Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

wininet.dll infected with W32.Desktophijack virus [RESOLVED]


  • This topic is locked This topic is locked

#1
justsumguru

justsumguru

    Member

  • Member
  • PipPip
  • 20 posts
MOVED POST FROM ANOTHER PERSON'S THREAD

_____________________________________________________________
Windows XP Home
Symantec Antivirus is picking up that the wininet.dll is infected with W32.Desktophijack.

A bit of history.

I managed to get rid of intell32.exe and ps guard and a host of other spy ware.

Spy sweeper found 225 things.
I just installed Adaware SE Pro. Should I run that?

This thing is pain. And it's not even my computer.

Thanks

BTW: I have posted my wininet.dll file in the forum where you said to post it and pointed back to this thread.

Edit to my post.
I'm pretty comfortable editing .dll's and the registry. Can't I just remove the NUL-C:\program files\mywebssearch\bar\1.bin\mwsoestb.dll and mwsoemon.exe code lines?
  • 0

Advertisements


#2
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

We recommend not removing anything yet. Let's try to get them altogether :tazz:

Please read this topic and follow the steps outlined there.
  • 0

#3
justsumguru

justsumguru

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
No luck in completing Step One.

I was able to run Clean up with no problem...1.5 GB of stuff cleaned
I'm trying to run Adaware right now and a popup comes up (BTW popuper.exe is back) during the scan of C:\windows\options\cabs\base2.cab.

Once the popup comes, Adware stops responding. :tazz:

CPU usuage for Adware is 95%

Now what? ;)
  • 0

#4
justsumguru

justsumguru

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
I left it alone while I was busy looking around the net on this computer and found Adaware still running.

Finally completed a scan using Adaware - 1785 objects found
Ran CWS
Ran Spybot

No luck. The same threat is present and a few more such as popuper.exe

What should I do now? Thanks for your help to date.

JSG

Edited by justsumguru, 02 August 2005 - 12:40 AM.

  • 0

#5
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Please follow all the steps outlined in that topic link I gave you.

At the end, I want you to post a HijackThis log. That's where the real action sets in :tazz:

I will ask a Moderator to move this topic to the Malware Forums since you posted in the wrong forum. You don't need to do anything, they will move it for us shortly ;)
  • 0

#6
justsumguru

justsumguru

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Thanks for checking up on my post greyknight17. I ran all the utils in the topic thread except the Antivirus because I noted that it said not to install more than one Antivirus program.

I ran the utils both in safe mode and normal mode. I can't seem to get rid of the thing no matter what I run (CWS, Clean Up, Spybot, Adaware, Spy Sweeper, NAV CE)

Hijack Log

Logfile of HijackThis v1.99.1
Scan saved at 8:02:05 AM, on 8/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msole32.exe
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ABK\abk.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\MySoftware\InterCom.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\EAUSBKBD.EXE
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.co...earch_frame.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://google.icq.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe -Show
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB002" /M "Stylus CX6400"
O4 - HKLM\..\Run: [C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe ] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Meca] C:\Program Files\Meca\\Meca.exe
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [ABK] C:\Program Files\ABK\abk.exe /q
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Hijackthis\HijackThis.exe /startupscan
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: MySoftware InterCom.lnk = C:\Program Files\Common Files\MySoftware\InterCom.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.c...s/ebraryRdr.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c11.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com.../gigexagent.dll
O16 - DPF: {72FF22A1-8BF1-11D5-9A3D-000021506A27} (ShClass Class) - http://216.226.129.108/short.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {855F3B16-6D32-4FE6-8A56-BBB695989046} - http://www.icq.com/c...ar/toolbaru.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.c...bio4_0_2_10.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://pv3fd.pav3.ho...ex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq....co/SysQuery.cab
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

Edited by justsumguru, 02 August 2005 - 07:09 AM.

  • 0

#7
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
We didn't expect these programs to remove it :tazz: It just cleans out the other junk for us first so we can fix it with less junk in the way.

OK, do you know what this program is for?

C:\Program Files\Common Files\MySoftware\InterCom.exe

Download smitRem.zip at http://noahdfear.gee.../click.php?id=1 and save the file to your desktop.
Unzip the file to it's own folder on the desktop.

Please download the trial version of Ewido Security Suite at http://www.ewido.net/en/download/ and read the Ewido setup instructions at http://rstones12.gee.../ewidosetup.htm. Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.gee...areSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O4 - HKLM\..\Run: [RegSvr32] C:\WINDOWS\system32\msmsgs.exe
O4 - HKCU\..\Run: [ABK] C:\Program Files\ABK\abk.exe /q - unless you know what this is for, fix it and uninstall it
O4 - Global Startup: PowerReg Scheduler.exe
O4 - Global Startup: MySoftware InterCom.lnk = C:\Program Files\Common Files\MySoftware\InterCom.exe
O9 - Extra button: (no name) - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: &Find Pages Linking to this URL - {06FE5D02-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: Find Other Pages on this &Host - {06FE5D03-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: (no name) - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV Live - {06FE5D04-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra 'Tools' menuitem: AV &Translate - {06FE5D05-8F11-11d2-804F-00105A133818} - http://search.presar...&c=3c00&LC=0409 (file missing)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup.../bridge-c11.cab


Open the smitRem folder and double click on the RunThis.bat file to start the tool. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

Delete these if found:

C:\WINDOWS\system32\msole32.exe
C:\Program Files\Ebates_MoeMoneyMaker\
C:\WINDOWS\system32\msmsgs.exe
C:\Program Files\ABK\


The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

* Click on scanner.
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with ewido it is finding cases of false positives.
* You will need to step through the process of cleaning files one-by-one.
* If Ewido detects a file you KNOW to be legitimate, select none as the action.
* Do NOT select 'Perform action on all infections'.
* If you are unsure of any entry found, select none for now.
* When the scan is finished, click the Save report button at the bottom of the screen.
* Save the report to your desktop.

Close Ewido.

Next go to Control Panel->Display->Desktop->Customize Desktop->Web-> Uncheck 'Security Info' if present.

Reboot back into Windows and go to http://www.pandasoft...n_principal.htm to do a full system scan. Make sure the autoclean box is checked. Save the scan log and post it along with a new HijackThis log, the contents of the smitfiles.txt log and the Ewido log (if you ran it).
  • 0

#8
justsumguru

justsumguru

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Panda still picked up some spyware it could not disinfect. All requested logs are posted below.

