I did all the steps. The second time through Killbox the only things that were found:
C:\WINNT\system32\kkyejyww
C:\Program Files\Common Files\Windows
C:\Program Files\webHancer\programs
C:\Program Files\webHancer
All the entries said that the directory was deleted except for the last one that said "This File could not be Deleted".
When doing the HijackThis fixing, the following were not found:
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
Here are the log files:
WinPFind:
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2600.0000
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
PEC2 9/10/2005 1:11:58 PM 34298012 C:\backup.zip
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
UPX! 9/6/2005 7:35:34 PM 226536 C:\WINNT\whCC-GIANT.exe
PEC2 5/19/2001 5:08:44 PM 6656 C:\WINNT\pcboot.exe
PEC2 2/27/2003 2:53:18 AM 340480 C:\WINNT\DOTEST.EXE
PEC2 3/15/2003 10:46:14 PM 168448 C:\WINNT\realtime.exe
Checking %System% folder...
winsync 7/26/2000 5:00:00 PM 1309184 C:\WINNT\SYSTEM32\wbdbase.deu
PEC2 6/9/2005 3:32:28 PM 692736 C:\WINNT\SYSTEM32\DivX.dll
PECompact2 6/9/2005 3:32:28 PM 692736 C:\WINNT\SYSTEM32\DivX.dll
Umonitor 6/19/2003 12:05:04 PM 529168 C:\WINNT\SYSTEM32\RASDLG.DLL
UPX! 10/7/2002 2:49:38 PM 385536 C:\WINNT\SYSTEM32\QuestLicenseManager.DLL
PTech 7/12/2005 5:50:44 PM 520456 C:\WINNT\SYSTEM32\LegitCheckControl.DLL
Checking %System%\Drivers folder and sub-folders...
Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/9/2005 6:54:04 PM H 644482 C:\WINNT\ShellIconCache
9/10/2005 1:14:46 PM H 1024 C:\WINNT\system32\config\software.LOG
9/10/2005 12:32:38 PM H 1024 C:\WINNT\system32\config\default.LOG
9/10/2005 1:10:00 PM H 1024 C:\WINNT\system32\config\SECURITY.LOG
9/10/2005 1:06:58 PM H 1024 C:\WINNT\system32\config\SAM.LOG
8/20/2005 1:22:12 PM HS 24 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\Preferred
8/20/2005 1:22:12 PM HS 336 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\5c76bdda-060b-41cf-81e8-a6486f82e867
9/10/2005 12:32:18 PM H 6 C:\WINNT\Tasks\SA.DAT
9/10/2005 12:32:10 PM S 64 C:\WINNT\CSC\00000001
9/9/2005 3:45:12 PM S 64 C:\WINNT\CSC\csc1.tmp
9/9/2005 6:04:52 PM S 64 C:\WINNT\CSC\00000002
8/31/2005 8:29:50 PM S 53 C:\WINNT\Profiles\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\d642018b883da684e9c7dcbbfa2f2836_c4fe4ef5-407c-469b-bb9c-1bb60c8bc4bf
9/6/2005 3:47:56 PM S 69 C:\WINNT\Profiles\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\95147d52219a6c289276fe8b5b3650fb_c4fe4ef5-407c-469b-bb9c-1bb60c8bc4bf
9/6/2005 3:48:30 PM H 3802 C:\WINNT\Profiles\All Users\Application Data\AOL\AOLDiag\AOL\HostManager\Win32\2005707.1601.419728a\manifest.bin
9/6/2005 3:48:34 PM H 3802 C:\WINNT\Profiles\All Users\Application Data\AOL\AOLDiag\AOL\ServiceHost\Win32\2005707.1601.419728a\manifest.bin
Checking for CPL files...
