Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account

Please Help! [resolved]

Started by Guest_Johanna_* , Mar 03 2005 01:31 PM

  • This topic is locked This topic is locked

#1
Guest_Johanna_*
Posted 03 March 2005 - 01:31 PM

Guest_Johanna_*
  • Guest
Hi - This is my first posting here so please bear with me if I do anything wrong. I am trying to rid my co-worker's computer of the Elite toolbar. This is the (seemingly) last remaining malware problem after removal of CWS, VX2, among others. I booted into safe mode and tried to remove the elite program using add/remove programs, but to no avail. I think the [antiware] .exe file that shows up in HJT is part of the probelm. I have tried to fix using HJT and Ad-Aware, but it keeps coming back. Can anybody help? I would be so grateful for any advice or instructions you might be able to give. Thanks!!

Logfile of HijackThis v1.99.1
Scan saved at 1:16:11 PM, on 3/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$VISTAVISION\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\winupdt.exe
C:\windows\system32\msnavc32.exe
C:\WINDOWS\system32\ati2dvag.exe
C:\WINDOWS\system\qqchcmrw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\system32\sysmonnt.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HJT\HijackThis.exe

O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdt.exe
O4 - HKLM\..\Run: [App32dll] C:\windows\system32\msnavc32.exe lee0105
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [5881ac371b9b] C:\WINDOWS\system32\ati2dvag.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [antiware] C:\windows\system32\elitejko32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\system32\sysmonnt
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

Advertisements

#2
Dragon
Posted 03 March 2005 - 02:45 PM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
well, I hate to say this but you did not kill VX2.

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
  • 0

#3
Guest_Johanna_*
Posted 03 March 2005 - 04:26 PM

Guest_Johanna_*
  • Guest
Hi - Thanks so much for helping me out. Here is the l2mfix log:
BTW, I found and ran an EliteTool killer program and [antiware]....elitejko.exe is not showing up in HJT anymore. But who knows - I thought VX2 was gone and surprise! It's back. I can't thank you enough for responding!

L2MFIX find log 1.02b
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FF448F1C-69AD-4096-B946-FD94935A37DD}"=""
"iebar"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{DEE12703-6333-4D4E-8F34-738C4DCC2E04}"="RecordNow! SendToExt"
"{5CA3D70E-1895-11CF-8E15-001234567890}"="DriveLetterAccess"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{69971A88-BE4F-430C-A046-CD9433C489B4}"=""
"{8217E7AD-2ACC-46CD-9932-E276F226B8B4}"=""
"{6145838F-0075-4763-BFE2-A0F60045A47B}"=""

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{69971A88-BE4F-430C-A046-CD9433C489B4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{69971A88-BE4F-430C-A046-CD9433C489B4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{69971A88-BE4F-430C-A046-CD9433C489B4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{8217E7AD-2ACC-46CD-9932-E276F226B8B4}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8217E7AD-2ACC-46CD-9932-E276F226B8B4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{8217E7AD-2ACC-46CD-9932-E276F226B8B4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{6145838F-0075-4763-BFE2-A0F60045A47B}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6145838F-0075-4763-BFE2-A0F60045A47B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{6145838F-0075-4763-BFE2-A0F60045A47B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
agtapi.dll Wed Mar 2 2005 4:34:58p A.... 232,241 226.80 K
akcore.dll Fri Feb 25 2005 12:33:14p A.... 188,416 184.00 K
aklsp.dll Fri Feb 25 2005 12:33:16p A.... 196,608 192.00 K
akrules.dll Fri Feb 25 2005 12:33:14p A.... 110,592 108.00 K
akupd.dll Fri Feb 25 2005 12:33:06p A.... 155,648 152.00 K
asi2cqag.dll Wed Mar 2 2005 4:13:10p A.... 230,470 225.07 K
aunbho.dll Mon Feb 28 2005 9:46:02a A.... 43,496 42.48 K
aunps.dll Mon Feb 28 2005 9:46:02a A.... 25,600 25.00 K
azauli~1.dll Wed Mar 2 2005 4:19:22p ..S.R 229,337 223.96 K
browseui.dll Thu Jan 27 2005 11:13:16a A.... 1,016,832 993.00 K
cdfview.dll Thu Jan 27 2005 11:13:16a A.... 151,040 147.50 K
ckwflt32.dll Tue Mar 1 2005 10:31:22a ..S.R 228,810 223.45 K
czintf~1.dll Wed Mar 2 2005 9:46:18a ..S.R 230,123 224.73 K
dn2401~1.dll Wed Mar 2 2005 9:34:32a ..S.R 230,123 224.73 K
docore.dll Fri Feb 25 2005 1:35:14p A.... 151,552 148.00 K
dosync.dll Mon Feb 28 2005 12:41:14p A.... 114,688 112.00 K
dumio.dll Mon Feb 28 2005 10:44:04a A.... 99,840 97.50 K
enpsl1~1.dll Wed Mar 2 2005 4:13:10p ..S.R 232,241 226.80 K
f6l02g~1.dll Wed Mar 2 2005 4:18:14p ..S.R 229,218 223.84 K
fn2021~1.dll Wed Mar 2 2005 2:53:26p ..S.R 230,358 224.96 K
fpns03~1.dll Wed Mar 2 2005 10:58:18a ..... 230,123 224.73 K
g4jo0e~1.dll Wed Mar 2 2005 8:04:46a ..S.R 229,124 223.75 K
i8jqli~1.dll Wed Mar 2 2005 9:31:20a ..S.R 228,810 223.45 K
iepeers.dll Thu Jan 27 2005 11:13:16a A.... 249,856 244.00 K
inseng.dll Thu Jan 27 2005 11:13:16a A.... 96,256 94.00 K
j02q0a~1.dll Wed Mar 2 2005 4:34:58p ..S.R 228,460 223.11 K
kt84l7~1.dll Wed Mar 2 2005 8:25:28a ..S.R 230,297 224.90 K
mshtml.dll Thu Jan 27 2005 11:13:18a A.... 3,006,976 2.87 M
ole32.dll Fri Jan 14 2005 2:55:50a A.... 1,285,120 1.22 M
olecli32.dll Fri Jan 14 2005 2:55:50a A.... 74,752 73.00 K
olecnv32.dll Fri Jan 14 2005 2:55:50a A.... 37,888 37.00 K
pndx5016.dll Tue Jan 4 2005 8:06:46a A.... 6,656 6.50 K
pndx5032.dll Tue Jan 4 2005 8:06:46a A.... 5,632 5.50 K
q8nuli~1.dll Wed Mar 2 2005 4:03:32p ..S.R 230,123 224.73 K
qaery.dll Wed Mar 2 2005 4:18:14p A.... 232,241 226.80 K
rmoc3260.dll Tue Jan 4 2005 8:07:14a A.... 176,167 172.04 K
rpcss.dll Fri Jan 14 2005 2:55:50a A.... 395,776 386.50 K
s32evnt1.dll Mon Dec 20 2004 6:58:18p A.... 83,664 81.70 K
shdocvw.dll Thu Jan 27 2005 11:13:18a A.... 1,483,264 1.41 M
shell32.dll Tue Dec 21 2004 2:49:36p A.... 8,450,048 8.06 M
shlwapi.dll Thu Jan 27 2005 11:13:18a A.... 473,600 462.50 K
sivsvc.dll Wed Mar 2 2005 4:11:44p A.... 230,470 225.07 K
spnsapi.dll Wed Mar 2 2005 9:58:44a ..S.R 230,123 224.73 K
sporder.dll Fri Feb 25 2005 12:33:14p A.... 8,464 8.27 K
srvsvc.dll Tue Dec 7 2004 1:32:34p A.... 96,768 94.50 K
symneti.dll Fri Jan 21 2005 10:31:54p A.... 513,752 501.71 K
symredir.dll Fri Jan 21 2005 10:31:52p A.... 141,016 137.71 K
ump10.dll Wed Mar 2 2005 4:19:22p A.... 232,241 226.80 K
urlmon.dll Thu Jan 27 2005 11:13:18a A.... 607,744 593.50 K
wininet.dll Thu Jan 27 2005 11:13:18a A.... 656,896 641.50 K

