[GregDavid]

heres the active scan logfile.. i will proceed to follow your new instructions




Incident Status Location

Adware:Adware/SaveNow No disinfected C:\WINDOWS\Downloaded Program Files\WUInst.inf
Spyware:Spyware/BargainBuddy No disinfected Windows Registry
Adware:Adware/nCase No disinfected C:\WINDOWS\system32\FLEOK
Adware:Adware/MemoryWatcher No disinfected Windows Registry
Spyware:Spyware/ISTbar No disinfected C:\Program Files\Common Files\Totem Shared
Adware:Adware/PurityScan No disinfected C:\WINDOWS\System32\NDrv.dll
Adware:Adware/Xupiter No disinfected C:\Program Files\Common Files\sq
Adware:Adware/StatBlaster No disinfected C:\Program Files\Media\Media
Adware:Adware/FavoriteMan No disinfected C:\WINDOWS\system32\ATPartners.dll
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\Greg\Favorites\Only sex website.url
Adware:Adware/WinTools No disinfected Windows Registry
Adware:Adware/AdDestroyer No disinfected C:\WINDOWS\system32\SWRT??.dll
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\SWRT01.dll
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\Dpi
Adware:Adware/SideSearch No disinfected C:\Documents and Settings\Greg\Application Data\Lycos
Adware:Adware/IEDriver No disinfected Windows Registry
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.???
Adware:Adware/NavHelper No disinfected Windows Registry
Adware:Adware/SearchExe No disinfected C:\Documents and Settings\Greg\Favorites\-Autos-
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system\UpdInstall.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Windows ServeAd
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\system32\kyf.dat
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Greg\Favorites\Sites about\Ab scissor.url
Adware:Adware/CWS.Aboutblank No disinfected Windows Registry
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\1first.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\ANTI16.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\bashwin.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\Bind Knob.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\Cast Eq.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\does owns.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\findbarb.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\gram tick.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\gramface.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\info browse.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\Long Pop.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\mixbind.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\Okaymath.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\seekdumb.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\Show Film.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\Web Start.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\BATISOARMYDEFAULT\AXIS PLAY.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\BATISOARMYDEFAULT\BIB FREE.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\BATISOARMYDEFAULT\soapclose.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\popinstlite.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Default User\My Documents\Data\popinstlite.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Guest\Application Data\error hope\gridflag4.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Guest\Application Data\error hope\pure army nurb.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Guest\Application Data\error hope\ufyflovm.exe
Adware:Adware/PurityScan No disinfected C:\install-tag001.exe
Adware:Adware/Minibug.A No disinfected C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll
Adware:Adware/WUpd No disinfected C:\Program Files\Windows ServeAd\WinAtServ.dll
Adware:Adware/WUpd No disinfected C:\Program Files\Windows ServeAd\WinServSuit.exe
Adware:Adware/EasySearch No disinfected C:\Program Files\ytijg.dll
Adware:Adware/Lop No disinfected C:\RECYCLER\NPROTECT\00005137.exe
Adware:Adware/Lop No disinfected C:\RECYCLER\NPROTECT\00005139.del
Adware:Adware/Lop No disinfected C:\RECYCLER\NPROTECT\00005141.EXE
Adware:Adware/Lop No disinfected C:\RECYCLER\NPROTECT\00005142.exe
Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-3403473811-1582333133-359561344-1008\Dc13\Admin Okay Bleh Junk.exe
Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-3403473811-1582333133-359561344-1008\Dc13\gridflag4.exe
Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-3403473811-1582333133-359561344-1008\Dc13\pure army nurb.exe
Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-3403473811-1582333133-359561344-1008\Dc13\zzekhtrf.exe
Adware:Adware/NetPals No disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf
Adware:Adware Program No disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
Adware:Adware/EasySearch No disinfected C:\WINDOWS\gkuig.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\hguxk.dll
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf
Adware:Adware/WUpd No disinfected C:\WINDOWS\mserv32.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system\UpdInstall.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\AhxbI.exe
Adware:Adware/NetPals No disinfected C:\WINDOWS\system32\ATPartners.dll
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\system32\biU.exe
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\elpol.dll
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\Ezg1p5.exe
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\kuwwd.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\NDrv.exe
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\qpdak.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\qzwac.dll
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\SWRT01.dll
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\Ucsw.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\wintsvit.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\xmlparse.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\xmltok.dll
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\Yfwz.exe
Adware:Adware/EasySearch No disinfected C:\WINDOWS\xbexi.dll

Thanks Michelle

Greg:)

[Advertisements]

trash that last activescan log,.. i didn't get your message to run hijack this before.. so i will get to that then run the scan again and save a log for you.. thanks

[GregDavid]

trash that last activescan log,.. i didn't get your message to run hijack this before.. so i will get to that then run the scan again and save a log for you.. thanks

[GregDavid]

yeah, hijack this said that 11Fßä#·ºÄÖ`I was not present in the registry.. i did make sure that there was a space before the first "1" I will go fourth with the new instructions

[Michelle]

After following all of the instructions above for cleaning your system, please run ActiveScan again and paste the new log here (I know it's time consuming and boring, but we have to do it!) and this way we won't be deleting stuff they may have already been deleted from running ad-aware, cleanup, aboutbuster,etc.

We will check on the NT service after this to make sure it is gone

Michelle

[GregDavid]

heres the brand spankin new log, it looks pretty good now.. i think


Logfile of HijackThis v1.99.1
Scan saved at 7:48:18 PM, on 3/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Multimedia\main\LaunchPd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Norton Utilities\SYSDOC32.EXE
C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\cba\pds.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\Program Files\Speed Disk\nopdb.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\ams_ii\iao.exe
C:\WINDOWS\system32\cba\xfr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Documents and Settings\Greg\Desktop\POOP\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\\{5372B9A6-6E51-4f90-9B40-E0A3B8475C4E}\hphupd05.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ATI Launchpad] "C:\Program Files\ATI Multimedia\main\LaunchPd.exe"
O4 - Startup: Norton System Doctor.LNK = C:\Program Files\Norton Utilities\SYSDOC32.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\AOL Instant Messenger\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\IEExtension.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Intel Alert Handler - Intel® Corporation - C:\WINDOWS\system32\ams_ii\hndlrsvc.exe
O23 - Service: Intel Alert Originator - Intel® Corporation - C:\WINDOWS\system32\ams_ii\iao.exe
O23 - Service: Intel File Transfer - Intel® Corporation - C:\WINDOWS\system32\cba\xfr.exe
O23 - Service: Intel PDS - Intel® Corporation - C:\WINDOWS\system32\cba\pds.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Speed Disk\nopdb.exe

Greg

[Michelle]

Yes, you are correct! It is looking good!

Now, I need you to go to Start > Run then type "services.msc" (without quotes)

Scroll down and look for a service that will either be called this:

Remote Procedure Call (RPC) Helper

or this

11Fßä#·ºÄÖ`I

*NOTE* Make sure it says HELPER, because there will be a Remote Procedure Call and a Remote Procedure Call Locator - both of these are legit.

Let me know! Thanks!

Michelle

[GregDavid]

The RPC Helper isn't present in services.msc, do you still want me to run active scan?

[Michelle]

Yes, please run Activescan and post a log (your system isn't clean until we kill off old files left on your computer from previous infections!) There is no guarantee that you won't have to run it a couple more times (just so you know!) This is just to make absolutely sure we get your system clean.

Michelle

[GregDavid]

ok i will get right on it!! Thank you michelle!!!!!!!

[Michelle]

I like the name of your HiJackThis folder haha

Michelle

[GregDavid]

heres the activescan log.. and yeah i couldn't think of a better name for the folder.. LOL


Incident Status Location

Adware:Adware/SaveNow No disinfected C:\WINDOWS\Downloaded Program Files\WUInst.inf
Spyware:Spyware/BargainBuddy No disinfected Windows Registry
Adware:Adware/nCase No disinfected C:\WINDOWS\system32\FLEOK
Adware:Adware/MemoryWatcher No disinfected Windows Registry
Spyware:Spyware/ISTbar No disinfected C:\Program Files\Common Files\Totem Shared
Adware:Adware/PurityScan No disinfected C:\WINDOWS\System32\NDrv.dll
Adware:Adware/Xupiter No disinfected C:\Program Files\Common Files\sq
Adware:Adware/StatBlaster No disinfected C:\Program Files\Media\Media
Adware:Adware/FavoriteMan No disinfected C:\WINDOWS\system32\ATPartners.dll
Adware:Adware/WinTools No disinfected Windows Registry
Adware:Adware/AdDestroyer No disinfected C:\WINDOWS\system32\SWRT??.dll
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\SWRT01.dll
Adware:Adware/DelFinMedia No disinfected C:\Program Files\Common Files\Dpi
Adware:Adware/SideSearch No disinfected C:\Documents and Settings\Greg\Application Data\Lycos
Adware:Adware/IEDriver No disinfected Windows Registry
Adware:Adware/IPInsight No disinfected C:\WINDOWS\alchem.???
Adware:Adware/NavHelper No disinfected Windows Registry
Adware:Adware/SearchExe No disinfected C:\Documents and Settings\Greg\Favorites\-Autos-
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system\UpdInstall.exe
Adware:Adware/WUpd No disinfected C:\Program Files\Windows ServeAd
Spyware:Spyware/Whazit No disinfected C:\WINDOWS\system32\kyf.dat
Spyware:Spyware/Petro-Line No disinfected C:\Documents and Settings\Greg\Favorites\Sites about\Ab scissor.url
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\1first.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\ANTI16.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\bashwin.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\Bind Knob.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\Cast Eq.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\does owns.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\findbarb.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\gram tick.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\gramface.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\info browse.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\Long Pop.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\mixbind.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\Okaymath.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\seekdumb.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\Show Film.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\amok mapi first army\Web Start.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\BATISOARMYDEFAULT\AXIS PLAY.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\BATISOARMYDEFAULT\BIB FREE.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\All Users\Application Data\BATISOARMYDEFAULT\soapclose.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Default User\My Documents\Data\Data\popinstlite.exe
Adware:Adware/Apropos No disinfected C:\Documents and Settings\Default User\My Documents\Data\popinstlite.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Guest\Application Data\error hope\gridflag4.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Guest\Application Data\error hope\pure army nurb.exe
Adware:Adware/Lop No disinfected C:\Documents and Settings\Guest\Application Data\error hope\ufyflovm.exe
Adware:Adware/PurityScan No disinfected C:\install-tag001.exe
Adware:Adware/Minibug.A No disinfected C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll
Adware:Adware/WUpd No disinfected C:\Program Files\Windows ServeAd\WinAtServ.dll
Adware:Adware/WUpd No disinfected C:\Program Files\Windows ServeAd\WinServSuit.exe
Adware:Adware/EasySearch No disinfected C:\Program Files\ytijg.dll
Adware:Adware/Lop No disinfected C:\RECYCLER\NPROTECT\00005137.exe
Adware:Adware/Lop No disinfected C:\RECYCLER\NPROTECT\00005139.del
Adware:Adware/Lop No disinfected C:\RECYCLER\NPROTECT\00005141.EXE
Adware:Adware/Lop No disinfected C:\RECYCLER\NPROTECT\00005142.exe
Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-3403473811-1582333133-359561344-1008\Dc13\Admin Okay Bleh Junk.exe
Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-3403473811-1582333133-359561344-1008\Dc13\gridflag4.exe
Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-3403473811-1582333133-359561344-1008\Dc13\pure army nurb.exe
Adware:Adware/Lop No disinfected C:\RECYCLER\S-1-5-21-3403473811-1582333133-359561344-1008\Dc13\zzekhtrf.exe
Adware:Adware/NetPals No disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf
Adware:Adware Program No disinfected C:\WINDOWS\Downloaded Program Files\WildApp.inf
Adware:Adware/EasySearch No disinfected C:\WINDOWS\gkuig.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\hguxk.dll
Adware:Adware/IPInsight No disinfected C:\WINDOWS\inf\alchem.inf
Adware:Adware/WUpd No disinfected C:\WINDOWS\mserv32.exe
Adware:Adware/Look2Me No disinfected C:\WINDOWS\system\UpdInstall.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\AhxbI.exe
Adware:Adware/NetPals No disinfected C:\WINDOWS\system32\ATPartners.dll
Spyware:Spyware/BetterInet No disinfected C:\WINDOWS\system32\biU.exe
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\Ezg1p5.exe
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\kuwwd.dll
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\NDrv.exe
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\qpdak.dll
Adware:Adware/EasySearch No disinfected C:\WINDOWS\system32\qzwac.dll
Adware:Adware/VirtualBouncer No disinfected C:\WINDOWS\system32\SWRT01.dll
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\Ucsw.exe
Adware:Adware/PurityScan No disinfected C:\WINDOWS\system32\wintsvit.exe
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\xmlparse.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\xmltok.dll
Adware:Adware/MemoryWatcher No disinfected C:\WINDOWS\system32\Yfwz.exe
Adware:Adware/EasySearch No disinfected C:\WINDOWS\xbexi.dll