Microsoft Corporation 6/19/2003 12:05:04 PM 301328 C:\WINNT\SYSTEM32\appwiz.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 128272 C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 118032 C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 36112 C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 60688 C:\WINNT\SYSTEM32\joy.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 122128 C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 303888 C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 17168 C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 41232 C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation 6/19/2003 12:05:04 PM 90896 C:\WINNT\SYSTEM32\powercfg.cpl
Microsoft Corporation 6/19/2003 12:05:04 PM 83216 C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 5904 C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 61200 C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation 6/19/2003 12:05:04 PM 41232 C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/17/2001 10:43:40 PM 294912 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 67344 C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation 6/19/2003 12:05:04 PM 237328 C:\WINNT\SYSTEM32\DESK.CPL
Microsoft Corporation 6/19/2003 12:05:04 PM 125712 C:\WINNT\SYSTEM32\SYSDM.CPL
Apple Computer, Inc. 4/8/2004 2:12:42 PM 323072 C:\WINNT\SYSTEM32\QuickTime.cpl
Microsoft Corporation 2/20/2001 1:09:54 PM 109056 C:\WINNT\SYSTEM32\INPUT.CPL
Microsoft Corporation 6/19/2003 12:05:04 PM 54272 C:\WINNT\SYSTEM32\wuaucpl.cpl
Oracle 3/2/2004 2:29:30 PM 45145 C:\WINNT\SYSTEM32\plugincpl13118.cpl
Novell, Inc. 3/24/2003 3:00:08 PM 102400 C:\WINNT\SYSTEM32\nCredps.cpl
Sun Microsystems 8/5/2003 9:02:56 AM 45175 C:\WINNT\SYSTEM32\plugincpl131_09.cpl
Oracle 4/18/2002 2:47:54 PM 24672 C:\WINNT\SYSTEM32\plugincpl1319.cpl
Sun Microsystems 5/17/2002 5:04:56 PM 45154 C:\WINNT\SYSTEM32\plugincpl131_04.cpl
Oracle 5/8/2003 2:35:36 PM 45153 C:\WINNT\SYSTEM32\plugincpl13113.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 41232 C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/17/2001 10:43:40 PM 294912 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
IBM Corporation 9/23/1999 6:44:36 PM 94208 C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
9/10/2005 10:54:18 AM 2225 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
4/3/2005 1:07:10 PM 1412 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Application Explorer.lnk
4/3/2005 1:07:06 PM 1484 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
4/3/2005 1:07:12 PM 598 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Sync Director.lnk
4/3/2005 1:07:06 PM 1307 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
Checking files in %ALLUSERSPROFILE%\Application Data folder...
Checking files in %USERPROFILE%\Startup folder...
4/3/2005 1:07:12 PM 1357 C:\Documents and Settings\LinesD\Start Menu\Programs\Startup\HotSync Manager.lnk
Checking files in %USERPROFILE%\Application Data folder...
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\NetWareMenuItems
{e3bbbfc0-f61f-11cf-bb16-00c04fd371f4} = novnpnt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\NetWareMenuItems
{e3bbbfc0-f61f-11cf-bb16-00c04fd371f4} = novnpnt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\NetWareServerMenu
{9b173360-732b-11ce-aa22-00805f9834b0} = novnpnt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}
AOL Toolbar Launcher = C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{182EC0BE-5110-49C8-A062-BEB1D02A220B}
Adobe PDF = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{DE9C389F-3316-41A7-809B-AA305ED9D922} = AOL Toolbar : C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3369AF0D-62E9-4bda-8103-B4C75499B578}
ButtonText = AOL Toolbar :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\PROGRA~1\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{C1994287-422F-47aa-8E5E-6323E210A125}
ButtonText = Novell delivered applications :
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} = :
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
{DE9C389F-3316-41A7-809B-AA305ED9D922} = AOL Toolbar : C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
NWTRAY NWTRAY.EXE
CreateCD50 "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
AdaptecDirectCD "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
TkBellExe C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
PCDRealtime C:\WINNT\realtime.exe
ZENRC Tray Icon C:\WINNT\System32\zentray.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper C:\Program Files\iTunes\iTunesHelper.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
Acrobat Assistant 7.0 "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
HostManager C:\Program Files\Common Files\AOL\1126039706\ee\AOLHostManager.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
vptray C:\PROGRA~1\SYMANT~1\VPTray.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AIM C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
CompatibleRUPSecurity 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations
LowRiskFileTypes .zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149
CDRAutoRun 0
ForceStartMenuLogOff 1
NoWelcomeScreen 1
NoInstrumentation 1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
jjlnuabahh.exe C:\WINNT\system\jjlnuabahh.exe
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
Shell = explorer.exe
System = ziswin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
= C:\WINNT\system32\NavLogon.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.5 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/10/2005 1:19:01 PM
L2mfix log:
Setting Directory
C:\
C:\
System Rebooted!