50 items found: 50 files (13 H/S), 0 directories.
Total of file sizes: 24,479,540 bytes 23.34 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is BCFA-C883

Directory of C:\WINDOWS\System32

03/02/2005 04:34 PM 228,460 j02q0af5ed2.dll
03/02/2005 04:19 PM 229,337 azauli5918.dll
03/02/2005 04:18 PM 229,218 f6l02g3mg6.dll
03/02/2005 04:13 PM 232,241 enpsl1771.dll
03/02/2005 04:03 PM 230,123 q8nuli5918.dll
03/02/2005 02:53 PM 230,358 fn2021fmg.dll
03/02/2005 09:58 AM 230,123 spnsapi.dll
03/02/2005 09:46 AM 230,123 czintf210.dll
03/02/2005 09:34 AM 230,123 dn2401fqe.dll
03/02/2005 09:31 AM 228,810 i8jqli1518.dll
03/02/2005 08:25 AM 230,297 kt84l7lq1.dll
03/02/2005 08:04 AM 229,124 g4jo0e13eh.dll
03/01/2005 10:31 AM 228,810 CKWFLT32.DLL
01/31/2005 04:28 PM <DIR> DLLCACHE
06/14/2004 07:58 PM <DIR> Microsoft
13 File(s) 2,987,147 bytes
2 Dir(s) 28,866,416,640 bytes free
  • 0

#4
Dragon
Posted 03 March 2005 - 04:27 PM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left. :tazz:

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
  • 0

#5
Guest_Johanna_*
Posted 03 March 2005 - 04:42 PM

Guest_Johanna_*
  • Guest
Okay - First is the l2m and last but not least HJT

L2Mfix 1.02b

Running From:
C:\Documents and Settings\Mike Love\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\Mike Love\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Mike Love\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 128 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\AGTAPI.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\asi2cqag.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\azauli5918.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\CKWFLT32.DLL
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\czintf210.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dn2401fqe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\enpsl1771.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\f6l02g3mg6.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fn2021fmg.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\fpns0357e.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\g4jo0e13eh.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\i8jqli1518.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\j02q0af5ed2.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\kt84l7lq1.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\q8nuli5918.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\qaery.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\sivsvc.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\spnsapi.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\ump10.dll
1 file(s) copied.
deleting: C:\WINDOWS\system32\AGTAPI.DLL
Successfully Deleted: C:\WINDOWS\system32\AGTAPI.DLL
deleting: C:\WINDOWS\system32\asi2cqag.dll
Successfully Deleted: C:\WINDOWS\system32\asi2cqag.dll
deleting: C:\WINDOWS\system32\azauli5918.dll
Successfully Deleted: C:\WINDOWS\system32\azauli5918.dll
deleting: C:\WINDOWS\system32\CKWFLT32.DLL
Successfully Deleted: C:\WINDOWS\system32\CKWFLT32.DLL
deleting: C:\WINDOWS\system32\czintf210.dll
Successfully Deleted: C:\WINDOWS\system32\czintf210.dll
deleting: C:\WINDOWS\system32\dn2401fqe.dll
Successfully Deleted: C:\WINDOWS\system32\dn2401fqe.dll
deleting: C:\WINDOWS\system32\enpsl1771.dll
Successfully Deleted: C:\WINDOWS\system32\enpsl1771.dll
deleting: C:\WINDOWS\system32\f6l02g3mg6.dll
Successfully Deleted: C:\WINDOWS\system32\f6l02g3mg6.dll
deleting: C:\WINDOWS\system32\fn2021fmg.dll
Successfully Deleted: C:\WINDOWS\system32\fn2021fmg.dll
deleting: C:\WINDOWS\system32\fpns0357e.dll
Successfully Deleted: C:\WINDOWS\system32\fpns0357e.dll
deleting: C:\WINDOWS\system32\g4jo0e13eh.dll
Successfully Deleted: C:\WINDOWS\system32\g4jo0e13eh.dll
deleting: C:\WINDOWS\system32\i8jqli1518.dll
Successfully Deleted: C:\WINDOWS\system32\i8jqli1518.dll
deleting: C:\WINDOWS\system32\j02q0af5ed2.dll
Successfully Deleted: C:\WINDOWS\system32\j02q0af5ed2.dll
deleting: C:\WINDOWS\system32\kt84l7lq1.dll
Successfully Deleted: C:\WINDOWS\system32\kt84l7lq1.dll
deleting: C:\WINDOWS\system32\q8nuli5918.dll
Successfully Deleted: C:\WINDOWS\system32\q8nuli5918.dll
deleting: C:\WINDOWS\system32\qaery.dll
Successfully Deleted: C:\WINDOWS\system32\qaery.dll
deleting: C:\WINDOWS\system32\sivsvc.dll
Successfully Deleted: C:\WINDOWS\system32\sivsvc.dll
deleting: C:\WINDOWS\system32\spnsapi.dll
Successfully Deleted: C:\WINDOWS\system32\spnsapi.dll
deleting: C:\WINDOWS\system32\ump10.dll
Successfully Deleted: C:\WINDOWS\system32\ump10.dll