There it is.. thanks Michelle

[Michelle]

Definitely print these instructions out before continuing!
On the instructions you print out, I recommend putting a checkmark next to each one to make sure you get them all

This may take a little bit! Be sure to get all the files!

Click Here to download Killbox.
*Extract the program to your desktop and double-click on its folder, then double-click on Killbox.exe to start the program.
*In the killbox program, select the Delete on Reboot option.
*In the field labeled Full Path of File to Delete enter the items listed below ONE AT A TIME (EXACTLY as it appears, please double check to make sure! I would just copy each file path and paste it in the field):

C:\WINDOWS\Downloaded Program Files\WUInst.inf
C:\WINDOWS\System32\NDrv.dll
C:\WINDOWS\system32\ATPartners.dll
C:\WINDOWS\system32\SWRT??.dll
C:\WINDOWS\system32\SWRT01.dll
C:\WINDOWS\alchem.???
C:\WINDOWS\system\UpdInstall.exe
C:\WINDOWS\system32\kyf.dat
C:\Documents and Settings\All Users\Application Data\amok mapi first army\1first.exe
C:\Documents and Settings\All Users\Application Data\amok mapi first army\ANTI16.exe
C:\Documents and Settings\All Users\Application Data\amok mapi first army\bashwin.exe
C:\Documents and Settings\All Users\Application Data\amok mapi first army\Bind Knob.exe
C:\Documents and Settings\All Users\Application Data\amok mapi first army\Cast Eq.exe
C:\Documents and Settings\All Users\Application Data\amok mapi first army\does owns.exe
C:\Documents and Settings\All Users\Application Data\amok mapi first army\findbarb.exe
C:\Documents and Settings\All Users\Application Data\amok mapi first army\gram tick.exe
C:\Documents and Settings\All Users\Application Data\amok mapi first army\gramface.exe
C:\Documents and Settings\All Users\Application Data\amok mapi first army\info browse.exe
C:\Documents and Settings\All Users\Application Data\amok mapi first army\Long Pop.exe
C:\Documents and Settings\All Users\Application Data\amok mapi first army\mixbind.exe
C:\Documents and Settings\All Users\Application Data\amok mapi first army\Okaymath.exe
C:\Documents and Settings\All Users\Application Data\amok mapi first army\seekdumb.exe
C:\Documents and Settings\All Users\Application Data\amok mapi first army\Show Film.exe
C:\Documents and Settings\All Users\Application Data\amok mapi first army\Web Start.exe
C:\Documents and Settings\All Users\Application Data\BATISOARMYDEFAULT\AXIS PLAY.exe
C:\Documents and Settings\All Users\Application Data\BATISOARMYDEFAULT\BIB FREE.exe
C:\Documents and Settings\All Users\Application Data\BATISOARMYDEFAULT\soapclose.exe
C:\Documents and Settings\Default User\My Documents\Data\Data\popinstlite.exe
C:\Documents and Settings\Default User\My Documents\Data\popinstlite.exe
C:\Documents and Settings\Guest\Application Data\error hope\gridflag4.exe
C:\Documents and Settings\Guest\Application Data\error hope\pure army nurb.exe
C:\Documents and Settings\Guest\Application Data\error hope\ufyflovm.exe
C:\install-tag001.exe
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll
C:\Program Files\Windows ServeAd\WinAtServ.dll
C:\Program Files\Windows ServeAd\WinServSuit.exe
C:\Program Files\ytijg.dll
C:\RECYCLER\NPROTECT\00005137.exe
C:\RECYCLER\NPROTECT\00005139.del
C:\RECYCLER\NPROTECT\00005141.EXE
C:\RECYCLER\NPROTECT\00005142.exe
C:\RECYCLER\S-1-5-21-3403473811-1582333133-359561344-1008\Dc13\Admin Okay Bleh Junk.exe
C:\RECYCLER\S-1-5-21-3403473811-1582333133-359561344-1008\Dc13\gridflag4.exe
C:\RECYCLER\S-1-5-21-3403473811-1582333133-359561344-1008\Dc13\pure army nurb.exe
C:\RECYCLER\S-1-5-21-3403473811-1582333133-359561344-1008\Dc13\zzekhtrf.exe
C:\WINDOWS\Downloaded Program Files\ATPartners.inf
C:\WINDOWS\Downloaded Program Files\WildApp.inf
C:\WINDOWS\gkuig.dll
C:\WINDOWS\hguxk.dll
C:\WINDOWS\inf\alchem.inf
C:\WINDOWS\mserv32.exe
C:\WINDOWS\system\UpdInstall.exe
C:\WINDOWS\system32\AhxbI.exe
C:\WINDOWS\system32\ATPartners.dll
C:\WINDOWS\system32\biU.exe
C:\WINDOWS\system32\Ezg1p5.exe
C:\WINDOWS\system32\kuwwd.dll
C:\WINDOWS\system32\NDrv.exe
C:\WINDOWS\system32\qpdak.dll
C:\WINDOWS\system32\qzwac.dll
C:\WINDOWS\system32\SWRT01.dll
C:\WINDOWS\system32\Ucsw.exe
C:\WINDOWS\system32\wintsvit.exe
C:\WINDOWS\system32\xmlparse.dll
C:\WINDOWS\system32\xmltok.dll
C:\WINDOWS\system32\Yfwz.exe
C:\WINDOWS\xbexi.dll