Running From:
C:\
killing explorer and rundll32.exe
Scanning First Pass. Please Wait!
First Pass Completed
Second Pass Scanning
Second pass Completed!
Desktop.ini sucessfully removed
Zipping up files for submission:
Restoring Registry Permissions:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!
Registry permissions set too:
RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!
Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER
Restoring Sedebugprivilege:
Granting SeDebugPrivilege to Administrators ... successful
Restoring Windows Update Certificates.:
The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINNT\\system32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000
The following are the files found:
****************************************************************************
Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************
Kaspersky log:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, September 12, 2005 08:17:02
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 10/09/2005
Kaspersky Anti-Virus database records: 148723
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 71204
Number of viruses found: 35
Number of infected objects: 143
Number of suspicious objects: 22
Duration of the scan process: 7417 sec
Infected Object Name - Virus Name
C:\WINNT\Temp\180sainstallernu.exe/clientax.dll Infected: not-a-virus:AdWare.180Solutions.k
C:\WINNT\Temp\180sainstallernu.exe Infected: not-a-virus:AdWare.180Solutions.k
C:\WINNT\Temp\180SAAX.cab/clientax.dll Infected: not-a-virus:AdWare.180Solutions.k
C:\WINNT\Temp\180SAAX.cab Infected: not-a-virus:AdWare.180Solutions.k
C:\WINNT\Temp\clientax.dll Infected: not-a-virus:AdWare.180Solutions.k
C:\WINNT\Temp\res688.tmp Infected: not-a-virus:AdWare.180Solutions.k
C:\WINNT\mm81.ocx Infected: Trojan-Downloader.Win32.VB.ov
C:\WINNT\whCC-GIANT.exe/WhAgent.exe Infected: not-a-virus:AdWare.WebHancer.351
C:\WINNT\whCC-GIANT.exe/whInstaller.exe Infected: not-a-virus:AdWare.WebHancer
C:\WINNT\whCC-GIANT.exe/WhSurvey.exe Infected: not-a-virus:AdWare.WebHancer
C:\WINNT\whCC-GIANT.exe/Webhdll.dll Infected: not-a-virus:AdWare.WebHancer
C:\WINNT\whCC-GIANT.exe/whiehlpr.dll Infected: not-a-virus:AdWare.WebHancer
C:\WINNT\whCC-GIANT.exe Infected: not-a-virus:AdWare.WebHancer
C:\WINNT\Profiles\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BA80000.VBN Infected: Backdoor.Win32.Rbot.gen
C:\WINNT\Profiles\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BA80001.VBN Infected: Backdoor.Win32.Rbot.gen
C:\WINNT\Profiles\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BA80002.VBN/clientax.dll Infected: not-a-virus:AdWare.180Solutions.k
C:\WINNT\Profiles\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BA80002.VBN Infected: not-a-virus:AdWare.180Solutions.k
C:\WINNT\Profiles\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08F00000.VBN/clientax.dll Infected: not-a-virus:AdWare.180Solutions.k
C:\WINNT\Profiles\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08F00000.VBN Infected: not-a-virus:AdWare.180Solutions.k
C:\WINNT\Profiles\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06240000.VBN Infected: Trojan-Downloader.Win32.Small.ach
C:\WINNT\ztkqln.exe Infected: not-a-virus:AdWare.BetterInternet.aa
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WP6FGPY7\mm81[1].ocx Infected: Trojan-Downloader.Win32.VB.ov
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KDURG9MR\whCC-GIANT[1].exe/WhAgent.exe Infected: not-a-virus:AdWare.WebHancer.351
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KDURG9MR\whCC-GIANT[1].exe/whInstaller.exe Infected: not-a-virus:AdWare.WebHancer
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KDURG9MR\whCC-GIANT[1].exe/WhSurvey.exe Infected: not-a-virus:AdWare.WebHancer
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KDURG9MR\whCC-GIANT[1].exe/Webhdll.dll Infected: not-a-virus:AdWare.WebHancer
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KDURG9MR\whCC-GIANT[1].exe/whiehlpr.dll Infected: not-a-virus:AdWare.WebHancer
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KDURG9MR\whCC-GIANT[1].exe Infected: not-a-virus:AdWare.WebHancer
C:\Program Files\Windows Media Player\wmplayer.exe Infected: Trojan-Downloader.Win32.Small.bem
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <[email protected]>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <[email protected]>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED/[From AcessAFuse <[email protected]>][Date Mon, 3 Jun 2002 19:00:03 -0500]/UNNAMED/html/UNNAMED/[From mark10 <[email protected]>][Date Fri, 31 May 2002 11:32:34 -0500 (CDT)]/UNNAMED/html/UNNAMED/[ ... /[From Joyce Riley vonKleist & Dave vonKleist <[email protected]>][Date Fri, 25 Oct 2002 08:52:58 -070 ... /html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <[email protected]>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <[email protected]>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED/[From AcessAFuse <[email protected]>][Date Mon, 3 Jun 2002 19:00:03 -0500]/UNNAMED/html/UNNAMED/[From mark10 <[email protected]>][Date Fri, 31 May 2002 11:32:34 -0500 (CDT)]/UNNAMED/html/UNNAMED/[ ... /[From Joyce Riley vonKleist & Dave vonKleist <[email protected]>][Date Fri, 25 Oct 2002 08:52:58 -0700]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <[email protected]>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <[email protected]>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED/[From AcessAFuse <[email protected]>][Date Mon, 3 Jun 2002 19:00:03 -0500]/UNNAMED/html/UNNAMED/[From mark10 <[email protected]>][Date Fri, 31 May 2002 11:32:34 -0500 (CDT)]/UNNAMED/html/UNNAMED/[From mronufrak <[email protected]> ... /[From ciac <[email protected]>][Date Tue, 27 Aug 2002 00:05:50 -0400 ( ... /UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <[email protected]>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <[email protected]>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED/[From AcessAFuse <[email protected]>][Date Mon, 3 Jun 2002 19:00:03 -0500]/UNNAMED/html/UNNAMED/[From mark10 <[email protected]>][Date Fri, 31 May 2002 11:32:34 -0500 (CDT)]/UNNAMED/html/UNNAMED/[From mronufrak <[email protected]> ... /[From ciac <[email protected]>][Date Tue, 27 Aug 2002 00:05:50 -0400 (EDT ... /html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <[email protected]>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <[email protected]>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED/[From AcessAFuse <[email protected]>][Date Mon, 3 Jun 2002 19:00:03 -0500]/UNNAMED/html/UNNAMED/[From mark10 <[email protected]>][Date Fri, 31 May 2002 11:32:34 -0500 (CDT)]/UNNAMED/html/UNNAMED/[From mronufrak <[email protected]> ... /[From ciac <[email protected]>][Date Tue, 27 Aug 2002 00:05:50 -0400 (EDT)]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <
[email protected]>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <
[email protected]>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED/[From AcessAFuse <
[email protected]>][Date Mon, 3 Jun 2002 19:00:03 -0500]/UNNAMED/html/UNNAMED/[From mark10 <
[email protected]>][Date Fri, 31 May 2002 11:32:34 -0500 (CDT)]/UNNAMED/html/UNNAMED/[From mronufrak <
[email protected]>][Date Wed, 29 May 2002 17:41:43 -0500 (CDT)]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <
[email protected]>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <
[email protected]>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED/[From AcessAFuse <
[email protected]>][Date Mon, 3 Jun 2002 19:00:03 -0500]/UNNAMED/html/UNNAMED/[From mark10 <
[email protected]>][Date Fri, 31 May 2002 11:32:34 -0500 (CDT)]/UNNAMED/html/UNNAMED/[From mronufrak <
[email protected]>][Date Wed, 29 May 2002 17:41:43 -0500 (CDT)]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <
[email protected]>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <
[email protected]>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED/[From AcessAFuse <
[email protected]>][Date Mon, 3 Jun 2002 19:00:03 -0500]/UNNAMED/html/UNNAMED/[From mark10 <
[email protected]>][Date Fri, 31 May 2002 11:32:34 -0500 (CDT)]/UNNAMED/html/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <
[email protected]>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <
[email protected]>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED/[From AcessAFuse <
[email protected]>][Date Mon, 3 Jun 2002 19:00:03 -0500]/UNNAMED/html/UNNAMED/[From mark10 <
[email protected]>][Date Fri, 31 May 2002 11:32:34 -0500 (CDT)]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <
[email protected]>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <
[email protected]>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED/[From AcessAFuse <
[email protected]>][Date Mon, 3 Jun 2002 19:00:03 -0500]/UNNAMED/html/UNNAMED/[From mark10 <
[email protected]>][Date Fri, 31 May 2002 11:32:34 -0500 (CDT)]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <
[email protected]>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <
[email protected]>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED/[From AcessAFuse <
[email protected]>][Date Mon, 3 Jun 2002 19:00:03 -0500]/UNNAMED/html/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <
[email protected]>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <
[email protected]>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED/[From AcessAFuse <
[email protected]>][Date Mon, 3 Jun 2002 19:00:03 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <
[email protected]>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <
[email protected]>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED/[From AcessAFuse <
[email protected]>][Date Mon, 3 Jun 2002 19:00:03 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <
[email protected]>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <
[email protected]>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <
[email protected]>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <
[email protected]>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <
[email protected]>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <
[email protected]>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <
[email protected]>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\JustforY.mbx/[From "eBay Secrets Exposed" <
[email protected]>][Date Tue, 11 Feb 2003 04:41:43 -0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\JustforY.mbx Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\PalmOS.mbx/[From InSync Online <
[email protected]>][Date Mon, 03 Jan 2000 14:30:48 PST]/html Suspicious: not-a-virus:PSWTool.HTML.Fraud.gen
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\PalmOS.mbx Suspicious: not-a-virus:PSWTool.HTML.Fraud.gen
C:\Program Files\Microsoft AntiSpyware\Quarantine\2E9F51D5-A9FA-49CD-85CA-F045E3\3E730D14-E734-423F-8F34-E17BEE Infected: not-a-virus:AdWare.CASClient.a
C:\Program Files\Microsoft AntiSpyware\Quarantine\18A8D8DB-E86A-45AB-BE75-7DB3AE\8055A5BB-9FE4-42F1-BFD1-60FD2B Infected: Trojan.Win32.Agent.db
C:\Program Files\Microsoft AntiSpyware\Quarantine\F25C8676-1ACE-477B-9D23-886071\E9C67196-D675-4E29-8A4D-63CDDF/WISE0001.BIN Infected: not-a-virus:AdWare.VirtualBouncer.n
C:\Program Files\Microsoft AntiSpyware\Quarantine\F25C8676-1ACE-477B-9D23-886071\E9C67196-D675-4E29-8A4D-63CDDF Infected: not-a-virus:AdWare.VirtualBouncer.n
C:\Program Files\Microsoft AntiSpyware\Quarantine\F25C8676-1ACE-477B-9D23-886071\8E3BC69B-1E6C-4B1A-9CA6-7A2DA1/vb2uninstaller4_19.EXE/WISE0001.BIN Infected: not-a-virus:AdWare.VirtualBouncer.n
C:\Program Files\Microsoft AntiSpyware\Quarantine\F25C8676-1ACE-477B-9D23-886071\8E3BC69B-1E6C-4B1A-9CA6-7A2DA1/vb2uninstaller4_19.EXE Infected: not-a-virus:AdWare.VirtualBouncer.n
C:\Program Files\Microsoft AntiSpyware\Quarantine\F25C8676-1ACE-477B-9D23-886071\8E3BC69B-1E6C-4B1A-9CA6-7A2DA1 Infected: not-a-virus:AdWare.VirtualBouncer.n
C:\Program Files\Microsoft AntiSpyware\Quarantine\188E8237-E554-4E80-B7FD-D3FB58\1D230F95-47B4-4BF3-861A-94F06B Infected: Trojan.Win32.Agent.db
C:\Program Files\Microsoft AntiSpyware\Quarantine\24FDB872-A67A-479A-9275-B3F184\BC0F366F-E891-4C57-B598-9088B9 Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\Program Files\Microsoft AntiSpyware\Quarantine\31A1C3D7-B336-4D1F-AF29-19F5E7\CAA46502-79B9-4B3E-AB4B-6D8620 Infected: not-a-virus:AdWare.180Solutions.l
C:\Program Files\Microsoft AntiSpyware\Quarantine\31A1C3D7-B336-4D1F-AF29-19F5E7\5258F14E-7388-46C0-AC36-D37700 Infected: not-a-virus:AdWare.180Solutions.k
C:\Program Files\ProSiteFinder\e9be3mbj.DLL Infected: not-a-virus:AdWare.ClearSearch.ah
C:\Program Files\ProSiteFinder\71fl2g0p.DLL Infected: not-a-virus:AdWare.ClearSearch.ah
C:\My Download Files\bittorrent-3.4.1.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Swizzor.k
C:\My Download Files\bittorrent-3.4.1.exe/stream Infected: Trojan-Downloader.Win32.Swizzor.k
C:\My Download Files\bittorrent-3.4.1.exe Infected: Trojan-Downloader.Win32.Swizzor.k
C:\!Submit\hinfeper.DLL Infected: not-a-virus:AdWare.ClearSearch.ae
C:\!Submit\4r3kreyh.DLL Infected: not-a-virus:AdWare.ClaerSearch.ab
C:\!Submit\mc-110-12-0000079.exe Infected: not-a-virus:AdWare.Maxifiles.f
C:\!Submit\services32.exe Infected: not-a-virus:AdWare.Maxifiles.h
C:\!Submit\system32.dll/gui.exe Infected: not-a-virus:AdWare.Maxifiles.a
C:\!Submit\system32.dll Infected: not-a-virus:AdWare.Maxifiles.a
C:\!Submit\DrPMon.dll Infected: Trojan.Win32.Agent.db
C:\!Submit\PreUninstall.exe Infected: not-a-virus:AdWare.Suggestor.f
C:\!Submit\lmf32v.dll Infected: not-a-virus:AdWare.Suggestor.f
C:\!Submit\hisistheurls.exe/archive comment Infected: Trojan.Win32.Favadd.f
C:\!Submit\hisistheurls.exe Infected: Trojan.Win32.Favadd.f
C:\!Submit\mm81.ocx Infected: Trojan-Downloader.Win32.VB.ov
C:\!Submit\ttext.dll Infected: not-a-virus:AdWare.ToolBar.ImiBar.g
C:\!Submit\whagent.exe Infected: not-a-virus:AdWare.WebHancer.351
C:\!Submit\babeb[1].exe Infected: Backdoor.Win32.SdBot.xm
C:\!Submit\stubinstaller6282[1].exe Infected: Trojan-Downloader.Win32.Small.asf
C:\!Submit\rraiyl.exe Infected: Backdoor.Win32.SdBot.xm
C:\!Submit\txxadbhp.dll Infected: Trojan-Downloader.Win32.Agent.lg
C:\!Submit\sav2.exe Infected: Trojan-Downloader.Win32.Apropo.aj
C:\!Submit\mapppc.exe Infected: Backdoor.Win32.SdBot.xm
C:\!Submit\Perflib_Perfdata_d44.dat Infected: Trojan.Win32.EliteBar.a
C:\!Submit\8r1474gn.ini Infected: not-a-virus:AdWare.Sahat.ao
C:\!Submit\1bechnkt.ini Infected: not-a-virus:AdWare.Sahat.ao
C:\!Submit\icont.exe Infected: not-a-virus:AdWare.AdURL.c
C:\!Submit\mmxxxxmas2.exe Infected: Trojan-Downloader.Win32.VB.jl
C:\backup.zip/AAVAPI32.DLL Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/aesnw.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/CEVFAT.DLL Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/daskcopy.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/demsrpcn.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/demsvinn.dLL Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/djodbc7.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/dnru0199e.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/dOtime.dll Infected: not-a-virus:AdWare.Look2Me.u
C:\backup.zip/dXdrm.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/dYdrm.dll Infected: not-a-virus:AdWare.Look2Me.u
C:\backup.zip/e6jmlg1116.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/en22l1fo1.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/enl0l13m1.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/enr8l19u1.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/fjsrch.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/fJxtiff.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/fp0o03d3e.dll Infected: not-a-virus:AdWare.Look2Me.u
C:\backup.zip/fp2403fqe.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/hncoin.dll Infected: not-a-virus:AdWare.Look2Me.u
C:\backup.zip/fplu0339e.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/idign32.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/gpnol3531.dll Infected: not-a-virus:AdWare.Look2Me.u
C:\backup.zip/h40q0ed5eh0.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/hr8805lue.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/hrn4055qe.dll Infected: not-a-virus:AdWare.Look2Me.u
C:\backup.zip/ihxrtmgr.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/ir64l5jq1.dll Infected: not-a-virus:AdWare.Look2Me.u
C:\backup.zip/its.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/ixxpromn.dll Infected: not-a-virus:AdWare.Look2Me.u
C:\backup.zip/iVspipe.dll Infected: not-a-virus:AdWare.Look2Me.u
C:\backup.zip/j4j6le1s1h.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/jibexec.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/jKvart.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/k4620ejoehoc0.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/k4jsle171h.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/KNRNEL32.DLL Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/kt0ql7d51.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/ktnul7591.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/l0j80a1ued.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/lort.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/lv2409fqe.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/lvpq0975e.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/m0lsla371d.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/m2820cloefqc0.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/m4640ejqehoe0.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/m6rmlg9116.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/mcr2cenu.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/mHlsla371d.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/MJRDO20.DLL Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/mlrmsg.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/mmhtmler.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/MODBG.DLL Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/mtimg32.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/mxls31.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/n2n60c5sef.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/nctid.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/NGTLOGON.DLL Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/nudsatq.dll Infected: not-a-virus:AdWare.Look2Me.u
C:\backup.zip/NWTAPI32.DLL Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/o0660ajsedo60.dll Infected: not-a-virus:AdWare.Look2Me.u
C:\backup.zip/phfmgr.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/pYutoenr.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/pzrfdisk.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/q4rq0e95eh.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/rqfsaps.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/seclient.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/snclient.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/tirmmgr.dll Infected: not-a-virus:AdWare.Look2Me.u
C:\backup.zip/u8ruli9918.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/wipdxm.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/xSctsrv.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip Infected: not-a-virus:AdWare.Look2Me.ab
Scan process completed.
And finally, the latest HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 8:19:12 AM, on 9/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Novell\ZENworks\NALDESK.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.