Desktop.ini sucessfully removed

Zipping up files for submission:
adding: AGTAPI.DLL (164 bytes security) (deflated 6%)
adding: asi2cqag.dll (164 bytes security) (deflated 5%)
adding: azauli5918.dll (164 bytes security) (deflated 5%)
adding: CKWFLT32.DLL (164 bytes security) (deflated 4%)
adding: czintf210.dll (164 bytes security) (deflated 5%)
adding: dn2401fqe.dll (164 bytes security) (deflated 5%)
adding: enpsl1771.dll (164 bytes security) (deflated 6%)
adding: f6l02g3mg6.dll (164 bytes security) (deflated 5%)
adding: fn2021fmg.dll (164 bytes security) (deflated 5%)
adding: fpns0357e.dll (164 bytes security) (deflated 5%)
adding: g4jo0e13eh.dll (164 bytes security) (deflated 5%)
adding: i8jqli1518.dll (164 bytes security) (deflated 4%)
adding: j02q0af5ed2.dll (164 bytes security) (deflated 4%)
adding: kt84l7lq1.dll (164 bytes security) (deflated 5%)
adding: q8nuli5918.dll (164 bytes security) (deflated 5%)
adding: qaery.dll (164 bytes security) (deflated 6%)
adding: sivsvc.dll (164 bytes security) (deflated 5%)
adding: spnsapi.dll (164 bytes security) (deflated 5%)
adding: ump10.dll (164 bytes security) (deflated 6%)
adding: clear.reg (164 bytes security) (deflated 46%)
adding: echo.reg (164 bytes security) (deflated 9%)
adding: desktop.ini (164 bytes security) (deflated 14%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 82%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 66%)
adding: test.txt (164 bytes security) (deflated 76%)
adding: test2.txt (164 bytes security) (deflated 27%)
adding: test3.txt (164 bytes security) (deflated 27%)
adding: test5.txt (164 bytes security) (deflated 27%)
adding: xfind.txt (164 bytes security) (deflated 70%)
adding: backregs/6145838F-0075-4763-BFE2-A0F60045A47B.reg (164 bytes security) (deflated 69%)
adding: backregs/69971A88-BE4F-430C-A046-CD9433C489B4.reg (164 bytes security) (deflated 69%)
adding: backregs/8217E7AD-2ACC-46CD-9932-E276F226B8B4.reg (164 bytes security) (deflated 69%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for really "Everyone"


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: AGTAPI.DLL
deleting local copy: asi2cqag.dll
deleting local copy: azauli5918.dll
deleting local copy: CKWFLT32.DLL
deleting local copy: czintf210.dll
deleting local copy: dn2401fqe.dll
deleting local copy: enpsl1771.dll
deleting local copy: f6l02g3mg6.dll
deleting local copy: fn2021fmg.dll
deleting local copy: fpns0357e.dll
deleting local copy: g4jo0e13eh.dll
deleting local copy: i8jqli1518.dll
deleting local copy: j02q0af5ed2.dll
deleting local copy: kt84l7lq1.dll
deleting local copy: q8nuli5918.dll
deleting local copy: qaery.dll
deleting local copy: sivsvc.dll
deleting local copy: spnsapi.dll
deleting local copy: ump10.dll

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************
C:\WINDOWS\system32\AGTAPI.DLL
C:\WINDOWS\system32\asi2cqag.dll
C:\WINDOWS\system32\azauli5918.dll
C:\WINDOWS\system32\CKWFLT32.DLL
C:\WINDOWS\system32\czintf210.dll
C:\WINDOWS\system32\dn2401fqe.dll
C:\WINDOWS\system32\enpsl1771.dll
C:\WINDOWS\system32\f6l02g3mg6.dll
C:\WINDOWS\system32\fn2021fmg.dll
C:\WINDOWS\system32\fpns0357e.dll
C:\WINDOWS\system32\g4jo0e13eh.dll
C:\WINDOWS\system32\i8jqli1518.dll
C:\WINDOWS\system32\j02q0af5ed2.dll
C:\WINDOWS\system32\kt84l7lq1.dll
C:\WINDOWS\system32\q8nuli5918.dll
C:\WINDOWS\system32\qaery.dll
C:\WINDOWS\system32\sivsvc.dll
C:\WINDOWS\system32\spnsapi.dll
C:\WINDOWS\system32\ump10.dll

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{69971A88-BE4F-430C-A046-CD9433C489B4}"=-
"{8217E7AD-2ACC-46CD-9932-E276F226B8B4}"=-
"{6145838F-0075-4763-BFE2-A0F60045A47B}"=-
[-HKEY_CLASSES_ROOT\CLSID\{69971A88-BE4F-430C-A046-CD9433C489B4}]
[-HKEY_CLASSES_ROOT\CLSID\{8217E7AD-2ACC-46CD-9932-E276F226B8B4}]
[-HKEY_CLASSES_ROOT\CLSID\{6145838F-0075-4763-BFE2-A0F60045A47B}]
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{FF448F1C-69AD-4096-B946-FD94935A37DD}"=-
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
<IDone>{FF448F1C-69AD-4096-B946-FD94935A37DD}</IDone>
<IDtwo>DS3</IDtwo>
<VERSION>200</VERSION>
****************************************************************************



Logfile of HijackThis v1.99.1
Scan saved at 4:36:35 PM, on 3/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$VISTAVISION\Binn\sqlservr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system32\winupdt.exe
C:\WINDOWS\system32\ati2dvag.exe
C:\WINDOWS\isrvs\desktop.exe
C:\WINDOWS\system\qqchcmrw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HJT\HijackThis.exe

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\isrvs\ceres.dll
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdt.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [5881ac371b9b] C:\WINDOWS\system32\ati2dvag.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#6
Dragon
Posted 03 March 2005 - 04:58 PM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
Please look over the Following Entries I have listed, run Hijack This again and check them and then, making sure you have No Internet Explorer Windows open, including this one, Press the "Fix Checked" Button with HijackThis.

Reboot If I have specified below, and Post a Fresh HijackThis log.

