  #1  
Old July 23rd, 2006, 01:46 AM
Rackers Rackers is offline
Senior Member
 
Join Date: Sep 2005
O/S: Windows XP Pro
Location: Adelaide, Australia
Posts: 170
Virus Invasion

Dear Cybertech,

I have been attacked by a Trojan Virus. The AVG software keeps displaying a box saying 'Virus Detected'. It names the Trojan as 'clicker.FR'. I have run Ad-aware, Spybot, Ewido and Shredder (this did delete something at least) all in an effort to remove it, but despite all of that, the virus remains and seems to have disabled all four in some way. A year or two ago Ann-Marie helped remove other malware that had infected my PC that included a toolbar that I was unable to remove. This toolbar has now also re-appeared in IE. Furthermore, a piece of software called 'Kill and Clean' seems to have appeared. I certainly did not deliberately load this.

I have included a HijackThis log and a Silent Runners log. I can see in the HJT log a number of suspicious items that probably need to be removed but I have left them there for the moment so that you, the experts, can assess the damage.

Thank you in anticipation of your help

HIJACKTHIS LOG ....

Logfile of HijackThis v1.99.1
Scan saved at 9:50:52, on 23/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PC World
R3 - URLSearchHook: (no name) - {F35F7E71-185F-7836-B73C-780D09EA6857} - AliceSD.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{D9C55909-9C1C-4E5C-BF80-7190B2BD574E}.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: SearchToolbar - {08BEC6AA-49FC-4379-3587-4B21E286C19E} - C:\WINDOWS\system32\{D9C55909-9C1C-4E5C-BF80-7190B2BD574E}.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [powerdll] borlandg.exe
O4 - HKLM\..\Run: [SysEntry] dialer423.exe
O4 - HKLM\..\Run: [liqda.exe] C:\WINDOWS\system32\liqda.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [KillAndClean] "C:\Program Files\KillAndClean\KillAndClean.exe"
O4 - HKCU\..\Run: [SysSupport] srbho.exe
O4 - HKCU\..\Run: [browsebar] iesetupdll.exe
O4 - HKCU\..\Run: [AppMasterCenter] _ctcp.exe
O8 - Extra context menu item: &Download using ReGet - C:\INTERNET\REGET\RG_Link.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &List for ReGet - C:\INTERNET\REGET\RG_List.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by Re&Get - C:\INTERNET\REGET\RG_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{11B345ED-B7F0-4568-82B9-DA1C7742DA12}: NameServer = 85.255.114.44,85.255.112.180
O17 - HKLM\System\CCS\Services\Tcpip\..\{638A4733-ACD2-4467-AC8C-A122A0EBD53A}: NameServer = 85.255.114.44,85.255.112.180
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.44 85.255.112.180
O17 - HKLM\System\CS1\Services\Tcpip\..\{11B345ED-B7F0-4568-82B9-DA1C7742DA12}: NameServer = 85.255.114.44,85.255.112.180
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.44 85.255.112.180
O17 - HKLM\System\CS2\Services\Tcpip\..\{11B345ED-B7F0-4568-82B9-DA1C7742DA12}: NameServer = 85.255.114.44,85.255.112.180
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.44 85.255.112.180
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\ewido anti-malware\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe


SILENT RUNNERS LOG ....

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"updateMgr" = ""C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1" ["Adobe Systems Incorporated"]
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"KillAndClean" = ""C:\Program Files\KillAndClean\KillAndClean.exe"" [file not found]
"SysSupport" = "srbho.exe" [file not found]
"browsebar" = "iesetupdll.exe" [file not found]
"AppMasterCenter" = "_ctcp.exe" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"powerdll" = "borlandg.exe" [file not found]
"SysEntry" = "dialer423.exe" [file not found]
"dmfhb.exe" = "C:\WINDOWS\system32\dmfhb.exe" [null data]
"liqda.exe" = "C:\WINDOWS\system32\liqda.exe" [null data]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{08BEC6AA-49FC-4379-3587-4B21E286C19E}\(Default) = "SearchToolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\{D9C55909-9C1C-4E5C-BF80-7190B2BD574E}.dll" [null data]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79300-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
"{E0D79301-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
"{E0D79302-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [empty string]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\ewido anti-malware\shellhook.dll" ["TODO: <Firmenname>"]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "MsgPlusLoader.dll" ["Patchou"]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
INFECTION WARNING! "System" = "csdou.exe" [null data]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\ewido anti-malware\context.dll" ["ewido networks"]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [empty string]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\ewido anti-malware\context.dll" ["ewido networks"]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [empty string]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]

Group Policies [Description] {enabled Group Policy setting}:
------------------------------------------------------------
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\
HIJACK WARNING! "NoBandCustomize"=dword:00000001
[disables toolbar status changes in Internet Explorer|View|Toolbars]
{User Configuration|Administrative Templates|Windows Components|
Internet Explorer|Toolbars|Disable customizing browser toolbars}

Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Eddi.024DC205C909463\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{08BEC6AA-49FC-4379-3587-4B21E286C19E}" = "SearchToolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\{D9C55909-9C1C-4E5C-BF80-7190B2BD574E}.dll" [null data]
HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{08BEC6AA-49FC-4379-3587-4B21E286C19E}" = "SearchToolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\{D9C55909-9C1C-4E5C-BF80-7190B2BD574E}.dll" [null data]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{08BEC6AA-49FC-4379-3587-4B21E286C19E}" = "SearchToolbar"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\{D9C55909-9C1C-4E5C-BF80-7190B2BD574E}.dll" [null data]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Program Files\ICQLite\ICQLite.exe" ["ICQ Ltd."]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points
------------------------------
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
Missing lines (compared with English-language version):
"{F35F7E71-185F-7836-B73C-780D09EA6857}" = "KeywordFinder"
-> {CLSID}\InProcServer32\(Default) = "AliceSD.dll" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\ewido anti-malware\ewidoctrl.exe" ["ewido networks"]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe -service" ["Zone Labs, LLC"]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 68 seconds, including 18 seconds for message boxes)
  #2  
Old July 23rd, 2006, 12:47 PM
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Hi again Rackers. Download the trial version of Ewido Security Suite from here to your Desktop and double-click on the executable to install it.

Launch Ewido (there should be an icon on your desktop; double-click it). The program will now go to the main screen. You will need to update ewido to the latest definition files.

On the left hand side of the main screen click update and then click on Start Update. The update will start and a progress bar will show the updates being installed. If you have problems with the updater, you can use this link to manually update ewido.
ewido manual updates http://www.ewido.net/en/download/updates/. Do not run a scan yet.

Next, please download FixWareout from here and save it to your Desktop. Double-click on Fixwareout.exe to extract the files and click Next and then Install. Make sure that "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. (NB, you must be online to run this fix).

You will be asked to reboot your computer, please do so. Your system may take longer than usual to load but this is normal.

When your system reboots, follow the prompts. Afterwards, HijackThis may launch. Just close it if it does.

When you have done this, boot into Safe Mode (see here for help if you need it).

Run Ewido now. Click Scanner, then click on the Scan tab. Click Complete System Scan to begin scanning. When the scan is complete click Recommended Action and change it to Quarantine. Then click Apply all actions. When the scan is finished, click the Save report button at the bottom of the screen. Save the report to your desktop and close Ewido.

Reboot and post a new Hijack This log, a new Silent Runners log and your Ewido report. Also post the contents of the logfile C:\fixwareout\report.txt.
  #3  
Old July 24th, 2006, 09:37 AM
Rackers Rackers is offline
Senior Member
 
Join Date: Sep 2005
O/S: Windows XP Pro
Location: Adelaide, Australia
Posts: 170
Step 1 !!

AnnMarie,
Great to have the help of an expert yet again!
I have completed the tasks you requested and attached the reports. I did notice that when I rebooted to run HJT etc, 'Fixwareout' wanted to run again. I chose not to and have included the first report you requested.

HIJACKTHIS log ...

Logfile of HijackThis v1.99.1
Scan saved at 17:46:58, on 24/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Advanced Browser\browser.exe
C:\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PC World
R3 - URLSearchHook: (no name) - {F35F7E71-185F-7836-B73C-780D09EA6857} - AliceSD.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [powerdll] borlandg.exe
O4 - HKLM\..\Run: [SysEntry] dialer423.exe
O4 - HKLM\..\Run: [zifbt.exe] C:\WINDOWS\system32\zifbt.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SysSupport] srbho.exe
O4 - HKCU\..\Run: [browsebar] iesetupdll.exe
O4 - HKCU\..\Run: [AppMasterCenter] _ctcp.exe
O8 - Extra context menu item: &Download using ReGet - C:\INTERNET\REGET\RG_Link.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &List for ReGet - C:\INTERNET\REGET\RG_List.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by Re&Get - C:\INTERNET\REGET\RG_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{638A4733-ACD2-4467-AC8C-A122A0EBD53A}: NameServer = 85.255.114.44,85.255.112.180
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.44 85.255.112.180
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.44 85.255.112.180
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.44 85.255.112.180
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

SILENT RUNNERS ..
"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"updateMgr" = ""C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1" ["Adobe Systems Incorporated"]
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
"SysSupport" = "srbho.exe" [file not found]
"browsebar" = "iesetupdll.exe" [file not found]
"AppMasterCenter" = "_ctcp.exe" [file not found]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"powerdll" = "borlandg.exe" [file not found]
"SysEntry" = "dialer423.exe" [file not found]
"zifbt.exe" = "C:\WINDOWS\system32\zifbt.exe" [file not found]
"!ewido" = ""C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized" ["Anti-Malware Development a.s."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79300-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
"{E0D79301-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
"{E0D79302-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [empty string]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "MsgPlusLoader.dll" ["Patchou"]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
"System" = (value not set)
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [empty string]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [empty string]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]

Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Eddi.024DC205C909463\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Program Files\ICQLite\ICQLite.exe" ["ICQ Ltd."]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Miscellaneous IE Hijack Points
------------------------------
HKCU\Software\Microsoft\Internet Explorer\URLSearchHooks\
Missing lines (compared with English-language version):
"{F35F7E71-185F-7836-B73C-780D09EA6857}" = "KeywordFinder"
-> {CLSID}\InProcServer32\(Default) = "AliceSD.dll" [file not found]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe -service" ["Zone Labs, LLC"]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 64 seconds, including 12 seconds for message boxes)
  #4  
Old July 24th, 2006, 09:40 AM
Rackers Rackers is offline
FIXWAREOUT LOG ...

Fixwareout ver 1.003
Last edited 07/1/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\eybmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\swen
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ogol
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eno
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\llun
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\eerht
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\ruof
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\evif
...
Microsoft (R) Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmbye.exe"=-
...
  #5  
Old July 24th, 2006, 09:41 AM
Rackers Rackers is offline
PLEASE NOTE, There WILL be LEGIT FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Example ipsec6.exe is legitimate

»»»»» Search by size and names...
C:\WINDOWS\SYSTEM32\IPSEC6.EXE

»»»»» Misc files
* thequicklink C:\WINDOWS\System32\{D9C55~1.DLL

»»»»» Checking for older varients covered by the Rem3 tool

»»»»»
Search five digit cs, dm and jb files
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSYXS.EXE 51,276 2006-07-22
C:\WINDOWS\SYSTEM32\DMBYE.EXE 61,966 2004-08-04
Other suspects
Directory of C:\WINDOWS\system32
{D9C55909-9C1C-4E5C-BF80-7190B2BD574E}.dll
  #6  
Old July 24th, 2006, 11:03 AM
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
You forgot to post your Ewido log. Never mind, I need you to run it again anyway so please make sure that it is updated.

Go here and download Pocket Killbox and unzip it but don't do anything else with it yet.

Close Internet Explorer and any open windows and run Hijack This again. Check the below entries and click on Fix Checked.

R3 - URLSearchHook: (no name) - {F35F7E71-185F-7836-B73C-780D09EA6857} - AliceSD.dll (file missing)

O4 - HKLM\..\Run: [powerdll] borlandg.exe

O4 - HKLM\..\Run: [SysEntry] dialer423.exe

O4 - HKLM\..\Run: [zifbt.exe] C:\WINDOWS\system32\zifbt.exe

O4 - HKCU\..\Run: [SysSupport] srbho.exe

O4 - HKCU\..\Run: [browsebar] iesetupdll.exe

O4 - HKCU\..\Run: [AppMasterCenter] _ctcp.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{638A4733-ACD2-4467-AC8C-A122A0EBD53A}: NameServer = 85.255.114.44,85.255.112.180

O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.44 85.255.112.180

O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.44 85.255.112.180

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.44 85.255.112.180

When you have done this, boot into Safe Mode and run Killbox now. Click on Options and make sure that Remove Directories is checked and Remove Duplicates is unchecked. Next select each of the below files (including filepath) with your mouse, rightclick and choose Copy. Insert your mouse pointer within the box entitled "Full Filepath of File to Delete", rightclick again and choose Paste. The file and full filepath should now appear in the box. Click on Delete on Reboot and click on the Red X Icon. You will get a message saying "File will be deleted on next reboot", click "Yes". "Process and Reboot now?" Click "Yes" to reboot only after you have entered all the files.

C:\WINDOWS\SYSTEM32\CSYXS.EXE
C:\WINDOWS\SYSTEM32\DMBYE.EXE

Boot back into Safe Mode again and run another scan with Ewido. Reboot when finished and please post a new Hijack This log, a new Silent Runners log and your Ewido log.
  #7  
Old July 25th, 2006, 03:26 AM
Rackers Rackers is offline
AnnMarie,

I performed all the tasks you suggested, however I am now having a great deal of trouble connecting to the Internet! I fear we may have deleted something. As a result I am currently unable to send you all the reports I have. I am writing this post from the office Internet Connection. Strangely, I tried to connect to the net from the laptop at home, however it seems to be suffering the same problem. Maybe it wasn't something we deleted. Could you check the items you wanted removed to see if we need to reinstall one of them so I can connect to the internet? Maybe the setup for connection has been altered somehow. Sorry. Everything seemed to be going so well.

Rackers
  #8  
July 25th, 2006, 06:28 AM
AnnMarie
Hi Rackers, the problem is probably caused by the Wareout infection that we removed.

Please go to Start -> Control Panel, and choose Network Connections. Rightclick on your default connection (usually Local Area Connection or Dial-up Connection if you are using Dial-up) and leftclick on Properties. Doubleclick on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically. Click OK twice, and restart your computer. Do the same on your laptop.
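
The O17 NameServer entries fixed earlier in this thread can be audited from a saved HijackThis log. This is an added example, not part of any post and not HijackThis code: it lists every statically set NameServer that is not among the resolvers you expect, and it also covers per-interface O17 lines. The expected resolver 192.168.1.1, the interface line with its placeholder GUID, and the Domain line are assumptions constructed for the example.

```python
"""Audit HijackThis O17 lines for statically configured DNS servers."""
import ipaddress
import re
from collections import defaultdict

# The three ...\Parameters lines are the ones quoted in the thread. The O4
# line is copied from the posted log; the interface line (placeholder GUID)
# and the Domain line are constructed for this example.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.44 85.255.112.180
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.44 85.255.112.180
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.44 85.255.112.180
O17 - HKLM\System\CCS\Services\Tcpip\..\{00000000-0000-0000-0000-000000000000}: NameServer = 192.168.1.1,not-an-ip
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = example.lan
"""

# "O17 - <registry key>: <value name> = <data>"
O17_RE = re.compile(r"^O17 - (?P<key>HKLM\\[^:]+): (?P<name>\w+) = (?P<value>.*)$")


def parse_o17(log_text):
    """Yield (registry_key, value_name, raw_value) for every O17 line."""
    for line in log_text.splitlines():
        m = O17_RE.match(line.strip())
        if m:
            yield m["key"], m["name"], m["value"].strip()


def scope_of(key):
    """'interface' for a per-adapter key ({GUID}), otherwise 'global'."""
    return "interface" if "{" in key else "global"


def audit_nameservers(log_text, expected):
    """Map each unexpected NameServer entry to the registry keys that set it.

    `expected` holds the resolver addresses the analyst considers legitimate
    (an assumption, for example the DHCP-assigned router). Tokens that are
    not valid IP addresses are reported under an 'unparseable:' label.
    """
    allowed = {ipaddress.ip_address(a) for a in expected}
    findings = defaultdict(list)
    for key, name, value in parse_o17(log_text):
        if name.lower() != "nameserver":
            continue  # Domain, SearchList, ... are out of scope here
        # HijackThis shows the raw registry data: space- or comma-separated.
        for token in re.split(r"[,\s]+", value):
            if not token:
                continue
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:
                findings[f"unparseable:{token}"].append(key)
                continue
            if addr not in allowed:
                findings[str(addr)].append(key)
    return dict(findings)


if __name__ == "__main__":
    for entry, keys in audit_nameservers(SAMPLE_LOG, {"192.168.1.1"}).items():
        for key in keys:
            print(f"{entry:24} {scope_of(key):9} {key}")
```

An address reported under CS1, CS2 and CCS at once is set in every control set the log covers, which is the pattern the three quoted lines show.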
  #9  
July 25th, 2006, 08:57 AM
Rackers
AnnMarie,
Ok, I have recovered my internet connection. Here are the reports from the last set of requests ..

HIJACKTHIS LOG ..

Logfile of HijackThis v1.99.1
Scan saved at 20:51:34, on 24/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by PC World
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Download using ReGet - C:\INTERNET\REGET\RG_Link.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &List for ReGet - C:\INTERNET\REGET\RG_List.htm
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download All by Re&Get - C:\INTERNET\REGET\RG_All.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: MsgPlusLoader.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe

SILENT RUNNERS ..

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ctfmon.exe" = "C:\WINDOWS\system32\ctfmon.exe" [MS]
"updateMgr" = ""C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1" ["Adobe Systems Incorporated"]
"msnmsgr" = ""C:\Program Files\MSN Messenger\msnmsgr.exe" /background" [MS]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Zone Labs Client" = ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"" ["Zone Labs, LLC"]
"AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
"SoundMan" = "SOUNDMAN.EXE" ["Realtek Semiconductor Corp."]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"!ewido" = ""C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized" ["Anti-Malware Development a.s."]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Spybot - Search & Destroy\SDHelper.dll" ["Safer Networking Limited"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\system32\hticons.dll" ["Hilgraeve, Inc."]
"{E0D79300-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
"{E0D79301-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
"{E0D79302-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
"{73B24247-042E-4EF5-ADC2-42F62E6FD654}" = "ICQ Lite Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [empty string]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\Office\OLKFSTUB.DLL" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "ewido anti-spyware 4.0"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\shellexecutehook.dll" ["Anti-Malware Development a.s."]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "MsgPlusLoader.dll" ["Patchou"]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
"System" = (value not set)
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [empty string]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido anti-spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido anti-spyware 4.0\context.dll" ["Anti-Malware Development a.s."]
ICQLiteMenu\(Default) = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ICQLite\ICQLiteShell.dll" [empty string]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
WinZip\(Default) = "{E0D79300-84BE-11CE-9641-444553540000}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WinZip\wzshlext.dll" [null data]

Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Eddi.024DC205C909463\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{B863453A-26C3-4E1F-A54D-A2CD196348E9}\
"ButtonText" = "ICQ Lite"
"MenuText" = "ICQ Lite"
"Exec" = "C:\Program Files\ICQLite\ICQLite.exe" ["ICQ Ltd."]
{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
AVG E-mail Scanner, AVGEMS, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
ewido anti-spyware 4.0 guard, ewido anti-spyware 4.0 guard, "C:\Program Files\ewido anti-spyware 4.0\guard.exe" ["Anti-Malware Development a.s."]
TrueVector Internet Monitor, vsmon, "C:\WINDOWS\SYSTEM32\ZONELABS\vsmon.exe -service" ["Zone Labs, LLC"]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
use the -supp parameter or answer "No" at the first message box.
---------- (total run time: 67 seconds, including 5 seconds for message boxes)
  #10  
July 25th, 2006, 09:00 AM
Rackers
Part2

EWIDO Report No1 .. (the one I failed to send with the first set of reports)

ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 5:40:17 PM 24/07/2006
+ Scan result:

Reply With Quote
  #11  
Old July 25th, 2006, 09:01 AM
Rackers Rackers is offline
Senior Member
 
Join Date: Sep 2005
O/S: Windows XP Pro
Location: Adelaide, Australia
Posts: 170
Part2 continued!

::Report end

EWIDO Report No2..
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------
+ Created at: 8:45:51 PM 24/07/2006
+ Scan result:

:mozilla.139:C:\Documents and Settings\Eddi.024DC205C909463\Application Data\Phoenix\Profiles\default\hmuz22bh.slt\cookies.txt -> TrackingCookie.Web-stat : No action taken.
:mozilla.140:C:\Documents and Settings\Eddi.024DC205C909463\Application Data\Phoenix\Profiles\default\hmuz22bh.slt\cookies.txt -> TrackingCookie.Web-stat : No action taken.
:mozilla.141:C:\Documents and Settings\Eddi.024DC205C909463\Application Data\Phoenix\Profiles\default\hmuz22bh.slt\cookies.txt -> TrackingCookie.Web-stat : No action taken.

::Report end
Reply With Quote
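The two Ewido reports in the post above share one line layout per finding: an optional `:store:` prefix, the path, ` -> `, the detection name, ` : `, and the action taken. As an added example (not part of the original post and not Ewido's own code), this Python sketch parses that layout and shows which findings from a first scan are still present in a follow-up scan. The sample lines, paths and the placeholder GUID are constructed.

```python
import re
from collections import Counter

# Layout seen in the reports: [:store:]<path> -> <Detection.Name> : <action>.
# The path itself contains colons (C:\...), so split on " -> " and " : ".
LINE = re.compile(
    r"^(?::(?P<store>[\w.]+):)?(?P<path>.+?) -> (?P<name>\S+) : (?P<action>.+?)\.?$"
)

def parse_report(text):
    """Return one dict per finding; header and '::Report end' lines are skipped."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]

def _key(f):
    # Windows paths are case-insensitive, so compare them lowercased.
    return (f["store"], f["path"].lower(), f["name"])

def persisting(before, after):
    """Findings in the follow-up scan that the earlier scan had already reported."""
    seen = {_key(f) for f in before}
    return [f for f in after if _key(f) in seen]

def unremediated(findings):
    """Findings the scanner reported but did not act on."""
    return [f for f in findings if f["action"].lower().startswith("no action")]

def by_category(findings):
    """Count findings by the first component of the detection name."""
    return Counter(f["name"].split(".", 1)[0] for f in findings)

# Constructed sample input (placeholder GUID and user profile).
SCAN_1 = r"""
C:\WINDOWS\SYSTEM32\{00000000-0000-0000-0000-000000000001}.exe -> Adware.FindSpy : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\example1.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
:mozilla.139:C:\Documents and Settings\user\Application Data\Phoenix\Profiles\default\xxxxxxxx.slt\cookies.txt -> TrackingCookie.Web-stat : Cleaned with backup (quarantined).
::Report end
"""
SCAN_2 = r"""
+ Created at: 8:45:51 PM 24/07/2006
+ Scan result:
:mozilla.139:C:\Documents and Settings\user\Application Data\Phoenix\Profiles\default\xxxxxxxx.slt\cookies.txt -> TrackingCookie.Web-stat : No action taken.
::Report end
"""

if __name__ == "__main__":
    first, second = parse_report(SCAN_1), parse_report(SCAN_2)
    print(dict(by_category(first)))
    for f in persisting(first, second):
        print("still present:", f["store"], f["name"], "-", f["action"])
```

A finding that was quarantined in the first scan and shows up again in the second points at something re-creating it, or at a store the scanner could not write to while it was in use.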
  #12  
Old July 25th, 2006, 09:14 AM
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Great and looking much better. Just to be sure that we got it all, go here and download ATF cleaner. Use it to remove all Temp Files, Cookies and Temp Internet Files, Java Cache and any others that you would like to remove. If you also use Opera or Firefox, also click on the cleaning options for each browser.

When you have done this, please go here and run the Panda scanner and post back the report. It can take quite a while to complete so please be patient.
Reply With Quote
  #13  
Old July 26th, 2006, 09:40 PM
Rackers Rackers is offline
Senior Member
 
Join Date: Sep 2005
O/S: Windows XP Pro
Location: Adelaide, Australia
Posts: 170
Panda Report .. at last

Sorry about the delay.


PANDA REPORT ..

Incident | Status | Location
Adware:adware/cws | Not disinfected | c:\documents and settings\all users.windows\favorites\Stop PopUps On Your Computer.url
Adware:adware/navhelper | Not disinfected | c:\program files\NavExcel
Potentially unwanted tool:application/kill&clean | Not disinfected | HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-2734-477F-8257-27CD04F88779}
Potentially unwanted tool:Application/Kill&Clean | Not disinfected | C:\WINDOWS\SYSTEM32\{B07D63EF-89CA-48CC-9E69-14FFF8B7CA38}.exe[KillAndClean.exe]
Potentially unwanted tool:Application/Kill&Clean | Not disinfected | C:\WINDOWS\SYSTEM32\{B07D63EF-89CA-48CC-9E69-14FFF8B7CA38}.exe[KillAndCleanUpdate.exe]
Spyware:Cookie/Tribalfusion | Not disinfected | C:\Documents and Settings\Eddi.024DC205C909463\Cookies\eddi@tribalfusion[1].txt
Spyware:Cookie/Com.com | Not disinfected | C:\Documents and Settings\Eddi.024DC205C909463\Cookies\eddi@ad.sensismediasmart.com[2].txt
Spyware:Cookie/Com.com | Not disinfected | C:\Documents and Settings\Eddi.024DC205C909463\Cookies\eddi@ad.sensismediasmart.com[1].txt
Reply With Quote
  #14  
Old July 27th, 2006, 01:47 AM
AnnMarie AnnMarie is offline
CTH Subscriber
 
Join Date: Oct 2001
O/S: Windows Vista 32-bit
Location: New Zealand
Posts: 59,810
Go here and download Pocket Killbox and unzip it but don't do anything else with it yet.

When you have done this, boot into Safe Mode again and run Killbox now. Click on Options and make sure that Remove Directories is checked and Remove Duplicates is unchecked. Next select each of the below files (including filepath) with your mouse, right-click and choose Copy. Insert your mouse pointer within the box entitled "Full Filepath of File to Delete", right-click again and choose Paste. The file and full filepath should now appear in the box. Click on Delete on Reboot and click on the Red X Icon. You will get a message saying "File will be deleted on next reboot, click "Yes". Process and Reboot now?" Click "Yes" to reboot only after you have entered all the files.

c:\documents and settings\all users.windows\favorites\Stop PopUps On Your Computer.url
c:\program files\NavExcel
C:\WINDOWS\SYSTEM32\{B07D63EF-89CA-48CC-9E69-14FFF8B7CA38}.exe

When you have rebooted, if you have no further problems, you are good to go.
Reply With Quote
  #15  
Old July 27th, 2006, 02:14 AM
Rackers Rackers is offline
Senior Member
 
Join Date: Sep 2005
O/S: Windows XP Pro
Location: Adelaide, Australia
Posts: 170
Before I Start ..

AnnMarie,

Before I complete your instructions, I have a question. The 'Kill and Clean' references in that last report worry me a bit. This is not software I have deliberately loaded myself, so I am suspicious of it. Can I include any of the references to it in the 'Killbox' instructions as well? Thanks
Reply With Quote