55 replies to this topic

[Siggyx]

Click here to run ActiveScan.

• Once you are on the Panda site click the Scan your PC button
• A new window will open...click the Check Now button
• Enter your Country
• Enter your State/Province
• Enter your e-mail address and click send
• Select either Home User or Company
• Click the big Scan Now button
• If it wants to install an ActiveX component allow it
• It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
• When download is complete, click on My Computer to start the scan
• When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Paste the contents of the Panda scan report along with a new HijackThis Log in your next reply.

[Michigan Czar]

I keep trying without success, it has 26 spyware and 1 hacking tool and everytime it gets halfway done I get an IE error and it stops. I will keep trying to run Panda unless I hear from you to do something else.

[Michigan Czar]

Of course it works the next time after I post that message, here is the log and the Panda report.

Logfile of HijackThis v1.99.1
Scan saved at 6:32:26 PM, on 5/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Directory 10 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dial
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: ["C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NI.UWA6P_0001_N73M1004] "C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H7HM4MUB\WinAntiVirusPro2006FreeInstall[1].exe" -nag
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://viewers.strea...MINIBrowser.CAB
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Userinit Logon Verification (UsrInitVerif) - Unknown owner - C:\WINDOWS\userinit.exe (file missing)

Incident Status Location

Adware:adware/commad Not disinfected c:\windows\system32\atmtd.dll
Adware:adware/dollarrevenue Not disinfected c:\drsmartload1.exe
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Rhonda\Local Settings\Temporary Internet Files\Ssk.log
Adware:adware/pacimedia Not disinfected C:\Documents and Settings\Rhonda\Desktop\Click to Find and Fix Errors.url
Spyware:spyware/new.net Not disinfected c:\windows\NDNuninstall7_22.exe
Potentially unwanted tool:application/winantivirus2006 Not disinfected hkey_local_machine\software\WinAntiVirus Pro 2006
Adware:adware/sqwire Not disinfected Windows Registry
Adware:Adware/CommAd Not disinfected C:\!KillBox\Content\G9RFSTNK\installer[1].exe
Adware:Adware/ISearch Not disinfected C:\!KillBox\Content\H7HM4MUB\MTE3NDI6ODoxNg[1].exe
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\LocalService\Cookies\system@ad.yieldmanager[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\LocalService\Cookies\system@atdmt[2].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\LocalService\Cookies\system@c.goclick[2].txt
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\87U3C56P\Installer[1].exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Rhonda\Cookies\rhonda@2o7[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Rhonda\Cookies\rhonda@atwola[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Rhonda\Cookies\rhonda@questionmarket[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Rhonda\Cookies\rhonda@tribalfusion[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Rhonda\Cookies\rhonda@zedo[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Rhonda\Local Settings\Temp\Cookies\rhonda@2o7[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Rhonda\Local Settings\Temp\Cookies\rhonda@888[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\Rhonda\Local Settings\Temp\Cookies\rhonda@888[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Rhonda\Local Settings\Temp\Cookies\rhonda@atwola[1].txt
Spyware:Cookie/Cassava Not disinfected C:\Documents and Settings\Rhonda\Local Settings\Temp\Cookies\rhonda@cassava[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Rhonda\Local Settings\Temp\Cookies\rhonda@fastclick[2].txt
Spyware:Cookie/Kmpads Not disinfected C:\Documents and Settings\Rhonda\Local Settings\Temp\Cookies\rhonda@kmpads[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Rhonda\Local Settings\Temp\Cookies\rhonda@media.fastclick[1].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Rhonda\Local Settings\Temp\Cookies\rhonda@statcounter[1].txt

[Siggyx]

Please download Look2Me-Destroyer.exe to your desktop.

• Close all windows before continuing.
  
• Double-click Look2Me-Destroyer.exe to run it.
  
• Put a check next to Run this program as a task .
  
• You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  
• When Look2Me-Destroyer re-opens, click the Scan for L2M button , your desktop icons will disappear, this is normal.
  
• Once it's done scanning, click the Remove L2M button .
  
• You will receive a Done Scanning message, click OK .
  