Press the button that looks like a red circle with a white X in it after each one. When it asks if you would like to delete on reboot, press the YES button, when it asks if you want to reboot now, press the NO button. Do this after each one until you have entered the LAST file path I have listed above. After that LAST file path (C:\WINDOWS\xbexi.dll) has been entered press the YES button at both prompts so that your computer restarts.

While it's restarting tap the F8 key continually until a menu appears, use your up arrow key to highlight Safe Mode then hit enter.

Using Windows Explorer, delete the following files/folders (in bold):

C:\Documents and Settings\Greg\Favorites\-Autos-
C:\Program Files\Common Files\Totem Shared
C:\WINDOWS\system32\FLEOK
C:\Program Files\Common Files\sq
C:\Program Files\Media\Media
C:\Program Files\Common Files\Dpi
C:\Documents and Settings\Greg\Application Data\Lycos
C:\Program Files\Windows ServeAd
C:\Documents and Settings\Greg\Favorites\Sites about\Ab scissor.url
C:\Documents and Settings\All Users\Application Data\amok mapi first army
C:\Documents and Settings\All Users\Application Data\BATISOARMYDEFAULT
C:\Documents and Settings\Default User\My Documents\Data\Data
C:\Documents and Settings\Guest\Application Data\error hope
C:\Program Files\AWS\WeatherBug

After that is done, please run ActiveScan again and paste a new log to see if anything is left!

Michelle

[GregDavid]

after entering all the files in killbox, and hitting yes to both prompts at the last one, i get a message saying "PendingFileRenameOperations Registry Data has been removed by external process" should i still restart or should i load killbox again and try again or should i just manually restart?

p.s. would it matter if i accidentally entered a few in twice?

Greg:)

[Michelle]

That's fine - nothing to worry about. Go ahead and restart your computer into safe mode and delete the folders I have listed. Then reboot into normal mode and run ActiveScan again and post a new log to see what we have left to get rid of (if anything)!

Michelle

Edited by bananafanafo, 30 March 2005 - 11:35 AM.

[GregDavid]

ummm... im not getting activescan to show in IE.. it says that its done, but theres just a blank window.. even the link from the website is giving me the same thing.. should i restert my computer or will that effect the results of cleaning?