O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\WINDOWS\isrvs\ceres.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\system32\winupdt.exe
O4 - HKLM\..\Run: [5881ac371b9b] C:\WINDOWS\system32\ati2dvag.exe
O4 - HKLM\..\Run: [SystemCheck] C:\WINDOWS\SysCheckBop32
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKCU\..\Run: [sysmonnt] C:\WINDOWS\system32\sysmonnt
O15 - Trusted Zone: *.musicmatch.com
O15 - Trusted Zone: *.musicmatch.com (HKLM)
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll


After this, Reboot and Delete the following files:

C:\WINDOWS\isrvs\ceres.dll
C:\WINDOWS\UpdReg.EXE
C:\WINDOWS\system32\winupdt.exe
C:\WINDOWS\system32\ati2dvag.exe
C:\WINDOWS\SysCheckBop32
C:\WINDOWS\isrvs
C:\WINDOWS\farmmext.exe
C:\WINDOWS\system32\sysmonnt
C:\WINDOWS\isrvs\mfiltis.dll

Note: Make sure you have Set Windows to show Hidden Files & Folders before you Start Sending Them to us For Analysis, or you're deleting them. This can be done by looking at the instructions at This Webpage http://www.xtra.co.n...1916458,00.html

To Delete These Files/Folders, You Will need to Boot into Safe Mode. This can be done by tapping F8 while your machine restarts.

Reboot and post a fresh Hijack This log
  • 0

#7
Guest_Johanna_*
Posted 03 March 2005 - 05:17 PM

Guest_Johanna_*
  • Guest
Eeeww - looks like some of the nastiness is still there

Logfile of HijackThis v1.99.1
Scan saved at 5:14:45 PM, on 3/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$VISTAVISION\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\system\qqchcmrw.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HJT\HijackThis.exe
C:\WINDOWS\System32\imapi.exe

O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#8
Guest_Johanna_*
Posted 03 March 2005 - 05:19 PM

Guest_Johanna_*
  • Guest
Efwis - Thanks for all your help so far. The computer I'm fixing is at work and I am about to go home, so hopefully I'll hear from you tomorrow.
  • 0

#9
Dragon
Posted 03 March 2005 - 05:25 PM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
no problem, i will have the next step up by morning, that last one is a hard one to kill
  • 0

#10
Dragon
Posted 03 March 2005 - 05:47 PM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
please follow this link http://castlecops.com/post106277.html and do as exactly as it says
  • 0

Advertisements

#11
Guest_Johanna_*
Posted 04 March 2005 - 10:42 AM

Guest_Johanna_*
  • Guest
Good morning! I followed the instructions to a T from the Castle Cops. It seems the Kaspersky was more effective than anything else, but that isvrs thing is still there. I will post the new HJT first and then the log from Kaspersky.

Logfile of HijackThis v1.99.1
Scan saved at 10:27:57 AM, on 3/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$VISTAVISION\Binn\sqlservr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\SYMNET~1\SNDMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe
C:\WINDOWS\System32\MsiExec.exe

O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe



Statistics:
Task start time: 3/4/2005 8:49:21 AM
Task completion time: 3/4/2005 10:12:34 AM
Objects scanned: 195618
Viruses detected: 426
Viruses disinfected: 1
Objects deleted: 428
Objects quarantined: 3

Settings:
Objects to be scanned:
My Computer
If an infected object is found:
Prompt user for action
Scan level:
Maximum Protection
Objects to be excluded from the scan scope:
Option not used