• When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK .
  
• Your computer will then shutdown.
  
• Turn your computer back on.
  
• Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339'. please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32. Directory
http://www.ascentive...ib/MSWINSCK.OCX

[Michigan Czar]

Here are the logs. It doesn't appear it found anything.

Logfile of HijackThis v1.99.1
Scan saved at 7:45:51 AM, on 5/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Directory 11 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dial
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: ["C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NI.UWA6P_0001_N73M1004] "C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H7HM4MUB\WinAntiVirusPro2006FreeInstall[1].exe" -nag
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://viewers.strea...MINIBrowser.CAB
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Userinit Logon Verification (UsrInitVerif) - Unknown owner - C:\WINDOWS\userinit.exe (file missing)

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 5/26/2006 7:35:15 AM


Attempting to delete infected files...

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

[Siggyx]

Download TheKillbox from here http://www.downloads...org/KillBox.zip Save to your Desktop and double click it to open it up. In the 'Enter Full Path and Filename to Delete' box, copy and paste these entries one by one, clicking 'Find and Kill This File' after each one:

c:\windows\system32\atmtd.dll
c:\drsmartload1.exe
C:\Documents and Settings\Rhonda\Local Settings\Temporary Internet Files\Ssk.log
C:\Documents and Settings\Rhonda\Desktop\Click to Find and Fix Errors.url
c:\windows\NDNuninstall7_22.exe

Then reboot and a new log please.

[Michigan Czar]

Okay, all those files were deleted. Here is a new log. Thanks again for all the help.

Logfile of HijackThis v1.99.1
Scan saved at 10:19:48 AM, on 5/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Directory 12 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dial
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: ["C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NI.UWA6P_0001_N73M1004] "C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H7HM4MUB\WinAntiVirusPro2006FreeInstall[1].exe" -nag
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://viewers.strea...MINIBrowser.CAB
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Userinit Logon Verification (UsrInitVerif) - Unknown owner - C:\WINDOWS\userinit.exe (file missing)

[Siggyx]

Download http://swandog46.gee...com/avenger.zip by Swandog46, and save it to your Desktop. Extract avenger.exe from the Zip file and save it to your desktop

Run avenger.exe by double-clicking on it.
Check the 'Input script manually' box.
Click on the magnifying glass icon.
Copy everything in the code box below (don't copy the word "CODE in the box header, just the box contents starting at Files to delete) and paste it in the box that opens:

WARNING: This script is not a general fix. If you are not this user, running this script could damage your system

Files to delete:
C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H7HM4MUB\WinAntiVirusPro2006FreeInstall[1].exe

Now click the 'Done' button.
Click on the traffic light icon and OK the prompt.
You will be prompted to restart, OK the prompt and your PC should reboot, if not, reboot it manually.

Please post a new HijackThis log and the log file from Avenger at C:\avenger.txt

[Michigan Czar]

Here you go.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\wtsimvki

*******************

Script file located at: \??\C:\WINDOWS\dlvjsitm.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open file C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H7HM4MUB\WinAntiVirusPro2006FreeInstall[1].exe for deletion
Deletion of file C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H7HM4MUB\WinAntiVirusPro2006FreeInstall[1].exe failed!

Could not process line:
C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H7HM4MUB\WinAntiVirusPro2006FreeInstall[1].exe
Status: 0xc000003a


Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 9:55:48 PM, on 5/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Directory 13 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dial
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: ["C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NI.UWA6P_0001_N73M1004] "C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H7HM4MUB\WinAntiVirusPro2006FreeInstall[1].exe" -nag
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://viewers.strea...MINIBrowser.CAB
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Userinit Logon Verification (UsrInitVerif) - Unknown owner - C:\WINDOWS\userinit.exe (file missing)

[Siggyx]

Try anvenger again with this

Folders to delete:
C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H7HM4MUB

Then a new hijackthis ;og please.

[Michigan Czar]

This file is a real pain to try and get rid of!

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\itsarmcr

*******************

Script file located at: \??\C:\WINDOWS\tfapoecx.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Could not open folder C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H7HM4MUB for deletion
Deletion of folder C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H7HM4MUB failed!

Could not process line:
C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H7HM4MUB
Status: 0xc000003a


Completed script processing.

*******************

Finished! Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 8:33:59 AM, on 5/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Directory 14 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dial
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: ["C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NI.UWA6P_0001_N73M1004] "C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H7HM4MUB\WinAntiVirusPro2006FreeInstall[1].exe" -nag
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://viewers.strea...MINIBrowser.CAB
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Userinit Logon Verification (UsrInitVerif) - Unknown owner - C:\WINDOWS\userinit.exe (file missing)

[Michigan Czar]

I am not sure if this helps but virus scan just found this; hpconf.pif sysload.pif iN FOLDER C: detected as dollar revenue, trojan, deleted, in explorer.exe

[Siggyx]

Go to Start - Control Panel - Add-Remove Programs
Remove the following if found or any variation:

WinAntiVirus Pro

NEXT

Download CleanUp! http://cleanup.stevengould.org/ and install it. Don't run it yet.

NEXT

Using killbox remove this file

C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H7HM4MUB\WinAntiVirusPro2006FreeInstall[1].exe

NEXT

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"NI.UWA6P_0001_N73M1004"=-

Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

If you get a PendingOperations message, just close it and restart your computer manually.

NEXT

Restart your computer and boot into Safe Mode

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Now open Ewido and do a scan on your system.

* Click on scanner.
* Click on 'Complete System Scan' and the scan will begin.
* While the scan is in progress you will be prompted to clean the first infected file it finds. Choose 'Remove', then put a check next to 'Perform action on all infections' in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.
Exit Ewido when it's done.
* Once the scan has completed, there will be a button located on the bottom of the screen named 'Save report'.
* Click 'Save report'.
* Save the report to your desktop.

Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you check the last one:

O4 - HKLM\..\Run: [NI.UWA6P_0001_N73M1004] "C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H7HM4MUB\WinAntiVirusPro2006FreeInstall[1].exe" -nag

Restart your computer to get back to Normal Mode. Post the Ewido report and a new HijackThis log here.

Edited by Siggyx, 29 May 2006 - 12:31 PM.

[Michigan Czar]

Here you go.

Logfile of HijackThis v1.99.1
Scan saved at 3:21:48 PM, on 5/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\a-squared\a2guard.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\NETWOR~1\COMMON~1\naPrdMgr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Directory 2 for hijackthis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dial
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dial
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: ["C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NI.UWA6P_0001_N73M1004] "C:\DOCUME~1\Rhonda\LOCALS~1\Temp\Temporary Internet Files\Content.IE5\H7HM4MUB\WinAntiVirusPro2006FreeInstall[1].exe" -nag
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [a-squared] "C:\Program Files\a-squared\a2guard.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C432C4BD-3566-411C-8F3C-E5E0D3AE5D33} (CBrowser Class) - http://viewers.strea...MINIBrowser.CAB
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: Userinit Logon Verification (UsrInitVerif) - Unknown owner - C:\WINDOWS\userinit.exe (file missing)

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:14:01 PM, 5/29/2006
+ Report-Checksum: F840787F

+ Scan result:

HKLM\SOFTWARE\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKLM\SOFTWARE\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
HKU\.DEFAULT\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKU\.DEFAULT\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-21-1417001333-1993962763-842925246-1003\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-21-1417001333-1993962763-842925246-1003\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-18\Software\SurfSideKick3 -> Adware.SurfSide : Cleaned with backup
HKU\S-1-5-18\Software\SurfSideKick3\Internet Explorer -> Adware.SurfSide : Cleaned with backup
C:\!KillBox\Content\H7HM4MUB\MTE3NDI6ODoxNg[1].exe -> Downloader.Small.buy : Cleaned with backup
C:\!KillBox\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\Installer.exe -> Adware.Look2Me : Cleaned with backup
C:\WINDOWS\MTE3NDI6ODoxNg.exe -> Downloader.Small.buy : Cleaned with backup


::Report End

[Siggyx]

Do you have ewido guard running?