Oh yes and ABK is a program called Anti-Boss Key.

Logfile of HijackThis v1.99.1
Scan saved at 11:47:23 PM, on 8/2/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\EAUSBKBD.EXE
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\ABK\abk.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Yahoo!\Messenger\YPAGER.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe -Show
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB002" /M "Stylus CX6400"
O4 - HKLM\..\Run: [C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe ] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [ABK] C:\Program Files\ABK\abk.exe /q
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Hijackthis\HijackThis.exe /startupscan
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.c...s/ebraryRdr.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com.../gigexagent.dll
O16 - DPF: {72FF22A1-8BF1-11D5-9A3D-000021506A27} (ShClass Class) - http://216.226.129.108/short.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {855F3B16-6D32-4FE6-8A56-BBB695989046} - http://www.icq.com/c...ar/toolbaru.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.c...bio4_0_2_10.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://pv3fd.pav3.ho...ex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq....co/SysQuery.cab
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe





Incident Status Location

Spyware:spyware/betterinet No disinfected C:\WINDOWS\SYSTEM32\in10b6s.dll
Spyware:spyware/whazit No disinfected C:\WINDOWS\SYSTEM32\kyf.dat
Adware:adware/searchaid No disinfected C:\DOCUMENTS AND SETTINGS\STORM46\FAVORITES\Search the Web.url
Adware:adware/imgiant No disinfected C:\DOCUMENTS AND SETTINGS\STORM46\DESKTOP\Download Movies.url
Dialer:dialer generic No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\dialer.exe
Adware:adware/funweb No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.5.inf
Adware:adware/sahagent No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\sporder_.dll
Adware:adware/keenvalue No disinfected C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
Adware:adware/comet No disinfected C:\WINDOWS\INF\dm.inf
Dialer:dialer.bny No disinfected C:\WINDOWS\pcconfig.dat
Adware:adware/twain-tech No disinfected C:\WINDOWS\smdat32a.sys
Spyware:spyware/new.net No disinfected C:\WINDOWS\NDNuninstall4_88.exe
Adware:adware/downloadware No disinfected C:\PROGRAM FILES\MedCh
Adware:adware/powerscan No disinfected C:\PROGRAM FILES\Intrigue Learning
Adware:adware/p2pnetworking No disinfected C:\WINDOWS\SYSTEM32\P2P Networking
Spyware:spyware/cydoor No disinfected C:\WINDOWS\SYSTEM\AdCache
Adware:adware/mywebsearch No disinfected Windows Registry
Adware:Adware/KeenValue No disinfected C:\WINDOWS\SYSTEM32\in10b6s.dll
Adware:Adware/SAHAgent No disinfected C:\WINDOWS\SYSTEM32\xmltok.dll
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\SYSTEM32\P2P Networking v124.cpl.disabled
Adware:Adware/P2PNetworking No disinfected C:\WINDOWS\SYSTEM32\P2P Networking\MARSHAL2.DLL
Dialer:Dialer.Gen No disinfected C:\WINDOWS\Downloaded Program Files\webcam.exe
Adware:Adware/FunWeb No disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.5.inf
Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall4_88.exe
Adware:Adware/BrowserAid No disinfected C:\Documents and Settings.000\Owner\Local Settings\Temp\_PS_INST.EXE[rundll16.exe]
Adware:Adware/BrowserAid No disinfected C:\Documents and Settings.000\Owner\Local Settings\Temp\_PS_INST.EXE[rundll16.dll]
Adware:Adware/PortalScan No disinfected C:\Documents and Settings.000\Owner\Local Settings\Temporary Internet Files\Content.IE5\89ABI123\fsc2k[1].htm
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\OPTIMIZE.EXE
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\bundleinstall.exe
Adware:Adware/BrowserAid No disinfected C:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\_PS_INST.EXE
Adware:Adware/BrowserAid No disinfected C:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\_PS_INST.EXE[msiefr40.dll]
Adware:Adware/BrowserAid No disinfected C:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\_PS_INST.EXE[install.dll]
Adware:Adware/FunWeb No disinfected C:\Hijackthis\backups\backup-20050802-030155-721.inf
Adware:Adware/KeenValue No disinfected I:\WINDOWS\SYSTEM32\in10b6s.dll
Adware:Adware/SAHAgent No disinfected I:\WINDOWS\SYSTEM32\xmltok.dll
Adware:Adware/P2PNetworking No disinfected I:\WINDOWS\SYSTEM32\P2P Networking v124.cpl.disabled
Adware:Adware/P2PNetworking No disinfected I:\WINDOWS\SYSTEM32\P2P Networking\MARSHAL2.DLL
Dialer:Dialer.Gen No disinfected I:\WINDOWS\TEMP\nsiE7.exe
Dialer:Dialer.Gen No disinfected I:\WINDOWS\TEMP\nsiB9.exe
Dialer:Dialer.Gen No disinfected I:\WINDOWS\TEMP\nsi125.exe
Dialer:Dialer.Gen No disinfected I:\WINDOWS\TEMP\nsi13F.exe
Dialer:Dialer.Gen No disinfected I:\WINDOWS\TEMP\nsi128.exe
Adware:Adware/IESearchBar No disinfected I:\WINDOWS\TEMP\temp.cab[stoolbar.dll]
Adware:Adware/MSView No disinfected I:\WINDOWS\TEMP\msiein\CAB37729.8103454861\MSView.inf
Dialer:Dialer.Gen No disinfected I:\WINDOWS\Downloaded Program Files\webcam.exe
Adware:Adware/FunWeb No disinfected I:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.5.inf
Adware:Adware/SAHAgent No disinfected I:\WINDOWS\Downloaded Program Files\xmltok_.dll
Spyware:Spyware/New.net No disinfected I:\WINDOWS\NDNuninstall4_88.exe
Adware:Adware/FunWeb No disinfected I:\Program Files\FunWebProducts\Installr\1.bin\F3EZSETP.DLL
Adware:Adware/FunWeb No disinfected I:\Program Files\FunWebProducts\Installr\f3Setup1.exe
Adware:Adware/FunWeb No disinfected I:\Program Files\MyWebSearch\bar\3.bin\F3POPSWT.DLL
Adware:Adware/MyWebSearch No disinfected I:\Program Files\MyWebSearch\bar\3.bin\M3OUTLCN.DLL
Adware:Adware/TVMedia No disinfected I:\Documents and Settings\LTRAIN69\Local Settings\Temp\Tvm.upd
Adware:Adware/BrowserAid No disinfected I:\Documents and Settings.000\Owner\Local Settings\Temp\_PS_INST.EXE[rundll16.exe]
Adware:Adware/BrowserAid No disinfected I:\Documents and Settings.000\Owner\Local Settings\Temp\_PS_INST.EXE[rundll16.dll]
Adware:Adware/PortalScan No disinfected I:\Documents and Settings.000\Owner\Local Settings\Temporary Internet Files\Content.IE5\89ABI123\fsc2k[1].htm
Spyware:Spyware/Dyfuca No disinfected I:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\OPTIMIZE.EXE
Spyware:Spyware/BargainBuddy No disinfected I:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\bundleinstall.exe
Adware:Adware/BrowserAid No disinfected I:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\_PS_INST.EXE
Adware:Adware/BrowserAid No disinfected I:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\_PS_INST.EXE[msiefr40.dll]
Adware:Adware/BrowserAid No disinfected I:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\_PS_INST.EXE[install.dll]