Report:
C:\WINDOWS\SYSTEM32\DRIVERS\DELPROT.SYS is a Trojan Trojan.Win32.Delprot.a 3/4/2005 8:49:25 AM
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delprot [ImagePath=%SystemRoot%\system32\drivers\delprot.sys] is infected with a virus Service: startUp link to C:\WINDOWS\SYSTEM32\DRIVERS\DELPROT.SYS object with "Infected" verdict 3/4/2005 8:49:25 AM
C:\WINDOWS\SYSTEM32\DRIVERS\DELPROT.SYS moved to the backup storage 3/4/2005 8:49:57 AM
C:\WINDOWS\SYSTEM32\DRIVERS\DELPROT.SYS deleted 3/4/2005 8:49:57 AM
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\delprot [ImagePath=%SystemRoot%\system32\drivers\delprot.sys] deleted 3/4/2005 8:49:58 AM
C:\Documents and Settings\All Users\Application Data\msw\msw_uninstall.exe/WISE0007.BIN is infected with a virus not-a-virus:RiskWare.Tool.PsKill.a 3/4/2005 8:51:34 AM
C:\Documents and Settings\All Users\Application Data\msw\msw_uninstall.exe moved to the backup storage 3/4/2005 8:51:50 AM
C:\Documents and Settings\All Users\Application Data\msw\msw_uninstall.exe deleted 3/4/2005 8:51:50 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\AGTAPI.DLL is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 8:53:10 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip moved to the backup storage 3/4/2005 8:53:20 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\AGTAPI.DLL deleted 3/4/2005 8:53:20 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\asi2cqag.dll is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 8:53:20 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\asi2cqag.dll deleted 3/4/2005 8:53:28 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\azauli5918.dll is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 8:53:28 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\azauli5918.dll deleted 3/4/2005 8:53:32 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\CKWFLT32.DLL is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 8:53:32 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\CKWFLT32.DLL deleted 3/4/2005 8:53:35 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\czintf210.dll is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 8:53:35 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\czintf210.dll deleted 3/4/2005 8:53:40 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\dn2401fqe.dll is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 8:53:40 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\dn2401fqe.dll deleted 3/4/2005 8:53:42 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\enpsl1771.dll is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 8:53:42 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\enpsl1771.dll deleted 3/4/2005 8:53:43 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\f6l02g3mg6.dll is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 8:53:43 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\f6l02g3mg6.dll deleted 3/4/2005 8:53:44 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\fn2021fmg.dll is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 8:53:44 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\fn2021fmg.dll deleted 3/4/2005 8:53:44 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\fpns0357e.dll is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 8:53:45 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\fpns0357e.dll deleted 3/4/2005 8:53:45 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\g4jo0e13eh.dll is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 8:53:45 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\g4jo0e13eh.dll deleted 3/4/2005 8:53:46 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\i8jqli1518.dll is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 8:53:46 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\i8jqli1518.dll deleted 3/4/2005 8:53:46 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\j02q0af5ed2.dll is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 8:53:46 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\j02q0af5ed2.dll deleted 3/4/2005 8:53:47 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\kt84l7lq1.dll is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 8:53:47 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\kt84l7lq1.dll deleted 3/4/2005 8:53:48 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\q8nuli5918.dll is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 8:53:48 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\q8nuli5918.dll deleted 3/4/2005 8:53:49 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\qaery.dll is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 8:53:49 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\qaery.dll deleted 3/4/2005 8:53:50 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\sivsvc.dll is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 8:53:50 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\sivsvc.dll deleted 3/4/2005 8:53:50 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\spnsapi.dll is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 8:53:50 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\spnsapi.dll deleted 3/4/2005 8:53:51 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\ump10.dll is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 8:53:51 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\backup.zip\ump10.dll deleted 3/4/2005 8:53:51 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\Process.exe is infected with a virus not-a-virus:RiskWare.Tool.Processor.20 3/4/2005 8:53:52 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\Process.exe moved to the backup storage 3/4/2005 8:53:58 AM
C:\Documents and Settings\Mike Love\Desktop\l2mfix\Process.exe deleted 3/4/2005 8:53:58 AM
C:\Documents and Settings\Mike Love\Local Settings\Temp\B190883346\build2.exe/data0002 is infected with a virus not-a-virus:AdWare.ToolBar.ISearch.d 3/4/2005 8:54:49 AM
C:\Documents and Settings\Mike Love\Local Settings\Temp\B190883346\build2.exe moved to the backup storage 3/4/2005 8:54:49 AM
C:\Documents and Settings\Mike Love\Local Settings\Temp\B190883346\build2.exe is infected with a virus not-a-virus:AdWare.ToolBar.ISearch.d 3/4/2005 8:54:50 AM
C:\Documents and Settings\Mike Love\Local Settings\Temp\B190883346\build2.exe deleted 3/4/2005 8:54:50 AM
C:\Documents and Settings\Mike Love\Local Settings\Temp\THI2D13.tmp\farmmext.cab\farmmext.exe is infected with a virus Trojan-Downloader.Win32.Stubby.c 3/4/2005 8:54:50 AM
C:\Documents and Settings\Mike Love\Local Settings\Temp\THI2D13.tmp\farmmext.cab moved to the backup storage 3/4/2005 8:54:54 AM
C:\Documents and Settings\Mike Love\Local Settings\Temp\THI2D13.tmp\farmmext.cab\farmmext.exe deleted 3/4/2005 8:54:54 AM
C:\Documents and Settings\Mike Love\Local Settings\Temporary Internet Files\Content.IE5\SX2ROHQN\45[1].bin is infected with a virus not-a-virus:AdWare.ToolBar.ISearch.d 3/4/2005 8:55:16 AM
C:\Documents and Settings\Mike Love\Local Settings\Temporary Internet Files\Content.IE5\SX2ROHQN\45[1].bin moved to the backup storage 3/4/2005 8:55:29 AM
C:\Documents and Settings\Mike Love\Local Settings\Temporary Internet Files\Content.IE5\SX2ROHQN\45[1].bin deleted 3/4/2005 8:55:29 AM
C:\Documents and Settings\Mike Love\Local Settings\Temporary Internet Files\Content.IE5\SX2ROHQN\stats2[1].htm is infected with a virus Exploit.HTML.Mht 3/4/2005 8:55:34 AM
C:\Documents and Settings\Mike Love\Local Settings\Temporary Internet Files\Content.IE5\SX2ROHQN\stats2[1].htm moved to the backup storage 3/4/2005 8:55:37 AM
C:\Documents and Settings\Mike Love\Local Settings\Temporary Internet Files\Content.IE5\SX2ROHQN\stats2[1].htm deleted 3/4/2005 8:55:37 AM
C:\Program Files\AWS\WeatherBug\Install\MiniBug.exe is infected with a virus not-a-virus:AdWare.MiniBug 3/4/2005 9:07:40 AM
C:\Program Files\AWS\WeatherBug\Install\MiniBug.exe moved to the backup storage 3/4/2005 9:07:46 AM
C:\Program Files\AWS\WeatherBug\Install\MiniBug.exe deleted 3/4/2005 9:07:47 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\arrow1.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\arrow2.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bck1.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bck2.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt11.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt12.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt13.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt21.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt22.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt23.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt31.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt32.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt33.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt41.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt42.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt43.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt51.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt52.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt53.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt61.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt62.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox1.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox2.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox3.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox4.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\default.skn password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\defbtn1.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\defbtn2.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\defbtn3.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph1.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph2.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph3.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph4.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph5.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph6.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph7.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\main.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\preview.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\sprite1.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\tab1.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\tab2.bmp password protected, has not been processed 3/4/2005 9:14:26 AM
C:\Program Files\zgp3thlk\zgp3thlk.exe is a backdoor Backdoor.Win32.Ruledor.f 3/4/2005 9:24:04 AM
C:\Program Files\zgp3thlk\zgp3thlk.exe moved to the backup storage 3/4/2005 9:29:24 AM
C:\Program Files\zgp3thlk\zgp3thlk.exe deleted 3/4/2005 9:29:24 AM
C:\RECYCLER\S-1-5-21-962957866-4098736209-3372358819-1007\Dc3.exe is infected with a virus Trojan-Downloader.Win32.Agent.jq 3/4/2005 9:29:48 AM
C:\RECYCLER\S-1-5-21-962957866-4098736209-3372358819-1007\Dc3.exe moved to the backup storage 3/4/2005 9:31:32 AM
C:\RECYCLER\S-1-5-21-962957866-4098736209-3372358819-1007\Dc3.exe deleted 3/4/2005 9:31:32 AM
C:\RECYCLER\S-1-5-21-962957866-4098736209-3372358819-1007\Dc5.exe is a Trojan Trojan.Win32.VB.tg 3/4/2005 9:31:32 AM
C:\RECYCLER\S-1-5-21-962957866-4098736209-3372358819-1007\Dc5.exe moved to the backup storage 3/4/2005 9:31:35 AM
C:\RECYCLER\S-1-5-21-962957866-4098736209-3372358819-1007\Dc5.exe deleted 3/4/2005 9:31:36 AM
C:\RECYCLER\S-1-5-21-962957866-4098736209-3372358819-1007\Dc8.exe is a backdoor Backdoor.Win32.VB.aat 3/4/2005 9:31:36 AM
C:\RECYCLER\S-1-5-21-962957866-4098736209-3372358819-1007\Dc8.exe moved to the backup storage 3/4/2005 9:31:37 AM
