005 |
|
 KMB1962
join:2002-03-23 Tujunga, CA
| Logfile of HijackThis v1.99.1
Scan saved at 2:50:48 PM, on 9/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\xrnfig.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\etb\pokapoka70.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.oaktreeracing.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = 1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkklm.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [stratas] xmconfig.exe
O4 - HKLM\..\Run: [rcctratas] xrnfig.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [THGuard] "D:\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [System service70] C:\WINDOWS\etb\pokapoka70.exe
O4 - HKLM\..\RunServices: [stratas] xmconfig.exe
O4 - HKLM\..\RunServices: [rcctratas] xrnfig.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [stratas] xmconfig.exe
O4 - HKCU\..\Run: [rcctratas] xrnfig.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: »awbeta.net-nucleus.com (HKLM)
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - »www.miniclip.com/platypus/minicl···ader.dll
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - »racing.youbet.com/wr_5_3/control···uest.cab
O16 - DPF: {85AC0EFC-2CA1-4C1C-82AE-5C31184A13EF} (VAMCtrl Class) - »209.203.126.66/plugin/h263ctrl.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - »zone.msn.com/bingame/zuma/defaul···r_v5.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - »tools.ebayimg.com/eps/activex/EP···-3-0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - »download.mcafee.com/molbin/iss-l···scan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - »fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - »cdn.digitalcity.com/_media/dalai···ampx.cab
O20 - Winlogon Notify: awvtr - C:\WINDOWS\system32\awvtr.dll (file missing)
O20 - Winlogon Notify: jkklm - C:\WINDOWS\SYSTEM32\jkklm.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe |
|
 adamt56
join:2005-06-21 Saint Petersburg, FL
| reply to KMB1962 C:\WINDOWS\etb is hidden from the Windows API.
Try booting into Safe Mode and deleting the directory from the command line. Not sure if it will work, but worth a try nevertheless.
Go to Start ---> Run ---> cmd, change directory to the root of the drive, then remove the folder together with everything inside it (del only clears the files in a directory, rmdir /s removes the directory itself):

    cd \
    C:\>cd WINDOWS
    C:\WINDOWS>rmdir /s /q C:\WINDOWS\etb

Then, download a reputable anti-spyware/adware program and try to remove the rest of Elite Toolbar.
Good luck. |
|
  TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA
| reply to KMB1962 Your system is severely compromised. See this page for a description of one of the Trojans you have:
»www.sophos.com/virusinfo/analyse···ahr.html
This trojan can:
- start an FTP server
- start a Proxy server
- start a web server
- take part in distributed denial of service (DDoS) attacks
- log keypresses
- capture screen/webcam images
- packet sniffing
- port scanning
- download/execute arbitrary files
- start a remote shell (RLOGIN)
- steal product registration information from certain software
- steal/send text through AOL Instant Messenger (AIM)
At the very least, after cleaning, you need to change all your passwords for accounts on the system and any system you access through it. Any information on that system is compromised, such as personal information or financial data. If you do financial work on your computer, I would immediately contact your financial institution before you do anything else.
Please print these instructions. You will not have access to them on-line once you get to the point where you need to be in Safe Mode.
Download, install, and update the free version of Ewido trojan scanner:
- When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- Run Ewido. When you run it for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
- From the main Ewido screen, click on Update in the left menu, then click the Start update button.
- After the update finishes (the status bar at the bottom will display "Update successful"), exit Ewido. DO NOT scan yet.

Download users.pandora.be/bluepatchy/miekiemoes/tools/LQfix.exe and place it on your desktop. Double-click LQfix.exe and click Install. This will create a new folder called LQfix on your desktop. Open the folder and double-click ClickThis.bat. Follow the prompts on the screen. Your system will reboot afterwards. Please be patient after the reboot, because there is a script running in the background.
Please download www.atribune.org/downloads/VundoFix.exe to your desktop.
- Double-click VundoFix.exe to extract the files.
- This will create a VundoFix folder on your desktop.
- After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
- Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat.
- You will first be presented with a warning and a list of forums to seek help at. It should look like this:

VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk
Please seek assistance at one of the following forums:
http://www.atribune.org/forums
http://www.247fixes.com/forums
http://www.geekstogo.com/forum
http://forums.net-integration.net

- At this point press Enter one time.
- Next you will see:

Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.

- At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\SYSTEM32\jkklm.dll.dll

- Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
- Next you will see:

Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.

- At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\SYSTEM32\mlkkj.*

- Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
- The fix will run, then HijackThis will open.
- In HijackThis, please place a check next to the following items and click FIX CHECKED:

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkklm.dll
O4 - HKLM\..\Run: [stratas] xmconfig.exe
O4 - HKLM\..\Run: [rcctratas] xrnfig.exe
O4 - HKLM\..\Run: [System service70] C:\WINDOWS\etb\pokapoka70.exe
O4 - HKLM\..\RunServices: [stratas] xmconfig.exe
O4 - HKLM\..\RunServices: [rcctratas] xrnfig.exe
O4 - HKCU\..\Run: [stratas] xmconfig.exe
O4 - HKCU\..\Run: [rcctratas] xrnfig.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O20 - Winlogon Notify: awvtr - C:\WINDOWS\system32\awvtr.dll (file missing)
O20 - Winlogon Notify: jkklm - C:\WINDOWS\SYSTEM32\jkklm.dll

- After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
- Pressing any key will cause a "Blue Screen of Death". This is normal, do not worry!
- Once your machine reboots, please continue with the instructions below.

Run Ewido:
- Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
- If Ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one by one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if Ewido needs to be run again.
- When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Then, please run this online virus scan: ActiveScan
Copy the results of the ActiveScan and Ewido results and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
-- Proud ASAP member since 2005 |
|
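Added example, not code from the thread or from HijackThis, VundoFix or any other tool named in it: a small Python triage script that applies the reasoning TheJoker used on KMB1962's log to the O2/O4/O15/O20 lines quoted from that log above. It flags the signals a defender reads off a HijackThis log: a Run command that is a bare file name with no path (xmconfig.exe, xrnfig.exe); the same value name seeded into several autostart keys, including the Windows 9x/Me-only RunServices key that XP never processes; an executable in a non-standard folder under C:\WINDOWS (etb); five-letter random DLL names hooked into IE and Winlogon (jkklm.dll, awvtr.dll; the second VundoFix path above, mlkkj.*, is jkklm spelled backwards); and wildcard domains added to the IE Trusted Zone. The regexes, the five-letter rule and the list of "known" Windows subfolders are this example's own assumptions, and with them it would also flag the awbeta.net-nucleus.com Trusted Zone entry that TheJoker left alone; a flagged line is a lead to look up, not a verdict.

```python
"""Heuristic triage of HijackThis O2/O4/O15/O20 lines (added example, not HJT code)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Sample input: lines copied from the HijackThis log posted in this thread,
# including a few clean entries (avast, ctfmon, MSConfig) the heuristics must pass.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkklm.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [stratas] xmconfig.exe
O4 - HKLM\..\Run: [rcctratas] xrnfig.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [System service70] C:\WINDOWS\etb\pokapoka70.exe
O4 - HKLM\..\RunServices: [stratas] xmconfig.exe
O4 - HKLM\..\RunServices: [rcctratas] xrnfig.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [stratas] xmconfig.exe
O4 - HKCU\..\Run: [rcctratas] xrnfig.exe
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O20 - Winlogon Notify: awvtr - C:\WINDOWS\system32\awvtr.dll (file missing)
O20 - Winlogon Notify: jkklm - C:\WINDOWS\SYSTEM32\jkklm.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Assumption of this example: autostart executables legitimately live in these
# C:\WINDOWS subfolders; a Run entry pointing anywhere else (C:\WINDOWS\etb) is a lead.
KNOWN_WINDIR_SUBDIRS = {"system32", "system", "pchealth"}

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (\S+)")
DLL_RE = re.compile(r"([A-Za-z]:\\\S+\.dll)", re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r"^[a-z]{5}$")   # Vundo-style names such as jkklm, awvtr


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def exe_path(command: str) -> str:
    """Executable part of an O4 command: drop ' /switches', strip surrounding quotes."""
    return command.split(" /")[0].strip().strip('"')


def odd_windir_location(exe: str) -> bool:
    """True when exe sits in a C:\\WINDOWS subfolder outside KNOWN_WINDIR_SUBDIRS."""
    parts = exe.lower().split("\\")
    return (len(parts) > 3 and parts[0] == "c:" and parts[1] == "windows"
            and parts[2] not in KNOWN_WINDIR_SUBDIRS)


def triage(log_text: str) -> List[Finding]:
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    o4 = [(ln, m) for ln in lines for m in [O4_RE.match(ln)] if m]
    # How many autostart keys carry the same value name (stratas appears in three).
    seeded = Counter(m.group(3).lower() for _, m in o4)
    findings: List[Finding] = []
    for line, m in o4:
        _hive, key, name, command = m.groups()
        exe = exe_path(command)
        if "\\" not in exe:
            findings.append(Finding(line, "command is a bare file name with no path; "
                                          "legitimate entries almost always give one"))
        if key.lower() == "runservices":
            findings.append(Finding(line, "RunServices is a Windows 9x/Me key that XP ignores; "
                                          "writing it anyway is typical of malware seeding every Run key"))
        if odd_windir_location(exe):
            sub = exe.split("\\")[2]
            findings.append(Finding(line, f"executable in non-standard Windows subfolder '{sub}'"))
        if seeded[name.lower()] > 1:
            findings.append(Finding(line, f"value name [{name}] present in {seeded[name.lower()]} "
                                          "autostart keys (re-seeds itself when one is removed)"))
    for line in lines:
        if line.startswith(("O2 - BHO:", "O20 - Winlogon Notify:")):
            dll = DLL_RE.search(line)
            stem = dll.group(1).rsplit("\\", 1)[-1][:-4].lower() if dll else ""
            if RANDOM_STEM_RE.match(stem):
                findings.append(Finding(line, f"random-looking DLL name '{stem}'; look for its "
                                              f"reverse '{stem[::-1]}' too (companion files)"))
            if "(no name)" in line or "(file missing)" in line:
                findings.append(Finding(line, "unnamed or missing component hooked into IE or Winlogon"))
        m15 = O15_RE.match(line)
        if m15 and m15.group(1).startswith("*."):
            findings.append(Finding(line, f"wildcard {m15.group(1)} in IE Trusted Zone lowers "
                                          "security for every host under that domain"))
    return findings


def flagged(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to its reasons, in log order."""
    out: Dict[str, List[str]] = {}
    for f in triage(log_text):
        out.setdefault(f.line, []).append(f.reason)
    return out


if __name__ == "__main__":
    for line, reasons in flagged(SAMPLE_LOG).items():
        print(line)
        for r in reasons:
            print("    ->", r)
```

Run against the sample it flags exactly the twelve O2/O4/O15/O20 lines TheJoker put on the FIX CHECKED list and none of the clean ones; the R3 and F2 entries he also checked need knowledge of the machine's defaults rather than a pattern, so they are left to the human reader.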
  foxsteve Premium join:2001-12-28 Campbell, CA
| TheJoker, according to the worm description a victim gets:
The worm copies itself to a file named xmconfig.exe in the Windows system folder and creates the following registry entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
stratas "xmconfig.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
stratas "xmconfig.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
stratas "xmconfig.exe"
W32/Rbot-AHR drops a file as msdirectx.sys and loads the file as a driver. Sophos's anti-virus products detect msdirectx.sys as Troj/NtRootK-F.
W32/Rbot-AHR spreads through network shares.
W32/Rbot-AHR can be controlled by a remote attacker over IRC channels.
The backdoor component of W32/Rbot-AHR can be instructed by a remote user
If this is detailed information about all components of the worm itself and its support in the Registry and on disk, I think it is enough to delete these components after closing the IRC port. |
|
 KMB1962
join:2002-03-23 Tujunga, CA | OK......I'm doing this now but I just saw the new post from foxsteve...I'm at the point where I download the vundofix....should I continue? And umm...how do I close a IRC port? Thanks and if we get this done...dinner is on me! |
|
  Cudni La Merma - Vigilado Premium,MVM join:2003-12-20 Someshire
| foxsteve is providing additional info regarding the malware, and you should continue following the detailed instructions by TheJoker.
Cudni -- What is now proved was once only imagined. Help yourself so God can help you |
|
 KMB1962
join:2002-03-23 Tujunga, CA | ok great.....on i go....wish me luck! |
|
  Cudni La Merma - Vigilado Premium,MVM join:2003-12-20 Someshire | Good luck 
Cudni |
|
 KMB1962
join:2002-03-23 Tujunga, CA
1 edit | reply to TheJoker I did all that I was supposed to, except that I had a problem with the VundoFix... when I put in the second file path it told me that the filepath does not seem to exist. Here are the results of the other scans:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------
+ Created on: 11:35:03 AM, 9/26/2005
+ Report-Checksum: D3983F2E

+ Scan result:

HKLM\SOFTWARE\Classes\Bar.WebBar\CLSID\\ -> Spyware.NewtonKnows : Cleaned with backup
HKLM\SOFTWARE\Classes\Bar.WebBar.1\CLSID\\ -> Spyware.NewtonKnows : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB} -> Spyware.PopularScreensavers : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} -> Spyware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{CEA206E8-8057-4A04-ACE9-FF0D69A92297} -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{EE392A64-F30B-47C8-A363-CDA1CEC7DC1B} -> Spyware.NewtonKnows : Cleaned with backup
HKLM\SOFTWARE\Classes\Eac_mindef.MDefControl\CLSID\\ -> Spyware.StopSign : Cleaned with backup
HKLM\SOFTWARE\Classes\Eac_mindef.MDefControl.1\CLSID\\ -> Spyware.StopSign : Cleaned with backup
HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\StopSignRCS\\ -> Spyware.eAcceleration : Cleaned with backup
HKLM\SOFTWARE\Classes\FunWebProductsInstaller.Start\CLSID\\ -> Spyware.PopularScreensavers : Cleaned with backup
HKLM\SOFTWARE\Classes\FunWebProductsInstaller.Start.1\CLSID\\ -> Spyware.PopularScreensavers : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{05774849-67D2-492C-AB96-E6AF16452632}\TypeLib\\ -> Spyware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{1CA6F6BB-1586-4748-8309-55D409FCCA39}\TypeLib\\ -> Spyware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{23C0C96E-71AC-4040-92C2-551AE5139A70}\TypeLib\\ -> Spyware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{4A0F42B7-A61B-4131-BF41-BF05A2635BFD} -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{4A0F42B7-A61B-4131-BF41-BF05A2635BFD}\TypeLib\\ -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{665ABE65-2C16-4341-B4B8-01FF799E8F4C} -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{665ABE65-2C16-4341-B4B8-01FF799E8F4C}\TypeLib\\ -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9DBDD71C-0A7F-48AC-9FFA-E102B3750B9D} -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9DBDD71C-0A7F-48AC-9FFA-E102B3750B9D}\TypeLib\\ -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5} -> Spyware.ISTBar : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{AA4939C3-DECA-4A48-A454-97CD587C0EF5}\TypeLib\\ -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C2E56E18-2F04-4AB9-9333-B2DB3C350956} -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C2E56E18-2F04-4AB9-9333-B2DB3C350956}\TypeLib\\ -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C6504DBF-3DBE-4BF8-8150-39DDE7B489CC}\TypeLib\\ -> Spyware.MediaMotor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{EEE4A2E5-9F56-432F-A6ED-F6F625B551E0}\TypeLib\\ -> Spyware.SafeSurfing : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{F8C5EA77-7D72-405C-B90A-093655B0F544} -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{F8C5EA77-7D72-405C-B90A-093655B0F544}\TypeLib\\ -> Spyware.CometCursor : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\msielink.relatedlinksProtocol -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\msielink.relatedlinksProtocol\Clsid -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\msielink.relatedlinksProtocol\Clsid\\ -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\RunMSC.Loader\CLSID\\ -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\RunMSC.Loader.1\CLSID\\ -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{8992B6CA-B8C9-4AED-BF89-0A17F6296A06} -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Classes\YSBactivex.Installer\CLSID -> Spyware.YourSiteBar : Cleaned with backup
HKLM\SOFTWARE\Dsi -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{850CD0B8-DA33-4558-A8C8-95D7908E37A7} -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bargain Buddy -> Spyware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{1A00C40B-DA85-4aa3-A67F-582D9347EECD} -> Spyware.iSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{8A0DCBDA-6E20-489C-9041-C1E8A0352E75} -> Spyware.NetNucleus : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\{BC3BBF86-E4EC-4412-9676-8355468B3B05} -> Spyware.Maxspeed : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/btiein.dll\\.Owner -> Spyware.HuntBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/btiein.dll\\{26E8361F-BCE7-4F75-A347-98C88B418322} -> Spyware.HuntBar : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1019.dll\\.Owner -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/HDPlugin1019.dll\\{DBAE7000-01EC-4162-8FEB-8A27AC937CA0} -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/QDow_AS2.dll\\.Owner -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/QDow_AS2.dll\\{87067F04-DE4C-4688-BC3C-4FCF39D609E7} -> Spyware.WebSearch : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/UCSearch.ocx\\.Owner -> Spyware.UCmore : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/UCSearch.ocx\\{1FDEC088-A699-46FE-BF76-D5FD6DAE6150} -> Spyware.UCmore : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/ASYCFILT.DLL\\{1FDEC088-A699-46FE-BF76-D5FD6DAE6150} -> Spyware.UCmore : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/COMCAT.DLL\\{1FDEC088-A699-46FE-BF76-D5FD6DAE6150} -> Spyware.UCmore : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/MSSTKPRP.DLL\\{1FDEC088-A699-46FE-BF76-D5FD6DAE6150} -> Spyware.UCmore : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/msvbvm60.dll\\{1FDEC088-A699-46FE-BF76-D5FD6DAE6150} -> Spyware.UCmore : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/ObjSafe.tlb\\.Owner -> Spyware.Roimoi : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/ObjSafe.tlb\\{E0CE16CB-741C-4B24-8D04-A817856E07F4} -> Spyware.Roimoi : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/OLEAUT32.DLL\\{1FDEC088-A699-46FE-BF76-D5FD6DAE6150} -> Spyware.UCmore : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/olepro32.dll\\{1FDEC088-A699-46FE-BF76-D5FD6DAE6150} -> Spyware.UCmore : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/STDOLE2.TLB\\{1FDEC088-A699-46FE-BF76-D5FD6DAE6150} -> Spyware.UCmore : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Mvu -> Spyware.Delfin : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{1A00C40B-DA85-4aa3-A67F-582D9347EECD} -> Spyware.iSearch : Cleaned with backup
HKU\S-1-5-21-329068152-926492609-725345543-1004\Software\Microsoft\Internet Explorer\Explorer Bars\{90C61707-C8F8-43DB-A25C-C1F4B18EE41E} -> Spyware.CometCursor : Cleaned with backup
HKU\S-1-5-21-329068152-926492609-725345543-1004\Software\Microsoft\Internet Explorer\Explorer Bars\{EDC4193F-34AD-4D07-AA87-E3FDB89E3E76} -> Spyware.CometCursor : Cleaned with backup
HKU\S-1-5-21-329068152-926492609-725345543-1004\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-329068152-926492609-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{00000010-6F7D-442C-93E3-4A4827C2E4C8} -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-329068152-926492609-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-329068152-926492609-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{205FF73B-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKU\S-1-5-21-329068152-926492609-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{28CAEFF3-0F18-4036-B504-51D73BD81ABC} -> Spyware.SearchMiracle : Cleaned with backup
HKU\S-1-5-21-329068152-926492609-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKU\S-1-5-21-329068152-926492609-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{36A59337-6EEF-40AE-94B1-ED443A0C4740} -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-21-329068152-926492609-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{79849612-A98F-45B8-95E9-4D13C7B6B35C} -> Spyware.Crazywinnings : Cleaned with backup
HKU\S-1-5-21-329068152-926492609-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{825CF5BD-8862-4430-B771-0C15C5CA8DEF} -> Spyware.EliteBar : Cleaned with backup
HKU\S-1-5-21-329068152-926492609-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{86227D9C-0EFE-4F8A-AA55-30386A3F5686} -> Spyware.YourSiteBar : Cleaned with backup
HKU\S-1-5-21-329068152-926492609-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} -> Spyware.MoneyTree : Cleaned with backup
HKU\S-1-5-21-329068152-926492609-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.Mirar : Cleaned with backup
HKU\S-1-5-21-329068152-926492609-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} -> Spyware.NetNucleus : Cleaned with backup
HKU\S-1-5-21-329068152-926492609-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A3FDD654-A057-4971-9844-4ED8E67DBBB8} -> Spyware.ISTBar : Cleaned with backup
HKU\S-1-5-21-329068152-926492609-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{EE392A64-F30B-47C8-A363-CDA1CEC7DC1B} -> Spyware.NewtonKnows : Cleaned with backup
HKU\S-1-5-21-329068152-926492609-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F4E04583-354E-4076-BE7D-ED6A80FD66DA} -> Spyware.BargainBuddy : Cleaned with backup
HKU\S-1-5-21-329068152-926492609-725345543-1004\Software\Mvu -> Spyware.Delfin : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{1A00C40B-DA85-4aa3-A67F-582D9347EECD} -> Spyware.iSearch : Error during cleaning
C:\WINDOWS\system32\mlljj.dll -> Trojan.Crypt.o : Cleaned with backup
C:\WINDOWS\system32\ddayy.dll -> Trojan.Crypt.o : Cleaned with backup
C:\WINDOWS\system32\geedb.dll -> Trojan.Crypt.o : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\popcaploader.dll -> Not-A-Virus.RiskWare.Downloader.PopCap.a : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\YSBactivex.dll -> TrojanDownloader.IstBar : Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\NDNuninstall5_40.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\mm81.ocx -> TrojanDownloader.VB.ov : Cleaned with backup
C:\WINDOWS\876029.exe -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\Karen\Local Settings\Temp\Cookies\karen@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Karen\Local Settings\Temp\Cookies\karen@cz4.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Karen\Local Settings\Temp\Cookies\karen@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Karen\Local Settings\Temp\180sainstallersilsais1.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Karen\Local Settings\Temp\180sainstallersilsais1.exe/clientax.dll -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\Karen\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@edge.ru4[1].txt -> Spyware.Cookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@serving-sys[2].txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@ysbweb[1].txt -> Spyware.Cookie.Ysbweb : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@atdmt[1].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@mediaplex[2].txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@bfast[2].txt -> Spyware.Cookie.Bfast : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@servedby.advertising[2].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@ehg-tigerdirect2.hitbox[2].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@statcounter[2].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@valueclick[2].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@targetnet[1].txt -> Spyware.Cookie.Targetnet : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@cnn.122.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@rotator.adjuggler[2].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@server.iad.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@www.burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@www.burstbeacon[2].txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Karen\Cookies\karen@casalemedia[2].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Karen\msdirectx.sys -> Trojan.Rootkit.h : Cleaned with backup
C:\Documents and Settings\Karen\msdirectx.sys.tcf -> Trojan.Rootkit.h : Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll.tcf -> Spyware.Wheaterbug : Cleaned with backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP446\A0057487.exe -> Trojan.EliteBar.c : Cleaned with backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP446\A0057495.sys.tcf -> Trojan.Rootkit.h : Cleaned with backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP446\A0057496.sys.tcf -> Trojan.Rootkit.h : Cleaned with backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP447\A0057528.sys.tcf -> Trojan.Rootkit.h : Cleaned with backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP448\A0060564.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP448\A0058536.sys.tcf -> Trojan.Rootkit.h : Cleaned with backup
C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP448\A005
*8537.sys.tcf -> Trojan.Rootkit.h : Cleaned with backup 	C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP448\A005 *9551.sys.tcf -> Trojan.Rootkit.h : Cleaned with backup 	C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP448\A006 *0555.sys.tcf -> Trojan.Rootkit.h : Cleaned with backup 	C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP449\A006 *2571.sys -> Trojan.Rootkit.h : Cleaned with backup 	C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP449\A006 *2572.sys -> Trojan.Rootkit.h : Cleaned with backup 	C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP449\A006 *2622.exe -> Spyware.EliteBar : Cleaned with backup 	C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP449\A006 *2623.dll -> Spyware.YourSiteBar : Cleaned with backup 	C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP449\A006 *2719.sys -> Trojan.Rootkit.h : Cleaned with backup 	C:\System Volume Information\_restore{8357CB77-1DBD-43BC-B2F8-E849AAB0887F}\RP449\A006 *2720.sys -> Trojan.Rootkit.h : Cleaned with backup
(*) WARNING 142 long line(s) split ::Report End
                  Detected  Disinfected
Virus                 32        32
Spyware               44         0
Hacking Tools          2         0
Dialers                0         0
Security Risks         0         0
Suspicious files       0         0

Logfile of HijackThis v1.99.1
Scan saved at 1:05:57 PM, on 9/26/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\drivers\dcfssvc.exe
D:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = »www.oaktreeracing.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = 1
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkklm.dll
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\PSFree.exe"
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O15 - Trusted Zone: »awbeta.net-nucleus.com (HKLM)
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - »www.miniclip.com/platypus/minicl···ader.dll
O16 - DPF: {670821E0-76D1-11D4-9F60-009027A966BF} (YouBet Secure Data Transfer Control) - »racing.youbet.com/wr_5_3/control···uest.cab
O16 - DPF: {85AC0EFC-2CA1-4C1C-82AE-5C31184A13EF} (VAMCtrl Class) - »209.203.126.66/plugin/h263ctrl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - »www.pandasoftware.com/activescan···inst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - »zone.msn.com/bingame/zuma/defaul···r_v5.cab
O16 - DPF: {E855A2D4-987E-4F3B-A51C-64D10A7E2479} (EPSImageControl Class) - »tools.ebayimg.com/eps/activex/EP···-3-0.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - »download.mcafee.com/molbin/iss-l···scan.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - »fdl.msn.com/public/chat/msnchat45.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - »cdn.digitalcity.com/_media/dalai···ampx.cab
O20 - Winlogon Notify: jkklm - C:\WINDOWS\SYSTEM32\jkklm.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Dcfssvc - Eastman Kodak Company - C:\WINDOWS\system32\drivers\dcfssvc.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe |
|
 Lion69
join:2005-09-26
| reply to KMB1962 Hi.
I am having the same problem. Obviously I need to do the same, and I have all the programs as stated, but I need to know what to do.
Please, please, please advise.
Lion. |
|
  CalamityJane Premium,VIP,MVM join:2002-08-27 Eustis, FL
| Hello Lion,
Please go here and follow these steps first as directed: »Security »I think my computer is infected or hijacked. What should I do?
When you have done that, please start your own new topic. There is no way your problem is exactly the same, as each system, and sometimes a multitude of infections (such as on this one), cannot be handled in a single thread. Each person's system and unique problems will need special handling, and the file names and tools used can be quite different. We ask each person needing help after following the FAQ above to start their own topic, please. -- It takes a disaster to make a woman out of a female Microsoft MVP/Windows Security 2003-2005 Proud Member of ASAP (Alliance of Security Analysis Professionals) |
|
  Depresor
@Red-83-33-156.dynami
| reply to KMB1962 My English isn't good, but I will try to answer that.
Yesterday I was fixing my friend's PC and it (pokapoka70.exe) appeared when I connected to the internet.
I don't know what it is, but it produces more errors on my friend's PC. After scanning all folders with Avast!, McAfee, Norton, Ad-Aware, ... only the Avast antivirus and Ad-Aware recognized that malware, but they couldn't erase it. I decided to format C:\.
I saved a copy of pokapoka70 and I think that it is a trojan, because it infects all of Windows XP (system32 and *.ini) and creates more problems on the PC.
Sorry, but that is the only info I have. |
|
  TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA
| reply to foxsteve
said by foxsteve: If it is detailed information about all components of the worm itself and its support in the Registry and Disk, I think it is enough to delete these components after closing IRC port.
Yes, you can. The question, though, is that because someone else potentially had absolute and complete control of the system, what else is there on it? And all the info on that system has potentially been compromised. Depending on what he had on it, he could even be a victim of identity theft. -- Proud ASAP member since 2005 |
|
  TheJoker Premium,VIP,MVM join:2001-04-26 Alexandria, VA
| reply to KMB1962 You still have the Vundo infection.
[*] Please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
[*] Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat.
[*] You will first be presented with a warning and a list of forums to seek help at. It should look like this:

VundoFix V2.1 by Atri
By pressing enter you agree that you are using this at your own risk
Please seek assistance at one of the following forums:
http://www.atribune.org/forums
http://www.247fixes.com/forums
http://www.geekstogo.com/forum
http://forums.net-integration.net

[*] At this point press Enter one time.
[*] Next you will see:

Type in the filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.

[*] At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\SYSTEM32\jkklm.dll.dll

[*] Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
[*] Next you will see:

Please type in the second filepath as instructed by the forum staff
Then Press Enter, Then F6, Then Enter Again to continue with the fix.

[*] At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\SYSTEM32\mlkkj.*

[*] Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
[*] The fix will run, then HijackThis will open.
[*] In HijackThis, please place a check next to the following items and click FIX CHECKED:

O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\jkklm.dll
O20 - Winlogon Notify: jkklm - C:\WINDOWS\SYSTEM32\jkklm.dll

[*] After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
[*] Pressing any key will cause a "Blue Screen of Death". This is normal, do not worry!
[*] Once your machine reboots, please continue with the instructions below.
Then, please run this online virus scan: ActiveScan
Copy the results of the ActiveScan along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic. Please don't forget the text from vundofix.txt this time.
-- Proud ASAP member since 2005 |
|
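The post above identifies the infection from two HijackThis lines that point at the same DLL (a nameless O2 BHO and an O20 Winlogon Notify handler) and asks for two VundoFix paths, the DLL and a reversed-name companion with a wildcard extension. The following is an added example, not code from the thread, from HijackThis or from VundoFix: a Python script that applies that reasoning to log lines. The sample log is constructed from the lines posted in this thread (the forum's link marker in front of the O15 host is dropped); the reversed-name rule is generalised from the two paths in the post and is an assumption for any other infection; the Trusted Zone listing is an extra check for the helper, not something the post asks for.

```python
import re

# Constructed sample: the relevant lines from the HijackThis log posted in
# this thread (the forum's link marker in front of the O15 host is dropped).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\\WINDOWS\\system32\\jkklm.dll
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O15 - Trusted Zone: awbeta.net-nucleus.com (HKLM)
O20 - Winlogon Notify: jkklm - C:\\WINDOWS\\SYSTEM32\\jkklm.dll
O23 - Service: avast! Antivirus - Unknown owner - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<host>\S+)")


def parse_hjt(text):
    """Parse the O2, O15 and O20 lines of a HijackThis log into dicts."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            entries.append({"kind": "O2", "name": m["name"], "clsid": m["clsid"],
                            "path": m["path"], "line": line})
            continue
        m = O20_RE.match(line)
        if m:
            entries.append({"kind": "O20", "name": m["name"], "path": m["path"], "line": line})
            continue
        m = O15_RE.match(line)
        if m:
            entries.append({"kind": "O15", "host": m["host"], "line": line})
    return entries


def basename_lower(path):
    """Case-folded file name of a Windows path (HJT mixes system32 and SYSTEM32)."""
    return path.rsplit("\\", 1)[-1].lower()


def find_vundo_dlls(entries):
    """DLLs that are both a nameless BHO (O2) and a Winlogon Notify handler (O20)."""
    bho = {basename_lower(e["path"]): e
           for e in entries if e["kind"] == "O2" and e["name"] == "(no name)"}
    notify = {basename_lower(e["path"]): e for e in entries if e["kind"] == "O20"}
    return {name: (bho[name], notify[name]) for name in sorted(bho.keys() & notify.keys())}


def vundofix_paths(dll_path):
    """The two paths the VundoFix step asks for: the DLL itself and the
    reversed-name companion with a wildcard extension (jkklm.dll -> mlkkj.*).
    Assumption: the reversal rule is generalised from the two paths in the post."""
    directory, filename = dll_path.rsplit("\\", 1)
    stem = filename.rsplit(".", 1)[0]
    return dll_path, f"{directory}\\{stem[::-1]}.*"


def triage(text):
    """Findings a helper would post back: each Vundo DLL with its VundoFix paths
    and the exact HJT lines to fix, plus Trusted Zone hosts worth reviewing."""
    entries = parse_hjt(text)
    report = {
        "vundo": [],
        "trusted_zones": [e["host"] for e in entries if e["kind"] == "O15"],
    }
    for name, (bho, notify) in find_vundo_dlls(entries).items():
        first, second = vundofix_paths(notify["path"])
        report["vundo"].append({
            "dll": name,
            "clsid": bho["clsid"],
            "vundofix_paths": [first, second],
            "hjt_fix": [bho["line"], notify["line"]],
        })
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for finding in result["vundo"]:
        print("Vundo DLL:", finding["dll"], finding["clsid"])
        print("VundoFix paths:", *finding["vundofix_paths"])
        print("Fix in HijackThis:", *finding["hjt_fix"], sep="\n  ")
    print("Trusted Zone hosts to review:", result["trusted_zones"])
```

Run against the sample log it reports jkklm.dll with the two paths from the post and the two HJT lines to check. A BHO that carries a proper name is deliberately not paired with an O20 entry, since the nameless BHO is part of the pattern the post relies on; a named BHO sharing a DLL with a Notify handler would need a separate look.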