smitRem log file
version 2.3

by noahdfear

The current date is: Tue 08/02/2005
The current time is: 13:38:51.86

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

ShudderLTD key present! Running LTDFix!

ShudderLTD key was successfully removed! :tazz:


Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~

quick launch PSGuard spyware remover.lnk


~~~ Favorites ~~~

cars
sexual life
shopping
job search.url
poker.url
Black Jack Online.url
Black Jack Online.url
Home Loan.url
Network Security.url
Online Pharmacy.url
Remove Spyware.url
Spam Filters.url
Take It Here - Free * TGP.url
Web Detective.url
Online Gambling folder


~~~ system32 folder ~~~

intell32.exe
oleext.dll
ole32vbs.exe
msole32.exe
shnlog.exe
intmon.exe
hhk.dll
logfiles


~~~ Icons in System32 ~~~

viagra


~~~ Windows directory ~~~

sites.ini
popuper.exe


~~~ Drive root ~~~

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~

shopping


~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Wininet.dll ~~~

CLEAN! ;)



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:16:47 PM, 8/2/2005
+ Report-Checksum: ED415580

+ Scan result:

C:\WINDOWS\SYSTEM32\EGDHTML_1023.dll -> TrojanDownloader.Wintrim.h : Cleaned with backup
C:\WINDOWS\SYSTEM32\Amcis2.dll -> Spyware.Aureate : Cleaned with backup
C:\WINDOWS\SYSTEM32\SHAgentNew.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\celebxx2.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\WebP2PInstaller.dll -> TrojanDownloader.WebP2PInstaller : Cleaned with backup
C:\WINDOWS\PCTPTT.EXE -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\NDNuninstall4_80.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\clipg.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\WINDOWS\dr_uninstall.exe -> Trojan.Imiserv.c : Cleaned with backup
C:\Program Files\Netscape\Communicator\Program\Plugins\npwthost.dll -> Spyware.WildTangent : Cleaned with backup
C:\Program Files\Match It\Amcis2.dll -> Spyware.Aureate : Cleaned with backup
C:\Program Files\Match It\IPCClient.dll -> Spyware.Aureate : Cleaned with backup
C:\Program Files\Uninstall My Web Search.dll -> Spyware.MyWebSearch : Cleaned with backup
C:\cpmenu.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings.000\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings.000\Owner\Cookies\owner@mysearch[2].txt -> Spyware.Cookie.Mysearch : Cleaned with backup
C:\Documents and Settings.000\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Bpath : Cleaned with backup
C:\Documents and Settings.000\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Enigmasoftwaregroup : Cleaned with backup
C:\Documents and Settings.000\Owner\Cookies\owner@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\Cookies\ltrain69@mysearch[1].txt -> Spyware.Cookie.Mysearch : Cleaned with backup
C:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\LYCOS_SS.EXE -> Spyware.Sidesearch.a : Cleaned with backup
C:\Documents and Settings.000\LTRAIN69\Cookies\ltrain69@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings.000\LTRAIN69\Cookies\ltrain69@mysearch[1].txt -> Spyware.Cookie.Mysearch : Cleaned with backup
C:\Documents and Settings.000\LTRAIN69\Cookies\ltrain69@mysearch[4].txt -> Spyware.Cookie.Mysearch : Cleaned with backup
C:\Documents and Settings.000\LTRAIN69\Cookies\ltrain69@mysearch[2].txt -> Spyware.Cookie.Mysearch : Cleaned with backup
C:\Documents and Settings.000\LTRAIN69\Cookies\[email protected][2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Documents and Settings.000\LTRAIN69\Cookies\ltrain69@oxcash[1].txt -> Spyware.Cookie.Oxcash : Cleaned with backup
C:\Documents and Settings.000\LTRAIN69\Cookies\[email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings.000\LTRAIN69\Cookies\[email protected][1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings.000\LTRAIN69\Cookies\[email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings.000\LTRAIN69\Cookies\[email protected][2].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
C:\Documents and Settings.000\LTRAIN69\Cookies\[email protected][2].txt -> Spyware.Cookie.Bpath : Cleaned with backup
C:\Documents and Settings.000\LTRAIN69\Cookies\[email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
I:\WINDOWS\SYSTEM32\IPCClient.dll -> Spyware.Aureate : Cleaned with backup
I:\WINDOWS\SYSTEM32\EGDHTML_1023.dll -> TrojanDownloader.Wintrim.h : Cleaned with backup
I:\WINDOWS\SYSTEM32\Amcis2.dll -> Spyware.Aureate : Cleaned with backup
I:\WINDOWS\SYSTEM32\SHAgentNew.dll -> Spyware.BargainBuddy : Cleaned with backup
I:\WINDOWS\SYSTEM32\sahagent1013.exe -> Adware.SAHA : Cleaned with backup
I:\WINDOWS\Downloaded Program Files\celebxx2.exe -> Dialer.Generic : Cleaned with backup
I:\WINDOWS\Downloaded Program Files\WebP2PInstaller.dll -> TrojanDownloader.WebP2PInstaller : Cleaned with backup
I:\WINDOWS\PCTPTT.EXE -> Dialer.Generic : Cleaned with backup
I:\WINDOWS\newdotnet3_36.dll -> Spyware.NewDotNet : Cleaned with backup
I:\WINDOWS\NDNuninstall4_50.exe -> Spyware.NewDotNet : Cleaned with backup
I:\WINDOWS\NDNuninstall4_80.exe -> Spyware.NewDotNet : Cleaned with backup
I:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\npwthost.dll -> Spyware.WildTangent : Cleaned with backup
I:\WINDOWS\wt\wtupdates\wtwebdriver\files\3.3.1.001\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
I:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
I:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
I:\WINDOWS\clipg.exe -> Trojan.Imiserv.c : Cleaned with backup
I:\WINDOWS\salmbundle.exe -> Trojan.Imiserv.c : Cleaned with backup