C:\RECYCLER\S-1-5-21-962957866-4098736209-3372358819-1007\Dc8.exe deleted 3/4/2005 9:31:37 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP207\A0019775.exe is infected with a virus Trojan-Downloader.Win32.Small.aco 3/4/2005 9:37:34 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP207\A0019775.exe moved to the backup storage 3/4/2005 9:39:38 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP207\A0019775.exe deleted 3/4/2005 9:39:38 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP207\A0019776.exe is infected with a virus not-a-virus:AdWare.EZula.ar 3/4/2005 9:39:38 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP207\A0019776.exe moved to the backup storage 3/4/2005 9:39:47 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP207\A0019776.exe deleted 3/4/2005 9:39:47 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP207\A0019778.exe is infected with a virus not-a-virus:AdWare.EZula.ah 3/4/2005 9:39:48 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP207\A0019778.exe moved to the backup storage 3/4/2005 9:39:51 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP207\A0019778.exe deleted 3/4/2005 9:39:51 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP207\A0019779.exe/data0002 is infected with a virus not-a-virus:AdWare.MetaDirect.a 3/4/2005 9:39:51 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP207\A0019779.exe moved to the backup storage 3/4/2005 9:39:51 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP207\A0019779.exe deleted 3/4/2005 9:39:51 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP207\A0019780.exe is infected with a virus Trojan-Dropper.Win32.Small.kz 3/4/2005 9:39:51 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP207\A0019780.exe moved to the backup storage 3/4/2005 9:39:55 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP207\A0019780.exe deleted 3/4/2005 9:39:55 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP207\A0019782.exe is infected with a virus not-a-virus:AdWare.VirtualBouncer.i 3/4/2005 9:39:56 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP207\A0019782.exe moved to the backup storage 3/4/2005 9:39:57 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP207\A0019782.exe deleted 3/4/2005 9:39:58 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP207\A0019794.exe is infected with a virus not-a-virus:AdWare.AdURL.c 3/4/2005 9:39:58 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP207\A0019794.exe moved to the backup storage 3/4/2005 9:39:59 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP207\A0019794.exe deleted 3/4/2005 9:39:59 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0019825.exe is infected with a virus Trojan-Downloader.Win32.Small.aco 3/4/2005 9:40:03 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0019825.exe moved to the backup storage 3/4/2005 9:40:05 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0019825.exe deleted 3/4/2005 9:40:05 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0019826.exe is infected with a virus Trojan-Dropper.Win32.Small.fl 3/4/2005 9:40:05 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0019826.exe moved to the backup storage 3/4/2005 9:40:08 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0019826.exe deleted 3/4/2005 9:40:08 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021120.exe is infected with a virus not-a-virus:AdWare.ToolBar.MyWay.j 3/4/2005 9:40:18 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021120.exe moved to the backup storage 3/4/2005 9:40:22 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021120.exe deleted 3/4/2005 9:40:22 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021121.dll is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 9:40:23 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021121.dll moved to the backup storage 3/4/2005 9:40:24 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021121.dll deleted 3/4/2005 9:40:24 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021136.dll is infected with a virus not-a-virus:AdWare.BiSpy.t 3/4/2005 9:40:24 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021136.dll moved to the backup storage 3/4/2005 9:40:26 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021136.dll deleted 3/4/2005 9:40:26 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021144.exe is infected with a virus not-a-virus:AdWare.EZula.ap 3/4/2005 9:40:27 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021144.exe moved to the backup storage 3/4/2005 9:40:28 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021144.exe deleted 3/4/2005 9:40:28 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021145.exe/WISE0001.BIN is infected with a virus not-a-virus:AdWare.EZula.ak 3/4/2005 9:40:29 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021145.exe moved to the backup storage 3/4/2005 9:40:29 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021145.exe deleted 3/4/2005 9:40:29 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021146.exe/WISE0001.BIN is infected with a virus not-a-virus:AdWare.EZula.ak 3/4/2005 9:40:29 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021146.exe moved to the backup storage 3/4/2005 9:40:29 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021146.exe deleted 3/4/2005 9:40:29 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021186.DLL is infected with a virus not-a-virus:AdWare.ToolBar.MyWay.j 3/4/2005 9:40:41 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021186.DLL moved to the backup storage 3/4/2005 9:40:44 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021186.DLL deleted 3/4/2005 9:40:44 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021187.EXE is infected with a virus not-a-virus:AdWare.ToolBar.MyWay.j 3/4/2005 9:40:44 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021187.EXE moved to the backup storage 3/4/2005 9:40:45 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021187.EXE deleted 3/4/2005 9:40:45 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021194.dll is infected with a virus not-a-virus:AdWare.BiSpy.t 3/4/2005 9:40:49 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021194.dll moved to the backup storage 3/4/2005 9:40:51 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021194.dll deleted 3/4/2005 9:40:51 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021195.dll is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 9:40:52 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021195.dll moved to the backup storage 3/4/2005 9:40:53 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021195.dll deleted 3/4/2005 9:40:53 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021196.dll is infected with a virus not-a-virus:AdWare.Apropos.e 3/4/2005 9:40:53 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021196.dll moved to the backup storage 3/4/2005 9:40:54 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021196.dll deleted 3/4/2005 9:40:54 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021197.exe is infected with a virus not-a-virus:AdWare.Apropos.f 3/4/2005 9:40:54 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021197.exe moved to the backup storage 3/4/2005 9:40:58 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021197.exe deleted 3/4/2005 9:40:58 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021198.exe is infected with a virus Trojan-Downloader.Win32.Apropo.r 3/4/2005 9:40:58 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021198.exe moved to the backup storage 3/4/2005 9:40:59 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021198.exe deleted 3/4/2005 9:40:59 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021199.exe is infected with a virus Trojan-Downloader.Win32.Stubby.c 3/4/2005 9:40:59 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021199.exe moved to the backup storage 3/4/2005 9:41:01 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021199.exe deleted 3/4/2005 9:41:01 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021200.dll is infected with a virus Trojan-Clicker.Win32.Delf.r 3/4/2005 9:41:01 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021200.dll moved to the backup storage 3/4/2005 9:41:03 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021200.dll deleted 3/4/2005 9:41:03 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021203.exe is infected with a virus not-a-virus:AdWare.BetterInternet 3/4/2005 9:41:05 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021203.exe moved to the backup storage 3/4/2005 9:41:06 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021203.exe deleted 3/4/2005 9:41:06 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021204.EXE is infected with a virus Trojan-Dropper.Win32.Small.ht 3/4/2005 9:41:06 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021204.EXE moved to the backup storage 3/4/2005 9:41:07 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP209\A0021204.EXE deleted 3/4/2005 9:41:07 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022120.dll is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 9:41:10 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022120.dll moved to the backup storage 3/4/2005 9:41:12 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022120.dll deleted 3/4/2005 9:41:12 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022121.exe is infected with a virus Trojan-Downloader.Win32.Small.aco 3/4/2005 9:41:12 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022121.exe moved to the backup storage 3/4/2005 9:41:13 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022121.exe deleted 3/4/2005 9:41:13 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022122.exe is infected with a virus not-a-virus:AdWare.EZula.ar 3/4/2005 9:41:13 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022122.exe moved to the backup storage 3/4/2005 9:41:15 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022122.exe deleted 3/4/2005 9:41:15 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022123.exe/data0002 is infected with a virus not-a-virus:AdWare.MetaDirect.a 3/4/2005 9:41:15 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022123.exe moved to the backup storage 3/4/2005 9:41:15 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022123.exe deleted 3/4/2005 9:41:15 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022124.DLL is infected with a virus not-a-virus:AdWare.ToolBar.MyWay.j 3/4/2005 9:41:15 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022124.DLL moved to the backup storage 3/4/2005 9:41:16 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022124.DLL deleted 3/4/2005 9:41:16 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022125.exe is infected with a virus Trojan-Downloader.Win32.Wintool.e 3/4/2005 9:41:16 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022125.exe moved to the backup storage 3/4/2005 9:41:17 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022125.exe deleted 3/4/2005 9:41:17 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022126.exe is infected with a virus not-a-virus:AdWare.EZula.ah 3/4/2005 9:41:18 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022126.exe moved to the backup storage 3/4/2005 9:41:19 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022126.exe deleted 3/4/2005 9:41:19 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022127.dll is infected with a virus not-a-virus:AdWare.ToolBar.BHO.l 3/4/2005 9:41:19 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022127.dll moved to the backup storage 3/4/2005 9:41:20 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022127.dll deleted 3/4/2005 9:41:20 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022132.exe is infected with a virus not-a-virus:AdWare.WebSearch.n 3/4/2005 9:41:20 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022132.exe moved to the backup storage 3/4/2005 9:41:22 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022132.exe deleted 3/4/2005 9:41:22 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022133.exe is infected with a virus not-a-virus:AdWare.Wintol.t 3/4/2005 9:41:22 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022133.exe moved to the backup storage 3/4/2005 9:41:23 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022133.exe deleted 3/4/2005 9:41:23 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022137.dll is infected with a virus not-a-virus:AdWare.BiSpy.t 3/4/2005 9:41:23 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022137.dll moved to the backup storage 3/4/2005 9:41:24 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022137.dll deleted 3/4/2005 9:41:24 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022142.exe is infected with a virus Trojan-Downloader.Win32.Qoologic.d 3/4/2005 9:41:24 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022142.exe moved to the backup storage 3/4/2005 9:41:25 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022142.exe deleted 3/4/2005 9:41:25 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022143.dll is infected with a virus not-a-virus:AdWare.Couponage.a 3/4/2005 9:41:25 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022143.dll moved to the backup storage 3/4/2005 9:41:27 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022143.dll deleted 3/4/2005 9:41:27 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022144.exe is infected with a virus not-a-virus:AdWare.Zestyfind 3/4/2005 9:41:27 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022144.exe moved to the backup storage 3/4/2005 9:41:28 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022144.exe deleted 3/4/2005 9:41:28 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022147.dll is infected with a virus not-a-virus:AdWare.BiSpy.t 3/4/2005 9:41:28 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022147.dll moved to the backup storage 3/4/2005 9:41:29 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0022147.dll deleted 3/4/2005 9:41:29 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023120.exe is infected with a virus Trojan-Dropper.Win32.Small.kz 3/4/2005 9:41:29 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023120.exe moved to the backup storage 3/4/2005 9:41:31 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023120.exe deleted 3/4/2005 9:41:31 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023122.exe is infected with a virus Trojan-Dropper.Win32.Small.fl 3/4/2005 9:41:31 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023122.exe moved to the backup storage 3/4/2005 9:41:33 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023122.exe deleted 3/4/2005 9:41:33 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023123.DLL is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 9:41:34 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023123.DLL moved to the backup storage 3/4/2005 9:41:35 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023123.DLL deleted 3/4/2005 9:41:35 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023130.exe is infected with a virus not-a-virus:AdWare.WebSearch.n 3/4/2005 9:41:35 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023130.exe moved to the backup storage 3/4/2005 9:41:37 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023130.exe deleted 3/4/2005 9:41:37 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023131.exe is infected with a virus not-a-virus:AdWare.Wintol.t 3/4/2005 9:41:37 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023131.exe moved to the backup storage 3/4/2005 9:41:38 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023131.exe deleted 3/4/2005 9:41:38 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023135.dll is infected with a virus not-a-virus:AdWare.BiSpy.t 3/4/2005 9:41:38 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023135.dll moved to the backup storage 3/4/2005 9:41:40 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023135.dll deleted 3/4/2005 9:41:40 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023138.dll is infected with a virus not-a-virus:AdWare.BiSpy.t 3/4/2005 9:41:40 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023138.dll moved to the backup storage 3/4/2005 9:41:41 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023138.dll deleted 3/4/2005 9:41:41 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023159.dll is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 9:41:45 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023159.dll moved to the backup storage 3/4/2005 9:41:46 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023159.dll deleted 3/4/2005 9:41:46 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023160.exe is infected with a virus not-a-virus:AdWare.VirtualBouncer.i 3/4/2005 9:41:46 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023160.exe moved to the backup storage 3/4/2005 9:41:47 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023160.exe deleted 3/4/2005 9:41:47 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023161.dll is infected with a virus not-a-virus:AdWare.ToolBar.BHO.l 3/4/2005 9:41:47 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023161.dll moved to the backup storage 3/4/2005 9:41:48 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023161.dll deleted 3/4/2005 9:41:48 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023162.dll is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 9:41:50 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023162.dll moved to the backup storage 3/4/2005 9:41:51 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023162.dll deleted 3/4/2005 9:41:51 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023171.dll is infected with a virus not-a-virus:AdWare.BiSpy.t 3/4/2005 9:41:51 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023171.dll moved to the backup storage 3/4/2005 9:41:52 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023171.dll deleted 3/4/2005 9:41:52 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023174.exe is infected with a virus not-a-virus:AdWare.WebSearch.n 3/4/2005 9:41:52 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023174.exe moved to the backup storage 3/4/2005 9:41:54 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023174.exe deleted 3/4/2005 9:41:54 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023175.exe is infected with a virus not-a-virus:AdWare.Wintol.t 3/4/2005 9:41:54 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023175.exe moved to the backup storage 3/4/2005 9:41:55 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023175.exe deleted 3/4/2005 9:41:55 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023180.dll is infected with a virus not-a-virus:AdWare.BiSpy.t 3/4/2005 9:41:55 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023180.dll moved to the backup storage 3/4/2005 9:41:57 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023180.dll deleted 3/4/2005 9:41:57 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023183.dll is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 9:41:58 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023183.dll moved to the backup storage 3/4/2005 9:41:59 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023183.dll deleted 3/4/2005 9:41:59 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023190.dll is infected with a virus not-a-virus:AdWare.BiSpy.t 3/4/2005 9:41:59 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023190.dll moved to the backup storage 3/4/2005 9:42:00 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023190.dll deleted 3/4/2005 9:42:00 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023193.exe is infected with a virus not-a-virus:AdWare.WebSearch.n 3/4/2005 9:42:01 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023193.exe moved to the backup storage 3/4/2005 9:42:02 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023193.exe deleted 3/4/2005 9:42:02 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023194.exe is infected with a virus not-a-virus:AdWare.Wintol.t 3/4/2005 9:42:02 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023194.exe moved to the backup storage 3/4/2005 9:42:04 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023194.exe deleted 3/4/2005 9:42:04 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023197.dll is infected with a virus not-a-virus:AdWare.BiSpy.t 3/4/2005 9:42:04 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023197.dll moved to the backup storage 3/4/2005 9:42:05 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023197.dll deleted 3/4/2005 9:42:05 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023201.exe is infected with a virus not-a-virus:AdWare.AdURL.c 3/4/2005 9:42:05 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023201.exe moved to the backup storage 3/4/2005 9:42:06 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023201.exe deleted 3/4/2005 9:42:06 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023210.exe is infected with a virus not-a-virus:AdWare.WebRebates.c 3/4/2005 9:42:07 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023210.exe moved to the backup storage 3/4/2005 9:42:08 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023210.exe deleted 3/4/2005 9:42:08 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023211.exe is infected with a virus not-a-virus:AdWare.WebRebates.d 3/4/2005 9:42:08 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023211.exe moved to the backup storage 3/4/2005 9:42:09 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023211.exe deleted 3/4/2005 9:42:09 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023212.exe is infected with a virus not-a-virus:AdWare.WebRebates.d 3/4/2005 9:42:09 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023212.exe moved to the backup storage 3/4/2005 9:42:11 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023212.exe deleted 3/4/2005 9:42:11 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023213.dll is infected with a virus not-a-virus:AdWare.WebSearch.o 3/4/2005 9:42:11 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023213.dll moved to the backup storage 3/4/2005 9:42:12 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023213.dll deleted 3/4/2005 9:42:12 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023214.exe is infected with a virus not-a-virus:AdWare.WebSearch.f 3/4/2005 9:42:12 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023214.exe moved to the backup storage 3/4/2005 9:42:13 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023214.exe deleted 3/4/2005 9:42:13 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023215.exe is infected with a virus not-a-virus:AdWare.WebSearch.n 3/4/2005 9:42:14 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023215.exe moved to the backup storage 3/4/2005 9:42:15 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023215.exe deleted 3/4/2005 9:42:15 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023216.dll is infected with a modification of a virus not-a-virus:AdWare.WebSearch.l 3/4/2005 9:42:16 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023216.dll quarantined 3/4/2005 9:42:21 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023216.dll deleted 3/4/2005 9:42:21 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023219.exe is infected with a virus not-a-virus:AdWare.180Solutions 3/4/2005 9:42:22 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023219.exe moved to the backup storage 3/4/2005 9:42:23 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023219.exe deleted 3/4/2005 9:42:23 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023221.dll is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 9:42:25 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023221.dll moved to the backup storage 3/4/2005 9:42:26 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023221.dll deleted 3/4/2005 9:42:26 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023222.exe is infected with a virus not-a-virus:AdWare.Wintol.t 3/4/2005 9:42:26 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023222.exe moved to the backup storage 3/4/2005 9:42:28 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023222.exe deleted 3/4/2005 9:42:28 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023223.dll is infected with a virus not-a-virus:AdWare.Wintol.t 3/4/2005 9:42:28 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023223.dll moved to the backup storage 3/4/2005 9:42:29 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023223.dll deleted 3/4/2005 9:42:29 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023224.exe is infected with a virus not-a-virus:AdWare.WebSearch.n 3/4/2005 9:42:29 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023224.exe moved to the backup storage 3/4/2005 9:42:31 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023224.exe deleted 3/4/2005 9:42:31 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023225.dll is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 9:42:32 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023225.dll moved to the backup storage 3/4/2005 9:42:33 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023225.dll deleted 3/4/2005 9:42:33 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023233.dll is infected with a virus not-a-virus:AdWare.BiSpy.t 3/4/2005 9:42:34 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023233.dll moved to the backup storage 3/4/2005 9:42:35 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023233.dll deleted 3/4/2005 9:42:35 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023235.dll is infected with a virus not-a-virus:AdWare.BiSpy.t 3/4/2005 9:42:35 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023235.dll moved to the backup storage 3/4/2005 9:42:36 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023235.dll deleted 3/4/2005 9:42:36 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023247.dll is infected with a virus not-a-virus:AdWare.Look2Me.u 3/4/2005 9:42:38 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023247.dll moved to the backup storage 3/4/2005 9:42:39 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023247.dll deleted 3/4/2005 9:42:39 AM
C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP210\A0023248.dll
  • 0

#12
Dragon
Posted 04 March 2005 - 10:55 AM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
now lets see if we can remove those files with Hijack this, only we will do it in safe mode from the start

run Hijack This again and check them and then, making sure you have No Internet Explorer Windows open, including this one, Press the "Fix Checked" Button with HijackThis.

Reboot If I have specified below, and Post a Fresh HijackThis log.

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

After this, Reboot and Delete the following files:

C:\WINDOWS\isrvs

Note: Make sure you have Set Windows to show Hidden Files & Folders before you Start Sending Them to us For Analysis, or you're deleting them. This can be done by looking at the instructions at This Webpage http://www.xtra.co.n...1916458,00.html

To Delete These Files/Folders, You Will need to Boot into Safe Mode. This can be done by tapping F8 while your machine restarts.

Edited by Efwis, 04 March 2005 - 10:56 AM.

  • 0

#13
Guest_Johanna_*
Posted 04 March 2005 - 11:51 AM

Guest_Johanna_*
  • Guest
Oooooo - I think this may have done it :tazz: BTW, I could not delete the WINDOWS/isrvs file/folder because there was nothing there by that name. Here's the log:

Logfile of HijackThis v1.99.1
Scan saved at 11:36:21 AM, on 3/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HJT\HijackThis.exe

O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
  • 0

#14
Dragon
Posted 04 March 2005 - 12:13 PM

Dragon

    All Around Computer Nut

  • Retired Staff
  • 2,682 posts
Your Log is Clean :tazz:

For Future Protection
Download and install:

SpywareBlaster will block bad ActiveX and malevolent cookies. http://www.javacools...areblaster.html

IE-SPYAD puts over 4000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
https://netfiles.uiu...rce.htm#IESPYAD

Both are very small free programs that you run once, and then just occasionally to check for updates.

And also see
So how did I get infected in the first place?
  • 0

#15
Guest_Johanna_*
Posted 04 March 2005 - 12:26 PM

Guest_Johanna_*
  • Guest
You are awesome!! Thank you, thank you so much!
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP