JAVA VIRUS(ES) / CAN'T DELETE [CLOSED]

This topic is locked.
#1 gatsu (Member, 16 posts)
I got a list of viruses that I can't delete in any way, shape or form with Norton or AVG. The majority seem to be Java classes.

I downloaded HijackThis and it gave me this:

Logfile of HijackThis v1.99.1
Scan saved at 7:24:30 PM, on 8/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\valve\steam\steam.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Documents and Settings\Glen\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O4 - HKLM\..\Run: [diagent] C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] C:\Program Files\MSN Messenger\MsnMsgr.Exe /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab30149.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O20 - Winlogon Notify: pcexp - C:\WINDOWS\Fonts\pcexp.dll (file missing)
O20 - Winlogon Notify: ssvc - C:\WINDOWS\repair\ssvc.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\System32\MsPMSPSv.exe (file missing)
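
The O20 and O23 lines are where the damage shows in this log: the two Winlogon Notify packages point at DLLs under C:\WINDOWS\Fonts and C:\WINDOWS\repair, which no stock notification package does (the built-in ones are bare DLL names that resolve from System32), and both files are reported missing, as is the binary behind the WMDM PMSP service and the file behind the orphaned R3 URLSearchHook. Below is an added Python example, not part of gatsu's post and not HijackThis code, that applies those rules to a handful of lines copied from the log above. It assumes the system root is C:\WINDOWS, as the log shows; the severity ranking is my own.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log in post #1, plus one
# benign O4 line so the rules have something to pass over.
HJT_SAMPLE = [
    r"R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)",
    r"O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP",
    r"O20 - Winlogon Notify: pcexp - C:\WINDOWS\Fonts\pcexp.dll (file missing)",
    r"O20 - Winlogon Notify: ssvc - C:\WINDOWS\repair\ssvc.dll (file missing)",
    r"O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe",
    r"O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\System32\MsPMSPSv.exe (file missing)",
]

# Assumption: the system root is C:\WINDOWS, as the posted log shows.
SYSTEM32 = "c:\\windows\\system32\\"

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?: \((?P<state>file missing)\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?: \((?P<state>file missing)\))?$")


@dataclass
class Finding:
    severity: str   # "high" | "medium" | "low"
    entry: str      # the HijackThis line that triggered the rule
    reason: str


def is_absolute(path):
    return re.match(r"^[a-z]:\\", path.lower()) is not None


def triage_hjt(lines):
    """Apply a few structural rules to HijackThis lines and return Finding objects."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if line.startswith("O20 - Winlogon Notify:"):
            m = O20_RE.match(line)
            if not m:
                continue
            path = m.group("path")
            missing = m.group("state") is not None
            # Stock notification packages are bare DLL names resolved from System32;
            # an absolute path into any other directory is the primary signal here.
            outside = is_absolute(path) and not path.lower().startswith(SYSTEM32)
            if outside or missing:
                reasons = []
                if outside:
                    reasons.append("Winlogon Notify DLL outside System32")
                if missing:
                    reasons.append("registered DLL is not on disk")
                findings.append(Finding("high" if outside else "medium", line, "; ".join(reasons)))
        elif line.startswith("O23 - Service:"):
            m = O23_RE.match(line)
            if m and m.group("state"):
                findings.append(Finding("low", line, f"service '{m.group('svc')}' points at a missing binary"))
        elif line.startswith("R3 - URLSearchHook:") and "(no file)" in line:
            findings.append(Finding("medium", line, "URLSearchHook CLSID registered with no backing file"))
    return findings


def by_severity(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage_hjt(HJT_SAMPLE):
        print(f"[{f.severity:6}] {f.reason}\n         {f.entry}")
```

A Notify DLL that reads "(file missing)" is not necessarily gone for good: the registry key alone makes winlogon.exe attempt the load at every boot, so both the key and whatever re-creates the file have to go, which is what the l2mfix step in the next reply is aimed at.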


#2 Rawe (Visiting Staff, 4,746 posts)
Hello and welcome to Geekstogo!

Please do the following;

Download the l2mfix from here;

http://www.atribune....oads/l2mfix.exe

http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double-click l2mfix.exe

Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.

Double-click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing Enter. This will scan your computer and it may appear nothing is happening; then, after a minute or two, Notepad will open with a log.

Copy the contents of that log and paste it into your next reply.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until I ask you to!

Note: if you receive any error messages for CMD or Autoexec.bat, select option 5 from l2mfix and, once at the site, click on the link that applies to your operating system!

Double-click the file it downloads and extract the files to its predetermined System32 folder!


- Rawe

#3 gatsu (Topic Starter, Member, 16 posts)
L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pcexp]
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"
"DllName"="C:\\WINDOWS\\Fonts\\pcexp.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssvc]
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000000
"Startup"="SysLogon"
"Logoff"="SysLogoff"
"DllName"="C:\\WINDOWS\\repair\\ssvc.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{E0D79304-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79305-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79306-84BE-11CE-9641-444553540000}"="WinZip"
"{E0D79307-84BE-11CE-9641-444553540000}"="WinZip"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
cdm.dll Thu May 26 2005 4:16:24a A.... 75,544 73.77 K
hhsetup.dll Thu May 26 2005 7:04:28p A.... 41,472 40.50 K
icm32.dll Tue Jun 28 2005 6:46:00p A.... 254,976 249.00 K
itircl.dll Thu May 26 2005 7:04:28p A.... 155,136 151.50 K
itss.dll Thu May 26 2005 7:04:28p A.... 137,216 134.00 K
iuengine.dll Thu May 26 2005 4:16:24a A.... 198,424 193.77 K
mscms.dll Tue Jun 28 2005 6:46:00p A.... 74,240 72.50 K
wuapi.dll Thu May 26 2005 4:16:30a A.... 465,176 454.27 K
wuaueng.dll Thu May 26 2005 4:16:30a A.... 1,343,768 1.28 M
wuaueng1.dll Thu May 26 2005 4:16:30a A.... 194,328 189.77 K
wucltui.dll Thu May 26 2005 4:16:30a A.... 127,256 124.27 K
wups.dll Thu May 26 2005 4:16:30a A.... 41,240 40.27 K
wups2.dll Thu May 26 2005 4:16:30a A.... 18,200 17.77 K
wuweb.dll Thu May 26 2005 4:16:30a A.... 173,536 169.47 K
xpsp3res.dll Mon May 16 2005 5:25:36p ..... 15,360 15.00 K

15 items found: 15 files, 0 directories.
Total of file sizes: 3,315,872 bytes 3.16 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is C43F-FA58

Directory of C:\WINDOWS\System32

07/18/2005 01:15 AM <DIR> dllcache
06/29/2004 08:57 PM <DIR> Microsoft
0 File(s) 0 bytes
2 Dir(s) 36,633,821,184 bytes free
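
The export above is the same two Notify entries in raw form, and it is easier to audit once the REG_EXPAND_SZ values are decoded: hex(2) is a comma-separated, NUL-terminated UTF-16LE string that regedit wraps across lines with a trailing backslash. Every stock package in the list (crypt32chain, cryptnet, cscdll, ScCertProp, Schedule, sclgntfy, SensLogn, termsrv, wlballoon) carries a bare DLL name; only pcexp and ssvc carry a full path, and into C:\WINDOWS\Fonts and C:\WINDOWS\repair at that. Explorer presents the Fonts folder as a font list, so a stray DLL there is easy to miss, and \repair is a directory most people never open. Below is an added Python example, mine rather than l2mfix's code or anything from the post, that parses a regedit 5.00 export, decodes the hex(2) values and flags any Notify package whose DllName is an absolute path outside System32. The sample is four subkeys copied from the export above, trimmed to the values that matter; the System32 location is assumed to be C:\WINDOWS\System32.

```python
import re

# Constructed sample: four subkeys copied from the L2MFix "Winlogon/notify" export in post #3
# (two stock entries and the two that point outside System32). The raw string keeps the
# .reg escaping intact, including the wrapped hex(2) value.
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\pcexp]
"Startup"="SysLogon"
"Logoff"="SysLogoff"
"DllName"="C:\\WINDOWS\\Fonts\\pcexp.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ssvc]
"Startup"="SysLogon"
"Logoff"="SysLogoff"
"DllName"="C:\\WINDOWS\\repair\\ssvc.dll"
"""

# Assumption: the system root is C:\WINDOWS, as the HijackThis log in post #1 shows.
SYSTEM32 = "c:\\windows\\system32\\"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
HEX2 = "hex(2):"


def decode_hex2(hex_text):
    """hex(2) is REG_EXPAND_SZ: comma-separated bytes of a NUL-terminated UTF-16LE string."""
    raw = bytes(int(b, 16) for b in hex_text.split(",") if b)
    return raw.decode("utf-16-le").rstrip("\x00")


def decode_scalar(data):
    if data.startswith('"') and data.endswith('"'):
        return data[1:-1].replace("\\\\", "\\")   # .reg doubles backslashes inside REG_SZ
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    return data


def parse_reg_export(text):
    """Return {key path: {value name: decoded value}} for a regedit 5.00 export."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                  # continuation of a wrapped hex(2) value
            name, acc = pending
            acc += line.rstrip("\\")
            if line.endswith("\\"):
                pending = (name, acc)
            else:
                keys[current][name] = decode_hex2(acc)
                pending = None
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, data = m.group("name"), m.group("data")
        if data.startswith(HEX2):
            body = data[len(HEX2):]
            if body.endswith("\\"):
                pending = (name, body.rstrip("\\"))
            else:
                keys[current][name] = decode_hex2(body)
        else:
            keys[current][name] = decode_scalar(data)
    return keys


def audit_notify(keys):
    """One (subkey, DllName, verdict) tuple per Winlogon Notify package."""
    results = []
    for path, values in keys.items():
        if "\\winlogon\\notify\\" not in path.lower():
            continue
        subkey = path.rsplit("\\", 1)[1]
        dll = next((v for k, v in values.items() if k.lower() == "dllname"), None)
        if dll is None:
            verdict = "suspicious: no DllName"
        elif "\\" in dll and not dll.lower().startswith(SYSTEM32):
            # stock packages are bare names resolved from System32; a full path elsewhere is the tell
            verdict = "suspicious: absolute path outside System32"
        else:
            verdict = "ok"
        results.append((subkey, dll, verdict))
    return results


def suspicious_packages(text):
    return [(s, d) for s, d, v in audit_notify(parse_reg_export(text)) if v.startswith("suspicious")]


if __name__ == "__main__":
    for subkey, dll, verdict in audit_notify(parse_reg_export(REG_SAMPLE)):
        print(f"{subkey:14} {verdict:45} {dll}")
```

A second tell that the script does not score but that is visible in the export: pcexp and ssvc are two different DLLs exporting the identical handler names SysLogon and SysLogoff, both registered Asynchronous=1, which no pair of the stock packages does.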

#4 Rawe (Visiting Staff, 4,746 posts)
Can you run the following online scan and post its results here along with a fresh HijackThis log:
Panda ActiveScan

- Rawe

#5 gatsu (Topic Starter, Member, 16 posts)
Thanks for your help, Rawe.

Here's my Panda post:

Incident Status Location

Adware:adware/wintools No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-6cfcc75b-53240b68.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar.jar-6a28554b-39ef3948.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar.jar-6a28554b-39ef3948.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar.jar-6a28554b-39ef3948.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar.jar-6a28554b-39ef3948.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1cf39f94-4524cd62.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1cf39f94-4524cd62.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1cf39f94-4524cd62.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1cf39f94-4524cd62.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4dd78ab8-54c3ff8f.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4dd78ab8-54c3ff8f.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4dd78ab8-54c3ff8f.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4dd78ab8-54c3ff8f.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-1723f32b.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-1723f32b.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-1723f32b.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-50757294-1723f32b.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3dbcfe4d-14668776.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3dbcfe4d-14668776.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3dbcfe4d-14668776.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3dbcfe4d-14668776.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-19dd330c-6ddeae52.class
Adware:Adware/CWS No disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-7c728-7df71b3f.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar.jar-6a28554b-36ce6521.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar.jar-6a28554b-36ce6521.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar.jar-6a28554b-36ce6521.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar.jar-6a28554b-36ce6521.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar.jar-6a595dd3-2317d77f.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar.jar-6a595dd3-2317d77f.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar.jar-6a595dd3-2317d77f.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ar.jar-6a595dd3-2317d77f.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2146f415-211e49cf.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2146f415-211e49cf.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2146f415-211e49cf.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2146f415-211e49cf.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2880d2c3-46114e05.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2880d2c3-46114e05.zip[VBUG.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2880d2c3-46114e05.zip[Dummy.class]
Adware:Adware/Startpage.JU No disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2880d2c3-46114e05.zip[Beyond.class]
Adware:Adware/Startpage.JU No disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2880d2c3-46114e05.zip[winmodem.exe]
Adware:Adware/Startpage.JK No disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2880d2c3-46114e05.zip[rundll32.exe]
Virus:Trj/Java.Binny.A Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3c6cf086-3203f60d.zip[Mein.class]
Virus:Trj/Java.Binny.A Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3c6cf086-3203f60d.zip[Beyond.class]
Virus:Trj/Java.Binny.A Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3c9df90e-516216d4.zip[Mein.class]
Virus:Trj/Java.Binny.A Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3c9df90e-516216d4.zip[Beyond.class]
Virus:Trj/Java.Binny.A Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-48b5f4f0-4ab63f10.zip[Mein.class]
Virus:Trj/Java.Binny.A Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-48b5f4f0-4ab63f10.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4a47d569-2fc60e83.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4a47d569-2fc60e83.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4a47d569-2fc60e83.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4a47d569-2fc60e83.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4ac41072-78467e52.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4ac41072-78467e52.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4ac41072-78467e52.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4ac41072-78467e52.zip[Beyond.class]
Virus:Trj/Java.Binny.A Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4d0f05d6-4e92fd71.zip[Mein.class]
Virus:Trj/Java.Binny.A Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-4d0f05d6-4e92fd71.zip[Beyond.class]
Virus:Trj/Java.Binny.A Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-55bd2b27-4dcad43f.zip[Mein.class]
Virus:Trj/Java.Binny.A Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-55bd2b27-4dcad43f.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6044f2e2-472b0987.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6044f2e2-472b0987.zip[VB.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6044f2e2-472b0987.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6044f2e2-472b0987.zip[Beyond.class]
Virus:Trj/Java.Binny.A Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-7a88ec85-472b9da8.zip[Mein.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1cf39f94-46c19112.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1cf39f94-46c19112.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1cf39f94-46c19112.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1cf39f94-46c19112.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-10e1f906.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-10e1f906.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-10e1f906.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fa9f21f-10e1f906.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fdafaa7-1a3873a4.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fdafaa7-1a3873a4.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fdafaa7-1a3873a4.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-2fdafaa7-1a3873a4.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4dd78ab8-49cd484c.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4dd78ab8-49cd484c.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4dd78ab8-49cd484c.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4dd78ab8-49cd484c.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4e089340-2951e581.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4e089340-2951e581.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4e089340-2951e581.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-4e089340-2951e581.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3dbcfe4d-1fc1c6c1.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3dbcfe4d-1fc1c6c1.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3dbcfe4d-1fc1c6c1.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3dbcfe4d-1fc1c6c1.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-409a96d6-603cbb49.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-409a96d6-603cbb49.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-409a96d6-603cbb49.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-409a96d6-603cbb49.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-652b4e66-5506bd8f.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-652b4e66-5506bd8f.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-652b4e66-5506bd8f.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-652b4e66-5506bd8f.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-54ac5934.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-54ac5934.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-54ac5934.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-54ac5934.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-351dd652.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-351dd652.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-351dd652.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-66caba6e-351dd652.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-1af6442d-5b742697.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-1af6442d-5b742697.zip[Beyond.class]
Adware:Adware/StartPage.gen No disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-1af6442d-5b742697.zip[web.exe]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-21c9a6a9-7f946f88.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-21c9a6a9-7f946f88.zip[Beyond.class]
Adware:Adware/StartPage.gen No disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-21c9a6a9-7f946f88.zip[web.exe]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counters.jar-e39aabf-5c78ed5c.zip[Counter.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counters.jar-e39aabf-5c78ed5c.zip[Gummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counters.jar-e39aabf-5c78ed5c.zip[VerifierBug.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counters.jar-e39aabf-5c78ed5c.zip[Xeyond.class]
Possible Virus. No disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counters.jar-e39aabf-5c78ed5c.zip[web.exe]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cout.jar-4c0f3ba1-6c650ea9.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cout.jar-4c0f3ba1-6c650ea9.zip[Beyond.class]
Adware:Adware/Startpage.NM No disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cout.jar-4c0f3ba1-6c650ea9.zip[web.exe]
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-36f3865a.zip[InstallerApplet.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderfox.jar-1833c950-59f9d0b5.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderfox.jar-1833c950-59f9d0b5.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-1b084c75-236b4a77.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-1b084c75-236b4a77.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-1b084c75-236b4a77.zip[NudeBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-1b084c75-236b4a77.zip[Worker.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-1b084c75-236b4a77.zip[VerifierBug.class]
Virus:Trj/Multidropper.NE Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\menu.jr-1b084c75-236b4a77.zip[javautil.zip]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-7ae96341-293d01f7.zip[GetAccess.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-7ae96341-293d01f7.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-7ae96341-293d01f7.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\msjld.jar-7ae96341-293d01f7.zip[Installer.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\proc.jar-571bc93f-2612eae2.zip[Jvb.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\proc.jar-571bc93f-2612eae2.zip[MainApp.class]
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\user\Desktop\l2mfix\l2mfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\user\Desktop\l2mfix\l2mfix.exe[Process.exe]
Possible Virus. No disinfected C:\WINDOWS\Cursors\faxc.exe
Possible Virus. No disinfected C:\WINDOWS\Registration\inettask.exe
Possible Virus. No disinfected C:\WINDOWS\system32\Cloisonne Demo.scr
Virus:Trj/VBStat.A Disinfected C:\WINDOWS\system32\ctts.exe
Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts
Virus:Trj/Pakes.S Disinfected C:\WINDOWS\system32\Macromed\Shockwave 10\jpegurl.dll
Hacktool:Hacktool/Processor No disinfected C:\WINDOWS\system32\Process.exe
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\~195304.tmp
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\~550876.tmp
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\~554886.tmp
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\~951652.tmp

Here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:20:28 PM, on 8/9/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Documents and Settings\Glen\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O4 - HKLM\..\Run: [diagent] C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] C:\Program Files\MSN Messenger\MsnMsgr.Exe /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab30149.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: pcexp - C:\WINDOWS\Fonts\pcexp.dll (file missing)
O20 - Winlogon Notify: ssvc - C:\WINDOWS\repair\ssvc.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\System32\MsPMSPSv.exe (file missing)
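As an added example (not part of this thread and not a HijackThis feature), here is a small Python triage script that reads a HijackThis log like the one above and flags the entries a helper reads first: R3 hooks and O20 Winlogon Notify entries pointing at files that no longer exist, O23 services with missing binaries, O16 ActiveX downloads, and O4 autoruns that launch a bare file name or a program from an unusual Windows system folder. The flagging rules are this editor's heuristics rather than verdicts from the tool, and the sample lines are copied from the log posted above.

```python
"""Flag the lines in a HijackThis log that a helper reads first.

Added example written for this thread; it is not part of HijackThis and the
rules are this editor's heuristics, not the tool's own verdicts.  Sample lines
are copied from the log posted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# First executable-looking token of an O4 autorun target, quoted or not.
EXE_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|com)|[^\s"]+\.(?:exe|dll|scr|com))', re.I)
# System folders that held malware in the Panda report earlier in this thread;
# an autorun pointing there deserves a close look.
ODD_SYSTEM_DIRS = ("\\windows\\fonts\\", "\\windows\\repair\\", "\\windows\\cursors\\",
                   "\\windows\\registration\\", "\\windows\\temp\\")

SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\System32\smss.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam.exe" -silent
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: pcexp - C:\WINDOWS\Fonts\pcexp.dll (file missing)
O20 - Winlogon Notify: ssvc - C:\WINDOWS\repair\ssvc.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\System32\MsPMSPSv.exe (file missing)
""".strip()


@dataclass
class Finding:
    section: str
    severity: str   # "high": almost always a remnant to remove; "review": verify by hand
    reason: str
    line: str


def classify(section: str, body: str, line: str) -> Optional[Finding]:
    if section == "R0" and body.rstrip().endswith("="):
        return Finding(section, "review", "blank IE search setting; HijackThis can reset it", line)
    if section == "R3" and "(no file)" in body:
        return Finding(section, "high", "URLSearchHook whose DLL no longer exists", line)
    if section == "O4":
        m = EXE_RE.search(body.split("] ", 1)[-1])
        if m:
            exe = m.group(1)
            if "\\" not in exe:
                return Finding(section, "review",
                               f"bare file name {exe!r}: Windows searches PATH for it, confirm which file runs", line)
            if any(d in exe.lower() for d in ODD_SYSTEM_DIRS):
                return Finding(section, "high", f"autorun launches from an unusual system folder: {exe}", line)
        return None
    if section == "O16":
        return Finding(section, "review", "ActiveX control downloaded from the web; confirm you recognise the publisher", line)
    if section == "O20":
        if "(file missing)" in body:
            return Finding(section, "high", "Winlogon Notify DLL is missing: orphaned entry", line)
        return Finding(section, "review", "Winlogon Notify DLL; verify it belongs to installed software", line)
    if section == "O23" and "(file missing)" in body:
        return Finding(section, "review", "service whose binary is missing", line)
    return None


def triage(log_text: str) -> List[Finding]:
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue   # header, "Running processes" entry or blank line
        f = classify(m["section"], m["body"], line)
        if f:
            findings.append(f)
    # Most likely remnants first, then by section code.
    return sorted(findings, key=lambda f: (f.severity != "high", f.section))


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}\n         {f.line}")
```

Run it with the saved log as its only argument; without one it triages the sample lines. The script only orders the log for reading: an entry it marks "review" (the bare `Ati2mdxx.exe` autorun, for instance) is often legitimate, and the decision still belongs to whoever knows what is installed on the machine.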

#6 Rawe (Visiting Staff, 4,746 posts)
Please print these instructions out, or write them down, as you can't read them during the fix.

Ok,

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions; otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Download CleanUp!

Run the CleanUp! installer and get the program ready to be used but don't run it yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Using Windows Explorer, locate the following files and delete them if present:

C:\WINDOWS\system32\Cloisonne Demo.scr
C:\WINDOWS\system32\ctts.exe
C:\WINDOWS\system32\Macromed\Shockwave 10\jpegurl.dll


Launch Ad-Aware SE and click on the gear to access the Configuration menu. Please make sure that this setting is applied:

Click on Tweak => Cleaning engine => UNcheck "Always try to unload modules before deletion".

Click on "Finish". Run a Full System Scan, remove all it finds.

Now run CleanUp! and reboot when prompted. Boot up into normal mode.

1. Click Start > Control Panel.

2. Double-click the Java icon (coffee cup) in the control panel. It will say "Java Plug-in" under the icon - please find the update button or tab in that Java control panel. Update your Java, and reboot.

After reboot, go back into the Control Panel and double-click the Java icon.

3. Under Temporary Internet Files, click the Delete Files button.

There are three options on this window to clear the cache - leave ALL 3 checked.
1. Downloaded Applets
2. Downloaded Applications
3. Other Files

4. Click OK on Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

5. Click OK to leave the Java Control Panel.

Please do an online scan with Kaspersky WebScanner

Next Click on Launch Kaspersky Anti-Virus Web Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Standard
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • This program will start to scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
- Rawe :tazz:

#7 gatsu (Topic Starter, 16 posts)
Hi,

I followed your steps, but back at the beginning, when you had me search for Cloisonne Demo, ctts, and jpegurl, I only found the Cloisonne.

Here is my Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, August 10, 2005 07:25:38
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 10/08/2005
Kaspersky Anti-Virus database records: 134591
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 41598
Number of viruses found: 10
Number of infected objects: 33
Number of suspicious objects: 0
Duration of the scan process: 1628 sec

Infected Object Name - Virus Name
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2880d2c3-46114e05.zip/Beyond.class Infected: Trojan-Dropper.Java.Beyond.g
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2880d2c3-46114e05.zip/winmodem.exe Infected: Trojan.Win32.StartPage.mf
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2880d2c3-46114e05.zip/rundll32.exe Infected: Trojan.Win32.StartPage.mf
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2880d2c3-46114e05.zip Infected: Trojan.Win32.StartPage.mf
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3c6cf086-3203f60d.zip/binny/binny.class Infected: Trojan.Java.Binny.a
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3c6cf086-3203f60d.zip Infected: Trojan.Java.Binny.a
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3c9df90e-516216d4.zip/binny/binny.class Infected: Trojan.Java.Binny.a
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-3c9df90e-516216d4.zip Infected: Trojan.Java.Binny.a
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-48b5f4f0-4ab63f10.zip/binny/binny.class Infected: Trojan.Java.Binny.a
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-48b5f4f0-4ab63f10.zip Infected: Trojan.Java.Binny.a
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-55bd2b27-4dcad43f.zip/binny/binny.class Infected: Trojan.Java.Binny.a
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-55bd2b27-4dcad43f.zip Infected: Trojan.Java.Binny.a
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-1af6442d-5b742697.zip/Counter.class Infected: Exploit.Java.Bytverify
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-1af6442d-5b742697.zip/web.exe Infected: Trojan.Win32.StartPage.og
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-1af6442d-5b742697.zip Infected: Trojan.Win32.StartPage.og
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-21c9a6a9-7f946f88.zip/Counter.class Infected: Exploit.Java.Bytverify
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-21c9a6a9-7f946f88.zip/web.exe Infected: Trojan.Win32.StartPage.og
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\Counters.jar-21c9a6a9-7f946f88.zip Infected: Trojan.Win32.StartPage.og
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counters.jar-e39aabf-5c78ed5c.zip/web.exe Infected: Trojan-Downloader.Win32.WinShow.ar
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\counters.jar-e39aabf-5c78ed5c.zip Infected: Trojan-Downloader.Win32.WinShow.ar
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cout.jar-4c0f3ba1-6c650ea9.zip/Counter.class Infected: Exploit.Java.Bytverify
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cout.jar-4c0f3ba1-6c650ea9.zip/web.exe Infected: Trojan.Win32.StartPage.uk
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\cout.jar-4c0f3ba1-6c650ea9.zip Infected: Trojan.Win32.StartPage.uk
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-36f3865a.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-36f3865a.zip Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\proc.jar-16c79c2c-2f9aefc8.zip/MyFunction.class Infected: Trojan-Dropper.Java.Small.c
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\proc.jar-16c79c2c-2f9aefc8.zip Infected: Trojan-Dropper.Java.Small.c
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\proc.jar-571bc93f-2612eae2.zip/MyFunction.class Infected: Trojan-Dropper.Java.Small.c
C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\proc.jar-571bc93f-2612eae2.zip Infected: Trojan-Dropper.Java.Small.c
C:\WINDOWS\Temp\~195304.tmp Infected: Trojan-Downloader.Win32.Wintool.a
C:\WINDOWS\Temp\~550876.tmp Infected: Trojan-Downloader.Win32.Wintool.a
C:\WINDOWS\Temp\~554886.tmp Infected: Trojan-Downloader.Win32.Wintool.a
C:\WINDOWS\Temp\~951652.tmp Infected: Trojan-Downloader.Win32.Wintool.a

Scan process completed.
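The Panda ActiveScan report earlier in the thread and the Kaspersky report just above describe the same machine in two different line formats, and most of the hits sit inside archives in the Java deployment cache that a single cache wipe removes. As an added example (not a tool from Panda, Kaspersky or the forum), the Python below parses both formats, collapses the per-member archive hits back to the file on disk, and groups everything the scanners could not clean by the cleanup step that removes it. The remediation buckets are this editor's reading of the helper's instructions; the sample lines are copied from the two reports posted in the thread.

```python
"""Merge Panda ActiveScan and Kaspersky on-line scanner reports into one triage list.

Added example written for this thread; it is not a tool from Panda, Kaspersky or
the forum.  The remediation buckets (which cleanup step covers which hit) are
this editor's reading of the helper's instructions in the thread.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Panda ActiveScan line: "<detection> <status> <location>"
PANDA_RE = re.compile(r"^(?P<name>.+?) (?P<status>Disinfected|No disinfected|Deleted) (?P<location>.+)$")
# Kaspersky on-line scanner line: "<location> Infected: <detection>"
KAV_RE = re.compile(r"^(?P<location>.+?) Infected: (?P<name>.+)$")
# Kaspersky writes "archive.zip/member"; Panda writes "archive.zip[member]".
ARCHIVE_MEMBER_RE = re.compile(r"\.(?:zip|jar)/")

# Sample lines copied from the two reports posted in this thread (user name as it appears there).
CACHE = r"C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar"
PANDA_SAMPLE = "\n".join([
    "Virus:Exploit/ByteVerify Disinfected " + CACHE + r"\archive.jar-2880d2c3-46114e05.zip[BlackBox.class]",
    "Adware:Adware/Startpage.JU No disinfected " + CACHE + r"\archive.jar-2880d2c3-46114e05.zip[winmodem.exe]",
    r"Possible Virus. No disinfected C:\WINDOWS\Cursors\faxc.exe",
    r"Virus:Trj/Qhost.gen Disinfected C:\WINDOWS\system32\drivers\etc\hosts",
    r"Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\~195304.tmp",
    "Adware:adware/wintools No disinfected Windows Registry",
])
KAV_SAMPLE = "\n".join([
    CACHE + r"\archive.jar-3c6cf086-3203f60d.zip/binny/binny.class Infected: Trojan.Java.Binny.a",
    CACHE + r"\archive.jar-3c6cf086-3203f60d.zip Infected: Trojan.Java.Binny.a",
    r"C:\WINDOWS\Temp\~195304.tmp Infected: Trojan-Downloader.Win32.Wintool.a",
])


@dataclass
class Detection:
    scanner: str
    name: str
    cleaned: bool            # scanner says it already disinfected or deleted the object
    container: str           # the file on disk (the archive, if the hit was inside one)
    member: Optional[str]    # entry inside the archive, if any
    bucket: str              # cleanup step that removes the container


def split_location(location: str) -> Tuple[str, Optional[str]]:
    if location.endswith("]") and "[" in location:
        container, member = location[:-1].split("[", 1)
        return container, member
    m = ARCHIVE_MEMBER_RE.search(location)
    if m:
        return location[:m.end() - 1], location[m.end():]
    return location, None


def bucket_for(container: str) -> str:
    low = container.lower()
    if "\\sun\\java\\deployment\\cache\\" in low:
        return "java-cache"   # removed by the Java control panel "Delete Files" step
    if "\\windows\\temp\\" in low:
        return "temp"         # removed by CleanUp! / emptying WINDOWS\Temp
    if low == "windows registry":
        return "registry"     # a registry value, not a file: handled by a registry fix
    return "manual"           # an ordinary file elsewhere: locate it and delete it by hand


def parse_scan_log(text: str) -> List[Detection]:
    hits = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PANDA_RE.match(line)
        if m:
            scanner, cleaned = "panda", m["status"] != "No disinfected"
        else:
            m = KAV_RE.match(line)
            if not m:
                continue       # header, statistics or blank line
            # The on-line report carries no cleaning status, so treat every hit as still present.
            scanner, cleaned = "kaspersky", False
        container, member = split_location(m["location"])
        hits.append(Detection(scanner, m["name"], cleaned, container, member, bucket_for(container)))
    return hits


def outstanding(hits: List[Detection]) -> Dict[str, List[str]]:
    """Containers the scanners could not clean, grouped by the step that removes them.
    An archive with several flagged members is listed once."""
    by_bucket: Dict[str, set] = {}
    for h in hits:
        if not h.cleaned:
            by_bucket.setdefault(h.bucket, set()).add(h.container)
    return {k: sorted(v) for k, v in by_bucket.items()}


def name_counts(hits: List[Detection]) -> Counter:
    return Counter(h.name for h in hits)


if __name__ == "__main__":
    hits = parse_scan_log(PANDA_SAMPLE + "\n" + KAV_SAMPLE)
    for bucket, containers in sorted(outstanding(hits).items()):
        print(f"[{bucket}] {len(containers)} object(s) still to remove")
        for c in containers:
            print("   ", c)
    for name, n in name_counts(hits).most_common():
        print(f"{n:3d}  {name}")
```

Feeding the two full reports from the thread through `parse_scan_log` gives the picture the helper works from: nearly every outstanding container lands in the `java-cache` or `temp` bucket, which is why the next reply asks for those two folders to be emptied rather than for file-by-file deletion, while the handful of `manual` hits (the files under `Cursors`, `Registration` and `system32`) are the ones that need to be found and removed individually.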

#8 Rawe (Visiting Staff, 4,746 posts)
Did you complete the Java cache clearing step completely? Also, when I asked you to delete those files, did you search for them, or did you locate them using Windows Explorer and delete them if present? I'm asking because they usually don't pop up in the Search window.

Ok, locate the following folders;

C:\Documents and Settings\user\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
C:\WINDOWS\Temp\


Delete their content, NOT the folders themselves. Only everything inside them.

Run CleanUp! but don't reboot yet.

Disable System Restore;

1. Click Start > Programs > Accessories > Windows Explorer
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore"
5. Click Apply. A message shows up.
6. Click "Yes" to do this.
7. Confirm with "Ok".


Reboot.

Enable System Restore;

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck the "Turn off System Restore" check box.
5. Click Apply, and then click "OK".


System Restore will now be active again. ;) Be sure to set a new restore point.

Run a scan with Panda Activescan

& post its results here along with a fresh HiJackThis log.

- Rawe :tazz:
#9 gatsu (Topic Starter, Member, 16 posts)
Hi Rawe :hug: ,

Yes, I completed the Java cache clearing completely. Also, as for deleting those 3 files, I looked for them through Windows Explorer and NOT the search function. Still found only one.

Followed your latest steps, and upon deleting files in WINDOWS TEMP it didn't allow me to delete any of the .tmp files (there were 4 or 5).

Here is my new panda scan log:


Incident Status Location

Adware:adware/wintools No disinfected Windows Registry
Adware:Adware/CWS No disinfected C:\Documents and Settings\Glen\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-7c728-7df71b3f.class
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Glen\Desktop\l2mfix\l2mfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\Glen\Desktop\l2mfix\l2mfix.exe[Process.exe]
Possible Virus. No disinfected C:\WINDOWS\Cursors\faxc.exe
Possible Virus. No disinfected C:\WINDOWS\Registration\inettask.exe
Hacktool:Hacktool/Processor No disinfected C:\WINDOWS\system32\Process.exe
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\~195304.tmp
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\~550876.tmp
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\~554886.tmp
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\~951652.tmp


Here's my fresh HIJACK THIS log:

Logfile of HijackThis v1.99.1
Scan saved at 10:30:45 AM, on 8/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\valve\steam\steam.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Glen\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O4 - HKLM\..\Run: [diagent] C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] C:\Program Files\MSN Messenger\MsnMsgr.Exe /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab30149.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: pcexp - C:\WINDOWS\Fonts\pcexp.dll (file missing)
O20 - Winlogon Notify: ssvc - C:\WINDOWS\repair\ssvc.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\System32\MsPMSPSv.exe (file missing)
:tazz: ;) :) :( :( :woot: :wub:
#10 Rawe (Visiting Staff, 4,746 posts)
Let's do it like this;
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on "Delete File on Reboot"
  • Navigate to this file - C:\WINDOWS\Cursors\faxc.exe
  • Double click on that file.
  • HJT asks you if you want to reboot, now. Click "no".
  • Do that for the following files also. When you get to the last one, click "yes" when HJT asks you to reboot.
C:\WINDOWS\Registration\inettask.exe

1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Delete the following folders' content, not the folders themselves;

C:\Documents and Settings\Glen\Cookies\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\
C:\WINDOWS\Temp\


Run CleanUp! and reboot into normal mode.

Post a fresh Panda & HiJackThis log.

- Rawe :tazz:
#11 Rawe (Visiting Staff, 4,746 posts)
Before deleting this file can you submit it to submit@atribune.org ;
C:\WINDOWS\Cursors\faxc.exe

- Rawe :tazz:
#12 gatsu (Topic Starter, Member, 16 posts)
greetings

I deleted the first two files with no problem. I rebooted into safe mode and deleted the contents of the 1.0 folder with no problem as well. However, in the C:\WINDOWS\Temp\ folder, anything I tried to delete gave me an error message saying "Access denied: Cannot delete desktop.ini". There were 4 .tmp files with random numbers, and C:\WINDOWS\Temp\TemporaryInternetfiles\Content.IE5 contained 4 folders that looked empty, with random chars for the name.

Fresh panda log:


Incident Status Location

Adware:adware/wintools No disinfected Windows Registry
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\user\Desktop\l2mfix\l2mfix\Process.exe
Hacktool:Hacktool/Processor No disinfected C:\Documents and Settings\user\Desktop\l2mfix\l2mfix.exe[Process.exe]
Hacktool:Hacktool/Processor No disinfected C:\WINDOWS\system32\Process.exe
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\~195304.tmp
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\~550876.tmp
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\~554886.tmp
Adware:Adware/WinTools No disinfected C:\WINDOWS\Temp\~951652.tmp


Hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 1:00:22 PM, on 8/10/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\valve\steam\steam.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O4 - HKLM\..\Run: [diagent] C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKCU\..\Run: [Steam] "c:\valve\steam\steam.exe" -silent
O4 - HKCU\..\Run: [MsnMsgr] C:\Program Files\MSN Messenger\MsnMsgr.Exe /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab30149.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab30149.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O20 - Winlogon Notify: pcexp - C:\WINDOWS\Fonts\pcexp.dll (file missing)
O20 - Winlogon Notify: ssvc - C:\WINDOWS\repair\ssvc.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Creative Service for CDROM Access - Unknown owner - C:\WINDOWS\System32\CTsvcCDA.exe (file missing)
O23 - Service: WMDM PMSP Service - Unknown owner - C:\WINDOWS\System32\MsPMSPSv.exe (file missing)
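The HijackThis log above is the kind of artifact a helper reads by hand, entry by entry. As an added example (not code from this thread, from HijackThis or from Geeks to Go), here is a small Python parser that pulls the entry lines out of an HJT log and flags the three entry kinds most relevant to this log: an R3 URLSearchHook whose CLSID has no backing file, O20 Winlogon Notify DLLs marked "(file missing)", and O16 downloaded ActiveX controls. The sample log is an excerpt constructed from the log posted above; the flagging rules are this example's own heuristics, not anything HijackThis itself reports.

```python
"""Triage helper for HijackThis v1.99 logs.

Added example for this thread; it is not code from the thread, from
HijackThis or from Geeks to Go.  It pulls the entry lines (R0, R3, O4,
O16, O20, O23 ...) out of a log and flags the entry kinds a helper would
look at first.  The flagging rules are this example's own heuristics.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 1:00:22 PM, on 8/10/2005

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O20 - Winlogon Notify: pcexp - C:\WINDOWS\Fonts\pcexp.dll (file missing)
O20 - Winlogon Notify: ssvc - C:\WINDOWS\repair\ssvc.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Every HJT entry line starts with a section code such as R3, O4 or O20.
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


@dataclass
class Finding:
    code: str    # HJT section code, e.g. "O20"
    name: str    # hook / notify / control name as HJT prints it
    target: str  # CLSID, DLL path or download URL the entry points at
    reason: str  # why the entry is worth a second look


def parse_entries(log_text):
    """Return (code, body) tuples for every entry line in the log."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def _split_body(body):
    """'Kind: name - target - status' -> (kind, [name, target, status])."""
    kind, _, rest = body.partition(": ")
    return kind, [part.strip() for part in rest.split(" - ")]


def triage(log_text):
    """Flag orphaned hooks, missing Winlogon Notify DLLs and DPF downloads."""
    findings = []
    for code, body in parse_entries(log_text):
        kind, parts = _split_body(body)
        if code == "R3" and parts[-1] == "(no file)":
            # A URLSearchHook CLSID registered for IE whose DLL is gone:
            # the registry value is a leftover and can simply be fixed.
            findings.append(Finding(code, parts[0], parts[1],
                                    "URLSearchHook CLSID with no backing file"))
        elif code == "O20" and kind == "Winlogon Notify" and body.endswith("(file missing)"):
            # Winlogon Notify packages load a DLL into winlogon at logon;
            # a missing DLL means a dead persistence entry worth removing.
            dll = parts[1].replace("(file missing)", "").strip()
            findings.append(Finding(code, parts[0], dll,
                                    "Winlogon Notify DLL registered but missing on disk"))
        elif code == "O16":
            # Downloaded Program Files (ActiveX controls): check the source
            # site of each before deciding whether it belongs there.
            findings.append(Finding(code, parts[0], parts[-1],
                                    "downloaded ActiveX control; verify its source"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"{finding.code:<4} {finding.name:<45} {finding.target}")
        print(f"     -> {finding.reason}")
```

Run as a script it prints the four flagged entries from the excerpt; point `triage()` at the text of a full log to get the same view of a real one. The "(file missing)" and "(no file)" markers are what HijackThis itself prints, so the parser relies only on the log format, not on any signature database.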
#13 Rawe (Visiting Staff, 4,746 posts)
Ok,

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
    • Once the program is installed, it will open.
    • It will prompt you to update to the latest definitions, click Yes.
      Disable SpySweeper Shields
    • Click Shields on the left.
    • Click Internet Explorer and uncheck all items.
    • Click Windows System and uncheck all items.
    • Click Startup Programs and uncheck all items.
  • Once the definitions are installed and shields disabled, exit SpySweeper.
Run CleanUp! but don't reboot yet.

Disable System Restore;

1. Click Start > Programs > Accessories > Windows Explorer
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Check the "Turn off System Restore"
5. Click Apply. A message shows up.
6. Click "Yes" to do this.
7. Confirm with "Ok".


Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


Launch SpySweeper;
  • click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Now reboot into Normal Mode.

Enable System Restore;

1. Click Start.
2. Right-click My Computer, and then click Properties.
3. Click the System Restore tab.
4. Uncheck the "Turn off System Restore" check box.
5. Click Apply, and then click "OK".


System Restore will now be active again. ;) Be sure to set a new restore point.

Once done, do the following;
  • Open HiJackThis
  • Click on the configure button on the bottom right
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the List from the notebook onto your post
Post me the uninstall list along with the SpySweeper session log.

- Rawe :tazz:
#14 gatsu (Topic Starter, Member, 16 posts)
Did your steps.

Spy log:

********
2:17 AM: |··· Start of Session, Thursday, August 11, 2005 ···|
2:17 AM: Spy Sweeper started
2:17 AM: Sweep initiated using definitions version 512
2:17 AM: Starting Memory Sweep
2:18 AM: Memory Sweep Complete, Elapsed Time: 00:00:55
2:18 AM: Starting Registry Sweep
2:18 AM: Found Adware: websearch toolbar
2:18 AM: HKLM\software\classes\typelib\{8992b6ca-b8c9-4aed-bf89-0a17f6296a06}\ (9 subtraces) (ID = 146445)
2:18 AM: HKU\S-1-5-21-1645522239-1303643608-725345543-1004\software\microsoft\internet explorer\urlsearchhooks\ || {87766247-311c-43b4-8499-3d5fec94a183} (ID = 146467)
2:18 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/qdow_as2.dll\ (2 subtraces) (ID = 146482)
2:18 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\qdow_as2.dll (ID = 146497)
2:18 AM: HKLM\software\microsoft\windows\currentversion\uninstall\wintools_adkw\ (4 subtraces) (ID = 146506)
2:18 AM: HKLM\software\microsoft\windows\currentversion\uninstall\wintools_adkw\ || displayname (ID = 146507)
2:18 AM: HKLM\software\microsoft\windows\currentversion\uninstall\wintools_adkw\ || publisher (ID = 146508)
2:18 AM: HKLM\software\microsoft\windows\currentversion\uninstall\wintools_adkw\ || uninstallstring (ID = 146509)
2:18 AM: HKLM\software\microsoft\windows\currentversion\uninstall\wintools_adkw\ || urlinfoabout (ID = 146510)
2:18 AM: HKLM\software\microsoft\windows\currentversion\uninstall\wintools_esies\ (4 subtraces) (ID = 146511)
2:18 AM: HKLM\system\currentcontrolset\enum\root\legacy_wintoolssvc\ (7 subtraces) (ID = 146518)
2:18 AM: HKCR\typelib\{8992b6ca-b8c9-4aed-bf89-0a17f6296a06}\ (9 subtraces) (ID = 146535)
2:18 AM: Registry Sweep Complete, Elapsed Time:00:00:09
2:18 AM: Starting Cookie Sweep
2:18 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
2:18 AM: Starting File Sweep
2:19 AM: Found Adware: apropos
2:19 AM: exec.exe (ID = 50118)
2:23 AM: File Sweep Complete, Elapsed Time: 00:04:16
2:23 AM: Full Sweep has completed. Elapsed time 00:05:27
2:23 AM: Traces Found: 48
2:25 AM: Removal process initiated
2:25 AM: Quarantining All Traces: websearch toolbar
2:25 AM: Quarantining All Traces: apropos
2:25 AM: Removal process completed. Elapsed time 00:00:15
********
2:10 AM: |··· Start of Session, Thursday, August 11, 2005 ···|
2:10 AM: Spy Sweeper started
2:11 AM: Your spyware definitions have been updated.
HiJack this log:

ACE Mega CoDecS Pack
Ad-Aware SE Personal
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop 7.0
Adobe Reader 6.0.1
AOL Instant Messenger
ATI Control Panel
ATI Display Driver
AVG Free Edition
Battlefield Vietnam™
CleanUp!
Conexant HSF V92 56K RTAD Speakerphone PCI Modem
DC++ 0.670
Dell ResourceCD
DivX Player
DivX Pro Codec Adware
eMade Search Engine Lite
EmpirePoker
GameSpy Arcade
GSpot Codec Information Appliance
Half-Life: Counter-Strike
HijackThis 1.99.1
ICQ 4.1
Intel® PRO Network Adapters and Drivers
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
Java 2 Runtime Environment, SE v1.4.2_05
Kaspersky On-line Scanner
LiveReg (Symantec Corporation)
LiveUpdate 1.80 (Symantec Corporation)
Macromedia Shockwave Player
Media Library Management Wizard
Microsoft .NET Framework 1.1
Microsoft Data Access Components KB870669
mIRC
Movie Maker Background Music Files
Movie Maker Sound Effects
Movie Maker Title Images
Mozilla Firefox (0.9.1)
Mozilla Firefox (1.0.1)
MSN Messenger 6.2
Nero - Burning Rom (Web installer)
Office Animation Runtime
Panda ActiveScan
PartyPoker
Personal License Update Wizard for Windows Media Player
Plus! MP3 Audio Converter LE
PunkBuster for Battlefield Vietnam
QuickTime
RealPlayer
Security Task Manager 1.6f
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB903235)
SmartFTP
Sound Blaster Live!
Spy Sweeper
Steam
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Ventrilo Client
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Bonus Pack for Windows XP
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player Playlist Import to Excel Wizard
Windows Media Player Skin Importer
Windows Media Player Tray Control
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZip
XP Codec Pack
#15 Rawe (Visiting Staff, 4,746 posts)
A couple of things to be corrected on the uninstall list;

Download the following programs if you want to use them (updated versions);
MSN Messenger 7.0
Latest Firefox (1.0.6)

When you have downloaded the installers, don't quite yet install them.

Go to -> Start -> Control Panel -> Add/Remove programs and uninstall the following entries;

Mozilla Firefox (0.9.1)
Mozilla Firefox (1.0.1)
MSN Messenger 6.2
PartyPoker
Viewpoint Manager (Remove Only)
Windows Installer 3.1 (KB893803)


Delete the following folders;
C:\Program Files\Viewpoint\Viewpoint Manager\
C:\Program Files\PartyPoker\


Empty recycle bin.

Then install the latest Firefox and Messenger. I just recommend this because of the critical updates and all.

Then check your Microsoft Updates quickly. Download the latest critical updates.

Then reboot and do the 2 following things;

Click "Start", Run and type in; MRT
Click "Ok". When the window pops up hit "Next". It scans; let me know the results.
Post me a fresh HiJackThis log & tell me how's the system running.

- Rawe :tazz:

Edited by Rawe, 11 August 2005 - 08:25 AM.