I:\WINDOWS\dr_uninstall.exe -> Trojan.Imiserv.c : Cleaned with backup
I:\Program Files\Netscape\Communicator\Program\Plugins\npwthost.dll -> Spyware.WildTangent : Cleaned with backup
I:\Program Files\Match It\Amcis2.dll -> Spyware.Aureate : Cleaned with backup
I:\Program Files\Match It\IPCClient.dll -> Spyware.Aureate : Cleaned with backup
I:\Program Files\MySearch\bar\1.bin\NPMYSRCH.DLL -> Spyware.MyWay : Cleaned with backup
I:\Program Files\MySearch\bar\1.bin\S42NS.EXE -> Spyware.MyWay : Cleaned with backup
I:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE -> Spyware.MyWebSearch : Cleaned with backup
I:\Program Files\MyWebSearch\bar\3.bin\MWSOEPLG.DLL -> Spyware.MyWebSearch : Cleaned with backup
I:\cpmenu.exe -> Dialer.Generic : Cleaned with backup
I:\Documents and Settings\storm46\Local Settings\Temp\H4.dll -> Adware.MidADle : Cleaned with backup
I:\Documents and Settings\storm46\Local Settings\Temp\7RJnqMjW.dll -> Adware.MidADle : Cleaned with backup
I:\Documents and Settings\storm46\Cookies\storm46@2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
I:\Documents and Settings\storm46\Cookies\[email protected][2].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
I:\Documents and Settings\storm46\Cookies\[email protected][2].txt -> Spyware.Cookie.Euniverseads : Cleaned with backup
I:\Documents and Settings\storm46\Cookies\[email protected][1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
I:\Documents and Settings\storm46\Cookies\storm46@burstnet[2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
I:\Documents and Settings\Owner\Cookies\owner@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
I:\Documents and Settings\LTRAIN69\Local Settings\Temp\6AaTem.dll -> Adware.MidADle : Cleaned with backup
I:\Documents and Settings\LTRAIN69\Cookies\[email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
I:\Documents and Settings\LTRAIN69\Cookies\[email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
I:\Documents and Settings\LTRAIN69\Cookies\[email protected][1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
I:\Documents and Settings\LTRAIN69\Cookies\[email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
I:\Documents and Settings\LTRAIN69\Cookies\[email protected][2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
I:\Documents and Settings\LTRAIN69\Cookies\[email protected][2].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
I:\Documents and Settings\LTRAIN69\Cookies\ltrain69@y-1shz2prbmdj6wvny-1sez2pra2dj6wjmiancjefpwidj6x9ny-1seq-2-2.stats.esomniture[2].txt -> Spyware.Cookie.Esomniture : Cleaned with backup
I:\Documents and Settings\LTRAIN69\Cookies\ltrain69@hypertracker[1].txt -> Spyware.Cookie.Hypertracker : Cleaned with backup
I:\Documents and Settings\LTRAIN69\Cookies\ltrain69@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
I:\Documents and Settings\LTRAIN69\Cookies\ltrain69@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
I:\Documents and Settings\SWEETIE\Local Settings\Temp\LoDbqsa.dll -> Adware.MidADle : Cleaned with backup
I:\Documents and Settings\SWEETIE\Local Settings\Temp\LR01UW2.dll -> Adware.MidADle : Cleaned with backup
I:\Documents and Settings\SWEETIE\Local Settings\Temp\8T8l.dll -> Adware.MidADle : Cleaned with backup
I:\Documents and Settings\SWEETIE\Local Settings\Temp\mynut2.exe/enhupdt.exe -> TrojanDownloader.OneClickNetSearch.h : Cleaned with backup
I:\Documents and Settings\SWEETIE\Local Settings\Temp\0GY.dll -> Adware.MidADle : Cleaned with backup
I:\Documents and Settings\SWEETIE\Local Settings\Temp\w2RL2zB0z.dll -> Adware.MidADle : Cleaned with backup
I:\Documents and Settings\SWEETIE\Cookies\[email protected][1].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
I:\Documents and Settings\SWEETIE\Cookies\sweetie@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
I:\Documents and Settings\SWEETIE\Cookies\[email protected][1].txt -> Spyware.Cookie.Hitbox : Cleaned with backup
I:\Documents and Settings\SWEETIE\Cookies\sweetie@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
I:\Documents and Settings\SWEETIE\Cookies\sweetie@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
I:\Documents and Settings.000\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
I:\Documents and Settings.000\Owner\Cookies\owner@mysearch[2].txt -> Spyware.Cookie.Mysearch : Cleaned with backup
I:\Documents and Settings.000\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Bpath : Cleaned with backup
I:\Documents and Settings.000\Owner\Cookies\[email protected][1].txt -> Spyware.Cookie.Enigmasoftwaregroup : Cleaned with backup
I:\Documents and Settings.000\Owner\Cookies\owner@abetterinternet[2].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
I:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\Cookies\ltrain69@mysearch[1].txt -> Spyware.Cookie.Mysearch : Cleaned with backup
I:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\LYCOS_SS.EXE -> Spyware.Sidesearch.a : Cleaned with backup
I:\Documents and Settings.000\LTRAIN69\Cookies\ltrain69@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
I:\Documents and Settings.000\LTRAIN69\Cookies\ltrain69@mysearch[1].txt -> Spyware.Cookie.Mysearch : Cleaned with backup
I:\Documents and Settings.000\LTRAIN69\Cookies\ltrain69@mysearch[4].txt -> Spyware.Cookie.Mysearch : Cleaned with backup
I:\Documents and Settings.000\LTRAIN69\Cookies\ltrain69@mysearch[2].txt -> Spyware.Cookie.Mysearch : Cleaned with backup
I:\Documents and Settings.000\LTRAIN69\Cookies\[email protected][2].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
I:\Documents and Settings.000\LTRAIN69\Cookies\ltrain69@oxcash[1].txt -> Spyware.Cookie.Oxcash : Cleaned with backup
I:\Documents and Settings.000\LTRAIN69\Cookies\[email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
I:\Documents and Settings.000\LTRAIN69\Cookies\[email protected][1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
I:\Documents and Settings.000\LTRAIN69\Cookies\[email protected][2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
I:\Documents and Settings.000\LTRAIN69\Cookies\[email protected][2].txt -> Spyware.Cookie.Wegcash : Cleaned with backup
I:\Documents and Settings.000\LTRAIN69\Cookies\[email protected][2].txt -> Spyware.Cookie.Bpath : Cleaned with backup
I:\Documents and Settings.000\LTRAIN69\Cookies\[email protected][1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup


::Report End

Edited by justsumguru, 02 August 2005 - 10:59 PM.

  • 0

#9
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Uninstall MyWebSearch, FunWebProducts and P2P Networking via the Add/Remove Panel.

Delete these if found:

C:\DOCUMENTS AND SETTINGS\STORM46\DESKTOP\Download Movies.url
C:\DOCUMENTS AND SETTINGS\STORM46\FAVORITES\Search the Web.url
C:\DOCUMENTS AND SETTINGS\STORM46\FAVORITES\shopping
C:\Hijackthis\backups\backup-20050802-030155-721.inf
C:\PROGRAM FILES\Intrigue Learning
C:\PROGRAM FILES\MedCh
C:\WINDOWS\DOWNLOADED PROGRAM FILES\dialer.exe
C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.5.inf
C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.5.inf
C:\WINDOWS\DOWNLOADED PROGRAM FILES\sporder_.dll
C:\WINDOWS\Downloaded Program Files\webcam.exe
C:\WINDOWS\INF\dm.inf
C:\WINDOWS\NDNuninstall4_88.exe
C:\WINDOWS\NDNuninstall4_88.exe
C:\WINDOWS\pcconfig.dat
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\SYSTEM\AdCache
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bho
C:\WINDOWS\SYSTEM32\in10b6s.dll
C:\WINDOWS\SYSTEM32\in10b6s.dll
C:\WINDOWS\SYSTEM32\kyf.dat
C:\WINDOWS\SYSTEM32\P2P Networking
C:\WINDOWS\SYSTEM32\P2P Networking v124.cpl.disabled
C:\WINDOWS\SYSTEM32\P2P Networking\MARSHAL2.DLL
C:\WINDOWS\SYSTEM32\xmltok.dll
I:\Program Files\FunWebProducts\
I:\Program Files\MyWebSearch\
I:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.5.inf
I:\WINDOWS\Downloaded Program Files\webcam.exe
I:\WINDOWS\Downloaded Program Files\xmltok_.dll
I:\WINDOWS\NDNuninstall4_88.exe
I:\WINDOWS\SYSTEM32\in10b6s.dll
I:\WINDOWS\SYSTEM32\P2P Networking v124.cpl.disabled
I:\WINDOWS\SYSTEM32\P2P Networking\
I:\WINDOWS\SYSTEM32\xmltok.dll


Download CleanUp! and install it. Then run it and click on Options. Uncheck the entry to clean out all user temp files (I think it's the second to last entry). You may also uncheck delete Newsgroup .... if you use Newsgroup - if not, you may leave it as is. Hit OK. Then click on CleanUp button. When done, logoff. Login again.

Restart and give me a new Panda log. Give me this log also:

Download L2MFix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts. Then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening. After a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 or any other files in the l2mfix folder until you are asked to do so!
  • 0

#10
justsumguru

justsumguru

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
MyWebSearch, FunWebProducts and P2P Networking were not in the Control Panel so I could not remove them from there.

I did find and delete the P2P Networking folder. Did not find My WebSearch and Fun WebProducts anywhere.

There are not in the paths that the new Panda log says they are :tazz:

New Logs


Incident Status Location

Spyware:spyware/whazit No disinfected C:\WINDOWS\SYSTEM32\fiz1
Dialer:dialer generic No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\dialer.exe
Adware:adware/funweb No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.5.inf
Adware:adware/sahagent No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\sporder_.dll
Adware:adware/comet No disinfected C:\WINDOWS\INF\dm.PNF
Spyware:spyware/betterinet No disinfected C:\WINDOWS\susp.ini
Adware:adware/mywebsearch No disinfected Windows Registry
Possible Virus. No disinfected C:\WINDOWS\Downloaded Program Files\dialer.exe
Dialer:Dialer.Gen No disinfected C:\WINDOWS\Downloaded Program Files\webcam.exe
Adware:Adware/FunWeb No disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.5.inf
Possible Virus. No disinfected C:\Program Files\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe
Possible Virus. No disinfected C:\cpclient.exe
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
Possible Virus. No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\ProcessViewer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vi
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\dialer.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vi
No disinfected C:\Documents and Settings\storm46\Local Settings\Temp\ASHeuristic\cpclient.exe.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.vir.
Adware:Adware/BrowserAid No disinfected C:\Documents and Settings.000\Owner\Local Settings\Temp\_PS_INST.EXE.tcf[rundll16.exe]
Adware:Adware/BrowserAid No disinfected C:\Documents and Settings.000\Owner\Local Settings\Temp\_PS_INST.EXE.tcf[rundll16.dll]
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\bundleinstall.exe.tcf
Adware:Adware/BrowserAid No disinfected C:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\_PS_INST.EXE.tcf
Adware:Adware/BrowserAid No disinfected C:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\_PS_INST.EXE.tcf[msiefr40.dll]
Adware:Adware/BrowserAid No disinfected C:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\_PS_INST.EXE.tcf[install.dll]
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\OPTIMIZE.EXE.tcf
No disinfected I:\WINDOWS\Orgasm.exe
Dialer:Dialer.Gen No disinfected I:\WINDOWS\TEMP\nsiE7.exe
Dialer:Dialer.Gen No disinfected I:\WINDOWS\TEMP\nsiB9.exe
Dialer:Dialer.Gen No disinfected I:\WINDOWS\TEMP\nsi125.exe
Dialer:Dialer.Gen No disinfected I:\WINDOWS\TEMP\nsi13F.exe
Dialer:Dialer.Gen No disinfected I:\WINDOWS\TEMP\nsi128.exe
Adware:Adware/IESearchBar No disinfected I:\WINDOWS\TEMP\temp.cab[stoolbar.dll]
Adware:Adware/MSView No disinfected I:\WINDOWS\TEMP\msiein\CAB37729.8103454861\MSView.inf
No disinfected I:\WINDOWS\Downloaded Program Files\dialer.exe
Dialer:Dialer.Gen No disinfected I:\WINDOWS\Downloaded Program Files\webcam.exe
Adware:Adware/FunWeb No disinfected I:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.5.inf
Adware:Adware/SAHAgent No disinfected I:\WINDOWS\Downloaded Program Files\xmltok_.dll
No disinfected I:\cpclient.exe
Adware:Adware/TVMedia No disinfected I:\Documents and Settings\LTRAIN69\Local Settings\Temp\Tvm.upd
Adware:Adware/BrowserAid No disinfected I:\Documents and Settings.000\Owner\Local Settings\Temp\_PS_INST.EXE.tcf[rundll16.exe]
Adware:Adware/BrowserAid No disinfected I:\Documents and Settings.000\Owner\Local Settings\Temp\_PS_INST.EXE.tcf[rundll16.dll]
Adware:Adware/BrowserAid No disinfected I:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\_PS_INST.EXE.tcf
Adware:Adware/BrowserAid No disinfected I:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\_PS_INST.EXE.tcf[msiefr40.dll]
Adware:Adware/BrowserAid No disinfected I:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\_PS_INST.EXE.tcf[install.dll]
Spyware:Spyware/Dyfuca No disinfected I:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\OPTIMIZE.EXE.tcf
Spyware:Spyware/BargainBuddy No disinfected I:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\bundleinstall.exe.tcf

L2M Log is in the next post because it keeps getting cut off for some reason ;)

Edited by justsumguru, 04 August 2005 - 11:38 AM.

  • 0

Advertisements


#11
justsumguru

justsumguru

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
"YPC 3.2.0"="Yahoo! Parental Controls"

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"=""
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{568804CA-CBD7-11d0-9816-00C04FD91972}"="Menu Shell Folder"
"{5b4dae26-b807-11d0-9815-00c04fd91972}"="Menu Band"
"{8278F931-2A3E-11d2-838F-00C04FD918D0}"="Tracking Shell Menu"
"{E13EF4E4-D2F2-11d0-9816-00C04FD91972}"="Menu Site"
"{ECD4FC4F-521C-11D0-B792-00A0C90312E1}"="Menu Desk Bar"
"{D82BE2B0-5764-11D0-A96E-00C04FD705A2}"="IShellFolderBand"
"{0E5CBF21-D15F-11d0-8301-00AA005B4383}"="&Links"
"{7487cd30-f71a-11d0-9ea7-00805f714772}"="Thumbnail Image"
"{8BEBB290-52D0-11D0-B7F4-00C04FD706EC}"="Thumbnails"
"{8DE56A0D-E58B-41FE-9F80-3563CDCB2C22}"="Default Image Extrator for Properties"
"{450D8FBA-AD25-11D0-98A8-0800361B1103}"="MyDocs Folder"
"{1A9BA3A0-143A-11CF-8350-444553540000}"="Shell Favorite Folder"
"{20D04FE0-3AEA-1069-A2D8-08002B30309D}"="My Computer"
"{86747AC0-42A0-1069-A2E6-08002B30309D}"="Briefcase Folder"
"{0AFACED1-E828-11D1-9187-B532F1E9575D}"="Folder Shortcut"
"{12518493-00B2-11d2-9FA5-9E3420524153}"="Mounted Volume"
"{21B22460-3AEA-1069-A2DC-08002B30309D}"="File Property Page Extension"
"{B091E540-83E3-11CF-A713-0020AFD79762}"="File Types Page"
"{FBF23B41-E3F0-101B-8488-00AA003E56F8}"="MIME File Types Hook"
"{C2FBB630-2971-11d1-A18C-00C04FD75D13}"="Microsoft CopyTo Service"
"{C2FBB631-2971-11d1-A18C-00C04FD75D13}"="Microsoft MoveTo Service"
"{13709620-C279-11CE-A49E-444553540000}"="Shell Automation Service"
"{62112AA1-EBE4-11cf-A5FB-0020AFE7292D}"="Shell Automation Folder View"
"{4622AD11-FF23-11d0-8D34-00A0C90F2719}"="Start Menu"
"{7BA4C740-9E81-11CF-99D3-00AA004AE837}"="Microsoft SendTo Service"
"{D969A300-E7FF-11d0-A93B-00A0C90F2719}"="Microsoft New Object Service"
"{09799AFB-AD67-11d1-ABCD-00C04FC30936}"="Open With Context Menu Handler"
"{3FC0B520-68A9-11D0-8D77-00C04FD70822}"="Display Control Panel HTML Extensions"
"{75048700-EF1F-11D0-9888-006097DEACF9}"="ActiveDesktop"
"{6D5313C0-8C62-11D1-B2CD-006097DF8C11}"="Folder Options Property Page Extension"
"{57651662-CE3E-11D0-8D77-00C04FC99D61}"="CmdFileIcon"
"{4657278A-411B-11d2-839A-00C04FD918D0}"="Shell Drag and Drop helper"
"{5464D816-CF16-4784-B9F3-75C0DB52B499}"="Yahoo! Mail"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{7C9D5882-CB4A-4090-96C8-430BFE8B795B}"="Webroot Spy Sweeper Context Menu Integration"
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}"="LDVP Shell Extensions"
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"="TrojanHunter Menu Shell Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{BD472F60-27FA-11cf-B8B4-444553540000}]
@="Compressed Folder Right Drag Handler"

[HKEY_CLASSES_ROOT\CLSID\{BD472F60-27FA-11cf-B8B4-444553540000}\InProcServer32]
@=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,74,00,25,\
00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,7a,00,69,00,\
70,00,66,00,6c,00,64,00,72,00,2e,00,64,00,6c,00,6c,00,00,00
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
xpsp3res.dll Mon May 16 2005 7:25:36p ..... 15,360 15.00 K
itircl.dll Thu May 26 2005 9:04:28p A.... 155,136 151.50 K
itss.dll Thu May 26 2005 9:04:28p A.... 137,216 134.00 K
hhsetup.dll Thu May 26 2005 9:04:28p A.... 41,472 40.50 K
wups.dll Thu May 26 2005 4:16:30a A.... 41,240 40.27 K
cdm.dll Thu May 26 2005 4:16:24a A.... 75,544 73.77 K
iuengine.dll Thu May 26 2005 4:16:24a A.... 198,424 193.77 K
wuapi.dll Thu May 26 2005 4:16:30a A.... 465,176 454.27 K
wuaueng.dll Thu May 26 2005 4:16:30a A.... 1,343,768 1.28 M
wuaueng1.dll Thu May 26 2005 4:16:30a A.... 194,328 189.77 K
wucltui.dll Thu May 26 2005 4:16:30a A.... 127,256 124.27 K
wups2.dll Thu May 26 2005 4:16:30a A.... 18,200 17.77 K
wuweb.dll Thu May 26 2005 4:16:30a A.... 173,536 169.47 K
mscms.dll Tue Jun 28 2005 8:46:00p A.... 74,240 72.50 K
icm32.dll Tue Jun 28 2005 8:46:00p A.... 254,976 249.00 K
s32evnt1.dll Sun Jul 31 2005 11:34:52p A.... 83,208 81.26 K

16 items found: 16 files, 0 directories.
Total of file sizes: 3,399,080 bytes 3.24 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is DRV2_VOL1
Volume Serial Number is 640F-661A

Directory of C:\WINDOWS\System32

02/21/2005 08:23 AM <DIR> Microsoft
02/21/2005 08:22 AM <DIR> dllcache
03/14/2004 08:10 AM 1,020 ZevIhUUP.8r9
02/23/2004 06:58 PM 1,180 FmrCj.a90
02/22/2004 02:38 PM 1,180 Kej7.b76
02/22/2004 02:38 PM 1,180 UbgrXPno.dwc
02/21/2004 08:36 AM 1,180 Oval63H.i9q
02/15/2004 12:41 PM 1,104 TagqXPmo.dwc
01/05/2004 08:41 PM 1,020 Elq0i.a99
01/05/2004 07:41 PM 1,020 MtyJ62K.mbu
01/05/2004 06:41 PM 1,020 VchsZQoq.fye
01/05/2004 05:41 PM 1,104 Elq0i.z89
12/30/2003 06:09 PM 1,104 Cjp9g.y89
12/15/2003 06:38 PM 1,104 Oval63H.j9q
12 File(s) 13,216 bytes
2 Dir(s) 20,284,669,952 bytes free
  • 0

#12
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
So all those files can't be found? They should be in My Computer->C: drive->...whatever the path of them are listed in...

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say no:

I:\WINDOWS\Orgasm.exe
I:\WINDOWS\Downloaded Program Files\dialer.exe
I:\WINDOWS\Downloaded Program Files\webcam.exe
I:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.5.inf
I:\WINDOWS\Downloaded Program Files\xmltok_.dll
I:\cpclient.exe
C:\WINDOWS\SYSTEM32\fiz1
C:\WINDOWS\DOWNLOADED PROGRAM FILES\dialer.exe
C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.5.inf
C:\WINDOWS\DOWNLOADED PROGRAM FILES\sporder_.dll
C:\WINDOWS\INF\dm.PNF
C:\WINDOWS\susp.ini
C:\WINDOWS\Downloaded Program Files\dialer.exe
C:\WINDOWS\Downloaded Program Files\webcam.exe
C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.5.inf
C:\cpclient.exe


Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing Enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2MFix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new HijackThis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!
  • 0

#13
justsumguru

justsumguru

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
L2Mfix 1.03a

Running From:
C:\Documents and Settings\storm46\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\storm46\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\storm46\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1396 'explorer.exe'
Killing PID 1396 'explorer.exe'
Killing PID 1396 'explorer.exe'
Killing PID 1396 'explorer.exe'
Killing PID 1396 'explorer.exe'
Killing PID 1396 'explorer.exe'
Killing PID 1396 'explorer.exe'
Killing PID 1396 'explorer.exe'
Killing PID 1396 'explorer.exe'
Killing PID 1396 'explorer.exe'
Killing PID 1396 'explorer.exe'
Killing PID 1396 'explorer.exe'
Killing PID 1396 'explorer.exe'
Killing PID 1396 'explorer.exe'
Killing PID 1396 'explorer.exe'
Killing PID 1396 'explorer.exe'
Killing PID 1396 'explorer.exe'
Killing PID 1396 'explorer.exe'
Killing PID 1396 'explorer.exe'
Killing PID 1396 'explorer.exe'
Killing PID 1396 'explorer.exe'
Killing PID 1396 'explorer.exe'
Killing PID 1396 'explorer.exe'
Killing PID 1396 'explorer.exe'
Killing PID 1396 'explorer.exe'
Killing PID 1396 'explorer.exe'
Killing PID 1396 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Desktop.ini sucessfully removed


Zipping up files for submission:
adding: echo.reg (deflated 9%)
adding: clear.reg (deflated 22%)
adding: desktop.ini (stored 0%)
adding: readme.txt (deflated 49%)
adding: direct.txt (stored 0%)
adding: report.txt (deflated 64%)
adding: 08042005report.txt (deflated 64%)
adding: lo2.txt (deflated 76%)
adding: test2.txt (deflated 12%)
adding: test3.txt (stored 0%)
adding: test5.txt (stored 0%)
adding: test.txt (stored 0%)
adding: backregs/shell.reg (deflated 74%)
adding: backregs/BD472F60-27FA-11cf-B8B4-444553540000.reg (deflated 64%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{BD472F60-27FA-11cf-B8B4-444553540000}"=-
[-HKEY_CLASSES_ROOT\CLSID\{BD472F60-27FA-11cf-B8B4-444553540000}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************



Logfile of HijackThis v1.99.1
Scan saved at 11:33:12 PM, on 8/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\BTTNSERV.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\COMPAQ\EASYAC~1\EAUSBKBD.EXE
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe
C:\Program Files\ISP50\bin\bartshel.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\PROGRA~1\ISP50\bin\ppshared.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_3_12_0.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\cpqeadm.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [EPSON Stylus C42 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC1.EXE /P23 "EPSON Stylus C42 Series" /O6 "USB001" /M "Stylus C42"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [YBrowser] C:\Program Files\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [SBC Yahoo! Connection Manager] C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe -Show
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [Bart Station] C:\Program Files\ISP50\hta\station.sbrt
O4 - HKLM\..\Run: [EPSON Stylus CX6400] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2L1.EXE /P19 "EPSON Stylus CX6400" /O6 "USB002" /M "Stylus CX6400"
O4 - HKLM\..\Run: [C:\Program Files\SBC Yahoo!\Connection Manager\ConnectionManager.exe ] SBC Yahoo! Connection Manager
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [ABK] C:\Program Files\ABK\abk.exe /q
O4 - HKCU\..\Run: [HijackThis startup scan] C:\Hijackthis\HijackThis.exe /startupscan
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.c...s/ebraryRdr.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} (yucsetreg Class) - C:\Program Files\Yahoo!\common\yucconfig.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6D5FCFCB-FA6C-4CFB-9918-5F0A9F7365F2} - http://www.gigex.com.../gigexagent.dll
O16 - DPF: {72FF22A1-8BF1-11D5-9A3D-000021506A27} (ShClass Class) - http://216.226.129.108/short.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {7D1E9C49-BD6A-11D3-87A8-009027A35D73} (Yahoo! Audio UI1) - http://chat.yahoo.com/cab/yacsui.cab
O16 - DPF: {855F3B16-6D32-4FE6-8A56-BBB695989046} - http://www.icq.com/c...ar/toolbaru.cab
O16 - DPF: {8714912E-380D-11D5-B8AA-00D0B78F3D48} (Yahoo! Webcam Upload Wrapper) - http://chat.yahoo.com/cab/yuplapp.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (&Yahoo! Companion) - http://us.dl1.yimg.c...bio4_0_2_10.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://pv3fd.pav3.ho...ex/HMAtchmt.ocx
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/bin/msnchat45.cab
O16 - DPF: {F5C90925-ABBF-4475-88F5-8622B452BA9E} (Compaq System Data Class) - http://www29.compaq....co/SysQuery.cab
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#14
greyknight17

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I want you to go to http://virusscan.jotti.org and upload the following files in this folder C:\WINDOWS\System32\

ZevIhUUP.8r9
FmrCj.a90
Kej7.b76
UbgrXPno.dwc
Oval63H.i9q
TagqXPmo.dwc
Elq0i.a99
MtyJ62K.mbu
VchsZQoq.fye
Elq0i.z89
Cjp9g.y89
Oval63H.j9q


Upload and submit them one at a time. See if any of them are reported as malware/trojan.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Run a new Panda scan and post the log here.
  • 0

#15
justsumguru

justsumguru

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
I checked all of the files below. None of them were reported as malware/trojans at http://virusscan.jotti.org.

ZevIhUUP.8r9
FmrCj.a90
Kej7.b76
UbgrXPno.dwc
Oval63H.i9q
TagqXPmo.dwc
Elq0i.a99
MtyJ62K.mbu
VchsZQoq.fye
Elq0i.z89
Cjp9g.y89
Oval63H.j9q


Then I ran clean up again. Followed all instructions as you requested.

Lastly ran a new Panda scan, but what I don't understand is why the files that Panda keeps finding are in the temp folder of 2 users and why is it saying it finds a funweb folder when I can't find it regardless of what user account I am logged in and of course making sure that all files are unhidden? Confusing! :tazz:

Not sure if this important or not but this computer has 2 hard drives. One was an old drive that had WindowsME on it, it now called the I: drive. The 2nd hard drive (the C:) is a new drive.

Thanks so far for you help. It is greatly appreciated! New panda log below:

Incident Status Location

Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\storm46\Desktop\l2mfix.exe[Process.exe]
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\storm46\Desktop\l2mfix\Process.exe
Adware:Adware/BrowserAid No disinfected C:\Documents and Settings.000\Owner\Local Settings\Temp\_PS_INST.EXE.tcf[rundll16.exe]
Adware:Adware/BrowserAid No disinfected C:\Documents and Settings.000\Owner\Local Settings\Temp\_PS_INST.EXE.tcf[rundll16.dll]
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\bundleinstall.exe.tcf
Adware:Adware/BrowserAid No disinfected C:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\_PS_INST.EXE.tcf
Adware:Adware/BrowserAid No disinfected C:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\_PS_INST.EXE.tcf[msiefr40.dll]
Adware:Adware/BrowserAid No disinfected C:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\_PS_INST.EXE.tcf[install.dll]
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\OPTIMIZE.EXE.tcf
Dialer:Dialer.Gen No disinfected I:\WINDOWS\TEMP\nsiE7.exe
Dialer:Dialer.Gen No disinfected I:\WINDOWS\TEMP\nsiB9.exe
Dialer:Dialer.Gen No disinfected I:\WINDOWS\TEMP\nsi125.exe
Dialer:Dialer.Gen No disinfected I:\WINDOWS\TEMP\nsi13F.exe
Dialer:Dialer.Gen No disinfected I:\WINDOWS\TEMP\nsi128.exe
Adware:Adware/IESearchBar No disinfected I:\WINDOWS\TEMP\temp.cab[stoolbar.dll]
Adware:Adware/MSView No disinfected I:\WINDOWS\TEMP\msiein\CAB37729.8103454861\MSView.inf
Adware:Adware/TVMedia No disinfected I:\Documents and Settings\LTRAIN69\Local Settings\Temp\Tvm.upd
Adware:Adware/BrowserAid No disinfected I:\Documents and Settings.000\Owner\Local Settings\Temp\_PS_INST.EXE.tcf[rundll16.exe]
Adware:Adware/BrowserAid No disinfected I:\Documents and Settings.000\Owner\Local Settings\Temp\_PS_INST.EXE.tcf[rundll16.dll]
Adware:Adware/BrowserAid No disinfected I:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\_PS_INST.EXE.tcf
Adware:Adware/BrowserAid No disinfected I:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\_PS_INST.EXE.tcf[msiefr40.dll]
Adware:Adware/BrowserAid No disinfected I:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\_PS_INST.EXE.tcf[install.dll]
Spyware:Spyware/Dyfuca No disinfected I:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\OPTIMIZE.EXE.tcf
Spyware:Spyware/BargainBuddy No disinfected I:\Documents and Settings.000\LTRAIN69\Local Settings\Temp\bundleinstall.exe.tcf

Edited by justsumguru, 06 August 2005 - 08:28 AM.

  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP