"Generated Errors" problem [CLOSED]


#16 dlines (Topic Starter, Member)

I am not sure what happened to Panda the first time, but this time it seemed to end without a problem. The 5 viruses that it found last time, it must have fixed because they didn't show up this time.

I have attached the Panda log and the HJT log.


Panda Log:


Incident Status Location

Adware:Adware/EliteBar No disinfected C:\WINNT\SYSTEM32\ELITEWOE32.EXE
Adware:Adware/EliteBar No disinfected C:\WINNT\SYSTEM32\ELITEAOK32.EXE
Adware:Adware/EliteBar No disinfected C:\DOCUME~1\LinesD\LOCALS~1\Temp\459600_2548_2488_1604_65.41.tmp
Adware:Adware/EliteBar No disinfected C:\DOCUME~1\LinesD\LOCALS~1\Temp\393386_2548_2488_1896_65.41.tmp
Adware:Adware/EliteBar No disinfected C:\DOCUME~1\LinesD\LOCALS~1\Temp\656204_1244_2488_1920_65.41.tmp
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\SurfSideKick 3\SskBho.dll
Adware:Adware/EliteBar No disinfected C:\WINNT\etb\nt_hide65.dll
Spyware:Spyware/SurfSideKick No disinfected C:\WINNT\system32\repairs.dll
Spyware:spyware/surfsidekick No disinfected C:\DOCUMENTS AND SETTINGS\LINESD\LOCAL SETTINGS\TEMPORARY INTERNET FILES\Ssk.log
Adware:adware/maxifiles No disinfected C:\PROGRAM FILES\COMMON FILES\system32.dll
Spyware:spyware/linkreplacer No disinfected C:\WINNT\SYSTEM32\lmf32v.dll
Adware:adware/midaddle No disinfected C:\WINNT\SYSTEM32\PreUninstall.exe
Adware:adware/aurora No disinfected C:\WINNT\SYSTEM32\DrPMon.dll
Adware:adware/imgiant No disinfected C:\DOCUMENTS AND SETTINGS\ALL USERS\DESKTOP\Joystick News.url
Spyware:spyware/media-motor No disinfected C:\WINNT\mm81.ocx
Adware:adware/transponder No disinfected C:\WINNT\abiuninst.htm
Adware:adware/bookedspace No disinfected C:\WINNT\cfgmgr52.ini
Adware:adware/wintools No disinfected C:\WINNT\hisistheurls.exe
Adware:adware/sahagent No disinfected C:\WINNT\unstall.exe
Adware:adware/apropos No disinfected C:\PROGRAM FILES\AutoUpdate
Adware:adware/ncase No disinfected C:\PROGRAM FILES\180searchassistant
Spyware:spyware/dyfuca No disinfected C:\PROGRAM FILES\Internet Optimizer
Adware:adware/delfinmedia No disinfected C:\WINNT\SYSTEM32\nsvsvc
Adware:adware/virtualbouncer No disinfected C:\WINNT\PROFILES\ALL USERS\APPLICATION DATA\VBouncer
Adware:adware/addestroyer No disinfected C:\WINNT\PROFILES\ALL USERS\APPLICATION DATA\AdDestroyer
Adware:adware/savenow No disinfected C:\WINNT\PROFILES\ALL USERS\APPLICATION DATA\nsv
Adware:adware/elitebar No disinfected C:\WINNT\etb
Adware:adware/afaenhance No disinfected Windows Registry
Spyware:Spyware/SurfSideKick No disinfected C:\WINNT\system32\repairs.dll
Adware:Adware/EliteBar No disinfected C:\WINNT\etb\nt_hide65.dll
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\etb\xml\images\casino.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\etb\xml\images\dating.bmp
Spyware:Spyware/BargainBuddy No disinfected C:\WINNT\etb\xml\images\virus.bmp
Adware:Adware/Imibar No disinfected C:\WINNT\ttext.dll
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\3DRW0WR6\protector[1].exe
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LinesD\Local Settings\Temporary Internet Files\Content.IE5\YSO99C7U\dating[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LinesD\Local Settings\Temporary Internet Files\Content.IE5\8XUBCDQR\virus[1].bmp
Spyware:Spyware/BargainBuddy No disinfected C:\Documents and Settings\LinesD\Local Settings\Temporary Internet Files\Content.IE5\G52RGTIJ\casino[1].bmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\LinesD\Local Settings\Temporary Internet Files\Content.IE5\S1I7KLYN\protector[1].exe
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\LinesD\Local Settings\Temp\393386_2548_2488_1896_65.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\LinesD\Local Settings\Temp\131448_2884_2488_2048_65.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\LinesD\Local Settings\Temp\263240_2884_2488_2648_65.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\LinesD\Local Settings\Temp\197778_2884_2488_2744_65.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\LinesD\Local Settings\Temp\263438_2884_2488_1856_65.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\LinesD\Local Settings\Temp\263100_2884_2488_2492_65.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\LinesD\Local Settings\Temp\393892_2884_2488_272_65.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\LinesD\Local Settings\Temp\197794_2884_2488_2484_65.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\LinesD\Local Settings\Temp\459600_2548_2488_1604_65.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\LinesD\Local Settings\Temp\263114_2884_2488_2180_65.41.tmp
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\LinesD\Local Settings\Temp\656204_1244_2488_1920_65.41.tmp
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\system32.dll[gui.exe]
Adware:Adware/Maxifiles No disinfected C:\Program Files\Common Files\services.exe
Possible Virus. No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\F25C8676-1ACE-477B-9D23-886071\B4DF884B-9834-45AA-B36D-D0F6F2
Adware:Adware/nCase No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\88B6A5B5-C78F-402F-BB9F-DC231B\614FB4BC-4E9A-443E-AED1-70496B
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\SurfSideKick 3\SskBho.dll
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\SurfSideKick 3\SskCore.dll
Spyware:Spyware/SurfSideKick No disinfected C:\Program Files\SurfSideKick 3\Ssk.exe
Spyware:Spyware/ClearSearch No disinfected C:\Program Files\ProSiteFinder\4r3kreyh.DLL
Spyware:Spyware/ClearSearch No disinfected C:\Program Files\ProSiteFinder\hinfeper.DLL
Spyware:Spyware/ClearSearch No disinfected C:\Program Files\ProSiteFinder\prositefinderh.exe

Latest HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:10:51 PM, on 9/5/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\TGluZXNE\command.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\hkivc\vvdbdn.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINNT\Explorer.exe
C:\Program Files\Novell\ZENworks\NALDESK.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINNT\system32\afeiaeol\byrqav.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\nrftqa\mkjdvli.exe
C:\WINNT\exe81.exe
C:\PROGRA~1\AIM\aim.exe
C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Common Files\Windows\services32.exe
c:\program files\novell\nwquota\nwquota.exe
C:\WINNT\etb\pokapoka65.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\Connection Wizard\ICWCONN1.EXE
C:\My Download Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.directsea...one.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.directsea...one.com/sp2.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.directsea...one.com/sp2.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://prinweb
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.directsea...one.com/sp2.php
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://prinweb.prin.edu/pxycfg.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 155.106.100.248:8080
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O1 - Hosts: 155.106.100.225 sctdb1
O1 - Hosts: 216.39.69.102 view.atdmt.com
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [PCDRealtime] C:\WINNT\realtime.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINNT\System32\zentray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [svtcin] C:\WINNT\system32\n20050308.a.Stub.EXE
O4 - HKLM\..\Run: [vvdbdn] C:\WINNT\system32\hkivc\vvdbdn.exe
O4 - HKLM\..\Run: [byrqav] C:\WINNT\system32\afeiaeol\byrqav.exe
O4 - HKLM\..\Run: [mkjdvli] C:\WINNT\system32\nrftqa\mkjdvli.exe
O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe
O4 - HKLM\..\Run: [ProSiteFinder] C:\Program Files\ProSiteFinder\prositefinder.exe
O4 - HKLM\..\Run: [ntdll.dll] c:\winnt\system32\eliteaok32.exe
O4 - HKLM\..\Run: [PMET] C:\WINNT\exe81.exe
O4 - HKLM\..\Run: [csrss] C:\winnt\system32\elitewoe32.exe
O4 - HKLM\..\Run: [2010] C:\WINNT\exe81.exe
O4 - HKLM\..\Run: [51=L] C:\WINNT\exe81.exe
O4 - HKLM\..\Run: [saap] c:\program files\180searchassistant\saap.exe
O4 - HKLM\..\Run: [lsass] c:\winnt\system32\eliteaok32.exe
O4 - HKLM\..\Run: [System service65] C:\WINNT\etb\pokapoka65.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [ntdll.dll] "C:\WINNT\stubinstaller6282.exe"
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O4 - Global Startup: Sync Director.lnk = C:\Program Files\Motorola\PC Partner\SyncDirector.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://prinweb
O15 - Trusted Zone: *.popuppers.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwia.ops.pl...quicksilver.cab
O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} - http://sctcc.prin.ed...iator/jinit.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9BA46C28-F596-486B-A47A-E533EFA46276} (MAPS configuration client launch from the web) - http://155.106.115.1.../mapsconfig.cab
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - http://sctss.prin.ed...iator/jinit.exe
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://sctss.prin.ed...iator/jinit.exe
O23 - Service: Canon NetSpot Suite Service - CANON INC. - C:\Program Files\Canon\VDC\AuVdc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\TGluZXNE\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\winnt\SvcProc.exe (file missing)
O23 - Service: vvdbdnhkivc - Unknown owner - C:\WINNT\system32\hkivc\vvdbdn.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe
#17 Wizard (Retired Staff)

Now we are getting somewhere!


Go to Add\Remove Programs and Remove

SurfSideKick 3
ProSiteFinder
180searchassistant
Internet Optimizer
Virtual Bouncer
AD Destroyer
SaveNow
WeatherBug



Click Start-> Run-> Type in Services.msc and Click OK!

Scroll that list and locate these entries

Command Service
System Startup Service
vvdbdnhkivc


Right Click each entry and Select Properties-> Click Stop-> Go up and change the Startup Type to Disabled!

Click Apply-> OK and Exit the Services Page!


Download LQfix.exe and place it on your desktop.
Doubleclick LQfix.exe and click install.
This will create a new folder called LQfix on your desktop.
Open the folder and doubleclick ClickThis.bat
Follow the prompts on the screen.
Your system will reboot afterwards.
Please be patient after reboot, because there is a script running in the background.


Once the Script has finished-> Update Ad Aware and Ewido again, we will need them in Safe Mode!


Download CCleaner but don't run it yet!
http://www.filehippo...d_ccleaner.html


Download Pocket KillBox from here:
http://www.atribune....ads/KillBox.exe

Highlight the list below and press Ctrl+C to Copy!

C:\DOCUME~1\LinesD\LOCALS~1\Temp\459600_2548_2488_1604_65.41.tmp
C:\DOCUME~1\LinesD\LOCALS~1\Temp\393386_2548_2488_1896_65.41.tmp
C:\DOCUME~1\LinesD\LOCALS~1\Temp\656204_1244_2488_1920_65.41.tmp
C:\DOCUMENTS AND SETTINGS\ALL USERS\DESKTOP\Joystick News.url
C:\DOCUMENTS AND SETTINGS\LINESD\LOCAL SETTINGS\TEMPORARY INTERNET FILES\Ssk.log
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\3DRW0WR6\protector[1].exe
C:\Documents and Settings\LinesD\Local Settings\Temporary Internet Files\Content.IE5\YSO99C7U\dating[1].bmp
C:\Documents and Settings\LinesD\Local Settings\Temporary Internet Files\Content.IE5\8XUBCDQR\virus[1].bmp
C:\Documents and Settings\LinesD\Local Settings\Temporary Internet Files\Content.IE5\G52RGTIJ\casino[1].bmp
C:\Documents and Settings\LinesD\Local Settings\Temporary Internet Files\Content.IE5\S1I7KLYN\protector[1].exe
C:\Documents and Settings\LinesD\Local Settings\Temp\393386_2548_2488_1896_65.41.tmp
C:\Documents and Settings\LinesD\Local Settings\Temp\131448_2884_2488_2048_65.41.tmp
C:\Documents and Settings\LinesD\Local Settings\Temp\263240_2884_2488_2648_65.41.tmp
C:\Documents and Settings\LinesD\Local Settings\Temp\197778_2884_2488_2744_65.41.tmp
C:\Documents and Settings\LinesD\Local Settings\Temp\263438_2884_2488_1856_65.41.tmp
C:\Documents and Settings\LinesD\Local Settings\Temp\263100_2884_2488_2492_65.41.tmp
C:\Documents and Settings\LinesD\Local Settings\Temp\393892_2884_2488_272_65.41.tmp
C:\Documents and Settings\LinesD\Local Settings\Temp\197794_2884_2488_2484_65.41.tmp
C:\Documents and Settings\LinesD\Local Settings\Temp\459600_2548_2488_1604_65.41.tmp
C:\Documents and Settings\LinesD\Local Settings\Temp\263114_2884_2488_2180_65.41.tmp
C:\Documents and Settings\LinesD\Local Settings\Temp\656204_1244_2488_1920_65.41.tmp
C:\WINNT\etb
C:\WINNT\ttext.dll
C:\WINNT\TGluZXNE\command.exe
C:\WINNT\TGluZXNE
C:\WINNT\mm81.ocx
C:\WINNT\abiuninst.htm
C:\WINNT\cfgmgr52.ini
C:\WINNT\hisistheurls.exe
C:\WINNT\unstall.exe
C:\WINNT\Nail.exe
C:\WINNT\stubinstaller6282.exe
C:\WINNT\exe81.exe
C:\WINNT\VCMnet11.exe
C:\WINNT\SvcProc.exe
C:\WINNT\system32\repairs.dll
C:\WINNT\SYSTEM32\lmf32v.dll
C:\WINNT\SYSTEM32\PreUninstall.exe
C:\WINNT\SYSTEM32\DrPMon.dll
C:\WINNT\system32\n20050308.a.Stub.EXE
C:\WINNT\system32\hkivc\vvdbdn.exe
C:\WINNT\system32\hkivc
C:\WINNT\system32\afeiaeol\byrqav.exe
C:\WINNT\system32\afeiaeol
C:\WINNT\system32\nrftqa\mkjdvli.exe
C:\WINNT\system32\nrftqa
C:\WINNT\SYSTEM32\nsvsvc
C:\WINNT\PROFILES\ALL USERS\APPLICATION DATA\VBouncer
C:\WINNT\PROFILES\ALL USERS\APPLICATION DATA\AdDestroyer
C:\WINNT\PROFILES\ALL USERS\APPLICATION DATA\nsv
C:\PROGRAM FILES\COMMON FILES\system32.dll
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
C:\Program Files\Common Files\Windows
C:\Program Files\Common Files\mc-110-12-0000079.exe
C:\Program Files\Common Files\system32.dll
C:\Program Files\Common Files\services.exe
C:\Program Files\SurfSideKick 3\SskBho.dll
C:\Program Files\SurfSideKick 3\SskCore.dll
C:\Program Files\SurfSideKick 3\Ssk.exe
C:\Program Files\SurfSideKick 3
C:\Program Files\ProSiteFinder\4r3kreyh.DLL
C:\Program Files\ProSiteFinder\hinfeper.DLL
C:\Program Files\ProSiteFinder\prositefinderh.exe
C:\Program Files\ProSiteFinder
C:\PROGRAM FILES\AutoUpdate
C:\PROGRAM FILES\180searchassistant
C:\PROGRAM FILES\Internet Optimizer
C:\PROGRAM FILES\AWS


Open Pocket Killbox-> Click File-> Click Paste from Clipboard!

Place a tick by Delete on Reboot-> Click the Red Circle to Delete!

Click Yes to the Prompts that follow and let Killbox Reboot the PC!


Restart in Safe Mode and Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.directsea...one.com/sp2.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.directsea...one.com/sp2.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.directsea...one.com/sp2.php

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.directsea...one.com/sp2.php

R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)

F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe

O1 - Hosts: 155.106.100.225 sctdb1

O1 - Hosts: 216.39.69.102 view.atdmt.com

O4 - HKLM\..\Run: [svtcin] C:\WINNT\system32\n20050308.a.Stub.EXE

O4 - HKLM\..\Run: [vvdbdn] C:\WINNT\system32\hkivc\vvdbdn.exe

O4 - HKLM\..\Run: [byrqav] C:\WINNT\system32\afeiaeol\byrqav.exe

O4 - HKLM\..\Run: [mkjdvli] C:\WINNT\system32\nrftqa\mkjdvli.exe

O4 - HKLM\..\Run: [C:\WINNT\VCMnet11.exe] C:\WINNT\VCMnet11.exe

O4 - HKLM\..\Run: [ProSiteFinder] C:\Program Files\ProSiteFinder\prositefinder.exe

O4 - HKLM\..\Run: [ntdll.dll] c:\winnt\system32\eliteaok32.exe

O4 - HKLM\..\Run: [PMET] C:\WINNT\exe81.exe

O4 - HKLM\..\Run: [csrss] C:\winnt\system32\elitewoe32.exe

O4 - HKLM\..\Run: [2010] C:\WINNT\exe81.exe

O4 - HKLM\..\Run: [51=L] C:\WINNT\exe81.exe

O4 - HKLM\..\Run: [saap] c:\program files\180searchassistant\saap.exe

O4 - HKLM\..\Run: [lsass] c:\winnt\system32\eliteaok32.exe

O4 - HKLM\..\Run: [System service65] C:\WINNT\etb\pokapoka65.exe

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1

O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe

O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000079.exe

O4 - HKCU\..\Run: [ntdll.dll] "C:\WINNT\stubinstaller6282.exe"

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O15 - Trusted Zone: *.popuppers.com

O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\TGluZXNE\command.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\winnt\SvcProc.exe (file missing)

O23 - Service: vvdbdnhkivc - Unknown owner - C:\WINNT\system32\hkivc\vvdbdn.exe

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!

Click Start-> Run-> Copy & Paste the bold text below into the Open Box and Click OK!

sc delete cmdService

and

sc delete SvcProc

and

sc delete vvdbdnhkivc


Now Run Ad Aware and Ewido again, please be sure that all other Windows and Browsers are Closed while you run these!

Save the Report from Ewido!


Now run CCleaner-> Open and Press Run Cleaner and let it do its thing!


Run CleanUp! again-> When Prompted to log off-> Click Yes and Restart back in Normal Mode!


Once in Normal Mode again, run the Hoster just as before!


Right-Click Here and Click "Save As" to download DelDomains.inf to your desktop.

Right Click DelDomains.inf on your desktop and select "Install"

It will perform a silent process-> Give it a minute to run!


After all this is completed, have the PC scanned here to see how we did!
http://support.f-sec.../home/ols.shtml

Save the Report it generates!


Post back with a fresh HijackThis log and the reports from Ewido and F-Secure!
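Added here as a worked example, not code from the thread, from HijackThis or from either poster: a small Python triage script that applies defender-side rules to the HJT entry types Wizard singled out above (R1 search hijacks, the F2 Shell= line, O4 Run entries with system-process names or randomly named system32 subfolders, O15 Trusted Zone entries, O23 services with no owner or a missing binary), flags one executable registered under several Run names, and checks whether a service folder name such as TGluZXNE is base64-encoded text. The sample log is a constructed subset of dlines' posted log; the rule set and thresholds are the example's own assumptions.

```python
"""Triage rules for HijackThis (HJT) v1.99 log lines. Added example for this
thread, not part of HijackThis or of either poster's text: a few defender-side
rules over the entry types that drove the cleanup (R1, F2, O4, O15, O23)."""
import base64
import binascii
import re
from collections import defaultdict

# Core Windows processes are started by the kernel or winlogon, never from a
# Run key, so a Run entry named [csrss], [lsass] or [ntdll.dll] is a disguise.
SYSTEM_NAMES = {"csrss", "lsass", "smss", "winlogon", "services", "svchost",
                "spoolsv", "ntdll.dll", "explorer"}
KNOWN_SYS32_SUBDIRS = {"wbem", "drivers", "spool"}  # legitimately hold executables

O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.+)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>.+)$")
R1_RE = re.compile(r"^R1 - (?P<key>[^,]+),(?P<value>[^=]+?) = (?P<data>.+)$")

def exe_from_cmd(cmd):
    """Lower-cased executable path from a Run command line (quotes and arguments removed)."""
    cmd = cmd.strip().strip('"')
    m = re.match(r"(.+?\.exe)\b", cmd, re.IGNORECASE)
    return (m.group(1) if m else cmd.split(" ")[0]).lower()

def base64_word(name):
    """Decoded text if a folder name is base64 of printable ASCII, else None.
    C:\\WINNT\\TGluZXNE in the thread decodes to the user name LinesD; short
    names can decode by chance, so the text is reported for a human to judge."""
    if len(name) < 8 or len(name) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]+=*", name):
        return None
    try:
        raw = base64.b64decode(name, validate=True)
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("ascii", errors="replace")
    return text if raw.isascii() and text.isprintable() else None

def triage_line(line):
    """Reasons one HJT line deserves a second look (empty list if none)."""
    reasons = []
    if m := O4_RE.match(line):
        name, exe = m.group("name").lower(), exe_from_cmd(m.group("cmd"))
        if name in SYSTEM_NAMES:
            reasons.append(f"Run entry disguised as system process '{name}'")
        # hkivc, afeiaeol, nrftqa in the thread: random folders under system32
        sub = re.search(r"\\system32\\([a-z0-9]+)\\[a-z0-9]+\.exe$", exe)
        if sub and sub.group(1) not in KNOWN_SYS32_SUBDIRS:
            reasons.append(f"executable in odd system32 subfolder '{sub.group(1)}'")
    elif m := O23_RE.match(line):
        path = m.group("path").replace("(file missing)", "").strip()
        if m.group("owner") == "Unknown owner":
            reasons.append("service binary carries no company name")
        if path != m.group("path"):
            reasons.append("service registered but its binary is missing")
        for folder in path.split("\\")[1:-1]:
            if decoded := base64_word(folder):
                reasons.append(f"service folder '{folder}' is base64 for '{decoded}'")
    elif m := F2_RE.match(line):
        if m.group("shell").strip().lower() != "explorer.exe":
            reasons.append("system.ini Shell= launches more than Explorer.exe")
    elif m := O15_RE.match(line):
        reasons.append(f"Trusted Zone grants relaxed security to {m.group('zone')}")
    elif m := R1_RE.match(line):
        if "search" in m.group("value").lower() and m.group("data").lower().startswith("http"):
            reasons.append(f"search setting redirected to {m.group('data')}")
    return reasons

def triage_log(text):
    """triage_line over every line, plus one cross-line rule: the same executable
    registered under several Run names (exe81.exe as [PMET], [2010], [51=L])."""
    findings, targets = [], defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        findings.extend((line, why) for why in triage_line(line))
        if m := O4_RE.match(line):
            targets[exe_from_cmd(m.group("cmd"))].append(m.group("name"))
    for exe, names in targets.items():
        if len(names) > 1:
            findings.append((exe, f"same executable under Run names {names}"))
    return findings

# Constructed sample: a subset of the HJT log posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.directsea...one.com/sp2.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://prinweb
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\Nail.exe
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [vvdbdn] C:\WINNT\system32\hkivc\vvdbdn.exe
O4 - HKLM\..\Run: [ntdll.dll] c:\winnt\system32\eliteaok32.exe
O4 - HKLM\..\Run: [PMET] C:\WINNT\exe81.exe
O4 - HKLM\..\Run: [csrss] C:\winnt\system32\elitewoe32.exe
O4 - HKLM\..\Run: [2010] C:\WINNT\exe81.exe
O4 - HKLM\..\Run: [lsass] c:\winnt\system32\eliteaok32.exe
O15 - Trusted Zone: *.popuppers.com
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\TGluZXNE\command.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\winnt\SvcProc.exe (file missing)
"""
```

Calling triage_log(SAMPLE_LOG) returns (line, reason) pairs; every rule is a hint for the helper reading the log, not a verdict, since a benign entry can trip the same heuristic.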
#18 dlines (Topic Starter, Member)

Ok, I did some of what you said, but not everything. I had some issues as I went along. I will add my comments below yours with a prefix of >>>>>.



Go to Add\Remove Programs and Remove

SurfSideKick 3
ProSiteFinder
180searchassistant
Internet Optimizer
Virtual Bouncer
AD Destroyer
SaveNow
WeatherBug

>>>>> Could not find Virtual Bouncer, AD Destroyer, or SaveNow.

Click Start-> Run-> Type in Services.msc and Click OK!

Scroll that list and locate this entry

Command Service

>>>>> This entry was started, but I could not stop it, but I did disable it.

System Startup Service

>>>>> This entry was stopped and I did disable it.

vvdbdnhkivc

>>>>> Could not stop or disable this entry. It would not let me. I got the following text when trying to stop it:

"Could not stop the vvdbdnhkivc service on Local Computer. The service did not return an error. This could be an internal Windows error or an internal service error. If the problem persists, contact your system administrator."


>>>>> LQfix seemed to work just fine.

>>>>> After running Killbox and letting it reboot the computer, I still got the 16 bit MS-DOS errors and an error about nail.exe. I hoped the nail.exe program will go away after fixing it with HiJackThis.

>>>>> The following HiJackThis problems were not found:

O4 - HKLM\..\Run: [csrss] C:\winnt\system32\elitewoe32.exe

O4 - HKLM\..\Run: [2010] C:\WINNT\exe81.exe

O4 - HKLM\..\Run: [51=L] C:\WINNT\exe81.exe

>>>>> The previous two entries were not found, but there were entries the same as above except 'exe81' was replaced with '2010'.

O4 - HKLM\..\Run: [saap] c:\program files\180searchassistant\saap.exe

O4 - HKLM\..\Run: [lsass] c:\winnt\system32\eliteaok32.exe

O4 - HKLM\..\Run: [System service65] C:\WINNT\etb\pokapoka65.exe

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\WEATHER.EXE 1

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\TGluZXNE\command.exe

O23 - Service: vvdbdnhkivc - Unknown owner - C:\WINNT\system32\hkivc\vvdbdn.exe

>>>>> The above entry had '(file missing)' after it.

Click Start-> Run-> Copy & Paste the bold text below into the Open Box and Click OK!

sc delete cmdService

and

sc delete SvcProc

and

sc delete vvdbdnhkivc

>>>>> When trying to do the above sc commands I got the following error:

"Cannot find the file 'sc' (or one of its components). Make sure the path and filename are correct and that all required libraries are available."

>>>>> I ran AdAware, Ewido (report below), CCleaner, and CleanUp.

Once in Normal Mode again,run the Hoster just as before!

>>>>> I have not rebooted yet and run Hoster because I don't remember running Hoster before.

>>>>> Here is the Ewido report:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:41:33 PM, 9/6/2005
+ Report-Checksum: D7A57296

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DisplayUtility -> Spyware.Delfin : Cleaned with backup
HKLM\SOFTWARE\Mvu -> Spyware.Delfin : Cleaned with backup
HKU\S-1-5-21-1757981266-484763869-682003330-1000\Software\Mvu -> Spyware.Delfin : Cleaned with backup
C:\WINNT\system32\flynoxy.exe -> Trojan.Agent.ay : Cleaned with backup
C:\WINNT\system32\nsvsvc\nsvs.dll -> Spyware.Delfin : Cleaned with backup
C:\WINNT\system32\nsvsvc\nsv.ocx -> Spyware.Delfin : Cleaned with backup
C:\WINNT\system32\mappedpc.exe -> Heuristic.Win32.Morphine-Crypted : Cleaned with backup
C:\WINNT\system32\vidctrl\vidctrl.exe -> Spyware.DelphinMediaViewer : Cleaned with backup
C:\WINNT\optimize.exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\WINNT\mm15201518.a.Stub.exe -> TrojanDownloader.Delmed.a : Cleaned with backup
C:\Documents and Settings\LinesD\Cookies\linesd@abetterinternet[1].txt -> Spyware.Cookie.Abetterinternet : Cleaned with backup
C:\Documents and Settings\LinesD\Cookies\linesd@yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\LinesD\Cookies\linesd@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\LinesD\Cookies\linesd@ugl.adtrak[2].txt -> Spyware.Cookie.Adtrak : Cleaned with backup
C:\Documents and Settings\LinesD\Cookies\linesd@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\LinesD\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Error during cleaning
C:\Documents and Settings\LinesD\Local Settings\Temporary Internet Files\Content.IE5\YSO99C7U\stubinstaller6282[1].exe -> TrojanDownloader.Small.asf : Cleaned with backup
C:\Documents and Settings\LinesD\Local Settings\Temporary Internet Files\Content.IE5\YSO99C7U\mm15201518.a.Stub[1].exe -> TrojanDownloader.Delmed.a : Cleaned with backup
C:\Documents and Settings\LinesD\Local Settings\Temporary Internet Files\Content.IE5\8XUBCDQR\nsh_106[1].exe -> Spyware.Downloadware : Cleaned with backup
C:\Documents and Settings\LinesD\Local Settings\Temporary Internet Files\Content.IE5\8XUBCDQR\optimize[1].exe -> TrojanDownloader.Dyfuca.ei : Cleaned with backup
C:\Documents and Settings\LinesD\Local Settings\Temp\res1E72.tmp -> Spyware.180Solutions : Cleaned with backup
C:\Documents and Settings\LinesD\Local Settings\Temp\nsh_106.exe -> Spyware.Downloadware : Cleaned with backup
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.Delfin : Cleaned with backup
C:\!Submit\system32.dll/gui.exe -> TrojanDownloader.Agent.rv : Error during cleaning
C:\!Submit\svcproc.exe -> Trojan.Stervis.f : Cleaned with backup
C:\!Submit\Nail.exe -> Adware.BetterInternet : Cleaned with backup
C:\!Submit\protector[1].exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\backup.zip/AAVAPI32.DLL -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/aesnw.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/CEVFAT.DLL -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/daskcopy.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/demsrpcn.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/demsvinn.dLL -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/djodbc7.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/dnru0199e.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/dXdrm.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/e6jmlg1116.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/en22l1fo1.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/enl0l13m1.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/enr8l19u1.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/fjsrch.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/fJxtiff.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/fp2403fqe.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/fplu0339e.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/idign32.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/h40q0ed5eh0.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/hr8805lue.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/ihxrtmgr.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/its.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/j4j6le1s1h.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/jibexec.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/jKvart.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/k4620ejoehoc0.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/k4jsle171h.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/KNRNEL32.DLL -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/kt0ql7d51.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/ktnul7591.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/l0j80a1ued.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/lort.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/lv2409fqe.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/lvpq0975e.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/m0lsla371d.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/m2820cloefqc0.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/m4640ejqehoe0.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/m6rmlg9116.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/mcr2cenu.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/mHlsla371d.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/MJRDO20.DLL -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/mlrmsg.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/mmhtmler.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/MODBG.DLL -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/mtimg32.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/mxls31.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/n2n60c5sef.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/nctid.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/NGTLOGON.DLL -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/NWTAPI32.DLL -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/phfmgr.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/pYutoenr.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/pzrfdisk.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/q4rq0e95eh.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/rqfsaps.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/seclient.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/snclient.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/u8ruli9918.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/wipdxm.dll -> Spyware.Look2Me : Error during cleaning
C:\backup.zip/xSctsrv.dll -> Spyware.Look2Me : Error during cleaning


::Report End


>>>>> Sorry I didn't run everything, but let me know the next steps you would like me to take.

#19 Wizard (Retired Staff, 5,661 posts)

Go ahead and Finish up and Scan with F-Secure and Save those Results!

Download WinPFind:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Restart in Safe Mode

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder!


Post back with a fresh HijackThis log and the Results of WinPFind and F-Secure!

#20 dlines (Topic Starter, Member, 27 posts)

I have included the log files that you wanted.

I have a couple of questions.

- Are we making progress?
- We sometimes stop the services, but don't start them, yet some of the startup programs are starting again. For example, Microsoft Anti-Spyware has started again and Norton Anti-Virus is running again. Is this ok?


Here is the log file from F-Secure:

Finished: 13 viruses found

Scanned files: 71216 Warning: 13 file(s) still infected!


C:\WINNT\system32\mapppc.exe Backdoor.Win32.SdBot.xm

C:\WINNT\system32\sav2.exe Trojan-Downloader.Win32.Apropo.aj

C:\WINNT\system32\kkyejyww\txxadbhp.dll Trojan-Downloader.Win32.Agent.lg

C:\WINNT\Temp\rraiyl.exe Backdoor.Win32.SdBot.xm

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\CBSXL0VQ\stubinstaller6282[1].exe Trojan-Downloader.Win32.Small.asf

C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WP6FGPY7\babeb[1].exe Backdoor.Win32.SdBot.xm

C:\Program Files\Windows Media Player\wmplayer.exe Trojan-Downloader.Win32.Small.bem

C:\Program Files\Microsoft AntiSpyware\Quarantine\18A8D8DB-E86A-45AB-BE75-7DB3AE\8055A5BB-9FE4-42F1-BFD1-60FD2B Trojan.Win32.Agent.db

C:\Program Files\Microsoft AntiSpyware\Quarantine\188E8237-E554-4E80-B7FD-D3FB58\1D230F95-47B4-4BF3-861A-94F06B Trojan.Win32.Agent.db

C:\Program Files\Microsoft AntiSpyware\Quarantine\24FDB872-A67A-479A-9275-B3F184\BC0F366F-E891-4C57-B598-9088B9 Trojan-Downloader.Win32.Dyfuca.ei

C:\go_1.exe Trojan-Downloader.Win32.Small.ach

C:\!Submit\DrPMon.dll Trojan.Win32.Agent.db

C:\mmxxxxmas2.exe Trojan-Downloader.Win32.VB.jl




Here is the log file from WinPFind:

WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2600.0000

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
PEC2 9/2/2005 11:54:14 AM 34295039 C:\backup.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 9/6/2005 7:35:34 PM 226536 C:\WINNT\whCC-GIANT.exe
PEC2 5/19/2001 5:08:44 PM 6656 C:\WINNT\pcboot.exe
PEC2 2/27/2003 2:53:18 AM 340480 C:\WINNT\DOTEST.EXE
PEC2 3/15/2003 10:46:14 PM 168448 C:\WINNT\realtime.exe
UPX! 9/1/2005 2:41:36 AM 36080 C:\WINNT\icont.exe

Checking %System% folder...
winsync 7/26/2000 5:00:00 PM 1309184 C:\WINNT\SYSTEM32\wbdbase.deu
PEC2 6/9/2005 3:32:28 PM 692736 C:\WINNT\SYSTEM32\DivX.dll
PECompact2 6/9/2005 3:32:28 PM 692736 C:\WINNT\SYSTEM32\DivX.dll
buddy.exe 7/17/2004 11:43:28 AM 23467 C:\WINNT\SYSTEM32\sample.txt
Umonitor 6/19/2003 12:05:04 PM 529168 C:\WINNT\SYSTEM32\RASDLG.DLL
UPX! 10/7/2002 2:49:38 PM 385536 C:\WINNT\SYSTEM32\QuestLicenseManager.DLL
SAHAgent 9/1/2005 5:06:58 PM 3032 C:\WINNT\SYSTEM32\su8bf669.ini
PTech 7/12/2005 5:50:44 PM 520456 C:\WINNT\SYSTEM32\LegitCheckControl.DLL
SAHAgent 9/1/2005 12:29:02 PM 35 C:\WINNT\SYSTEM32\3ncerb8o.ini
SAHAgent 8/31/2005 4:36:08 PM 2637 C:\WINNT\SYSTEM32\a8sduap5.ini
UPX! 8/16/2005 4:01:12 PM 16384 C:\WINNT\SYSTEM32\Perflib_Perfdata_cf4.dat
UPX! 8/31/2005 2:01:24 PM 121433 C:\WINNT\SYSTEM32\mc-110-12-0000079.exe
SAHAgent 9/1/2005 12:29:02 PM 35 C:\WINNT\SYSTEM32\1bechnkt.ini
SAHAgent 8/31/2005 4:22:32 PM 35 C:\WINNT\SYSTEM32\befv2esf.ini
SAHAgent 8/31/2005 4:22:32 PM 35 C:\WINNT\SYSTEM32\8r1474gn.ini
PEC2 8/31/2005 4:27:34 PM 16384 C:\WINNT\SYSTEM32\Perflib_Perfdata_d44.dat
PECompact2 8/31/2005 4:27:34 PM 16384 C:\WINNT\SYSTEM32\Perflib_Perfdata_d44.dat
SAHAgent 8/31/2005 8:29:56 PM 1421 C:\WINNT\SYSTEM32\ig58ai6o.ini
SAHAgent 8/31/2005 8:29:54 PM 35 C:\WINNT\SYSTEM32\j0sg9e37.ini

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts
127.0.0.1 www.qoologic.com
127.0.0.1 www.urllogic.com


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/8/2005 12:02:00 PM H 744388 C:\WINNT\ShellIconCache
9/8/2005 9:52:14 AM H 54156 C:\WINNT\QTFont.qfn
9/8/2005 12:12:46 PM H 1024 C:\WINNT\system32\config\software.LOG
9/8/2005 12:02:52 PM H 1024 C:\WINNT\system32\config\default.LOG
9/8/2005 12:03:26 PM H 1024 C:\WINNT\system32\config\SECURITY.LOG
9/8/2005 12:09:10 PM H 1024 C:\WINNT\system32\config\SAM.LOG
8/20/2005 1:22:12 PM HS 24 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\Preferred
8/20/2005 1:22:12 PM HS 336 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\5c76bdda-060b-41cf-81e8-a6486f82e867
9/8/2005 12:02:44 PM H 6 C:\WINNT\Tasks\SA.DAT
9/8/2005 12:02:42 PM S 64 C:\WINNT\CSC\00000001
9/8/2005 8:47:50 AM S 64 C:\WINNT\CSC\csc1.tmp
9/8/2005 12:00:34 PM S 64 C:\WINNT\CSC\00000002
8/31/2005 8:29:50 PM S 53 C:\WINNT\Profiles\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\d642018b883da684e9c7dcbbfa2f2836_c4fe4ef5-407c-469b-bb9c-1bb60c8bc4bf
9/6/2005 3:47:56 PM S 69 C:\WINNT\Profiles\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\95147d52219a6c289276fe8b5b3650fb_c4fe4ef5-407c-469b-bb9c-1bb60c8bc4bf
9/6/2005 3:48:30 PM H 3802 C:\WINNT\Profiles\All Users\Application Data\AOL\AOLDiag\AOL\HostManager\Win32\2005707.1601.419728a\manifest.bin
9/6/2005 3:48:34 PM H 3802 C:\WINNT\Profiles\All Users\Application Data\AOL\AOLDiag\AOL\ServiceHost\Win32\2005707.1601.419728a\manifest.bin

Checking for CPL files...
Microsoft Corporation 6/19/2003 12:05:04 PM 301328 C:\WINNT\SYSTEM32\appwiz.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 128272 C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 118032 C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 36112 C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 60688 C:\WINNT\SYSTEM32\joy.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 122128 C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 303888 C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 17168 C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 41232 C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation 6/19/2003 12:05:04 PM 90896 C:\WINNT\SYSTEM32\powercfg.cpl
Microsoft Corporation 6/19/2003 12:05:04 PM 83216 C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 5904 C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 61200 C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation 6/19/2003 12:05:04 PM 41232 C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/17/2001 10:43:40 PM 294912 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 67344 C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation 6/19/2003 12:05:04 PM 237328 C:\WINNT\SYSTEM32\DESK.CPL
Microsoft Corporation 6/19/2003 12:05:04 PM 125712 C:\WINNT\SYSTEM32\SYSDM.CPL
Apple Computer, Inc. 4/8/2004 2:12:42 PM 323072 C:\WINNT\SYSTEM32\QuickTime.cpl
Microsoft Corporation 2/20/2001 1:09:54 PM 109056 C:\WINNT\SYSTEM32\INPUT.CPL
Microsoft Corporation 6/19/2003 12:05:04 PM 54272 C:\WINNT\SYSTEM32\wuaucpl.cpl
Oracle 3/2/2004 2:29:30 PM 45145 C:\WINNT\SYSTEM32\plugincpl13118.cpl
Novell, Inc. 3/24/2003 3:00:08 PM 102400 C:\WINNT\SYSTEM32\nCredps.cpl
Sun Microsystems 8/5/2003 9:02:56 AM 45175 C:\WINNT\SYSTEM32\plugincpl131_09.cpl
Oracle 4/18/2002 2:47:54 PM 24672 C:\WINNT\SYSTEM32\plugincpl1319.cpl
Sun Microsystems 5/17/2002 5:04:56 PM 45154 C:\WINNT\SYSTEM32\plugincpl131_04.cpl
Oracle 5/8/2003 2:35:36 PM 45153 C:\WINNT\SYSTEM32\plugincpl13113.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 41232 C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/17/2001 10:43:40 PM 294912 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
IBM Corporation 9/23/1999 6:44:36 PM 94208 C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/8/2005 12:01:52 PM 2225 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
4/3/2005 1:07:10 PM 1412 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Application Explorer.lnk
4/3/2005 1:07:06 PM 1484 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
4/3/2005 1:07:12 PM 598 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Sync Director.lnk
4/3/2005 1:07:06 PM 1307 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
4/3/2005 1:07:12 PM 1357 C:\Documents and Settings\LinesD\Start Menu\Programs\Startup\HotSync Manager.lnk

Checking files in %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
acc=ventura5 =
acc=none =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\NetWareMenuItems
{e3bbbfc0-f61f-11cf-bb16-00c04fd371f4} = novnpnt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\NetWareMenuItems
{e3bbbfc0-f61f-11cf-bb16-00c04fd371f4} = novnpnt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\NetWareServerMenu
{9b173360-732b-11ce-aa22-00805f9834b0} = novnpnt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}
AOL Toolbar Launcher = C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c900b400-cdfe-11d3-976a-00e02913a9e0}
WhIeHelperObj Class = C:\Program Files\webHancer\programs\whiehlpr.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{182EC0BE-5110-49C8-A062-BEB1D02A220B}
Adobe PDF = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{DE9C389F-3316-41A7-809B-AA305ED9D922} = AOL Toolbar : C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3369AF0D-62E9-4bda-8103-B4C75499B578}
ButtonText = AOL Toolbar :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\PROGRA~1\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{C1994287-422F-47aa-8E5E-6323E210A125}
ButtonText = Novell delivered applications :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} = :
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
{DE9C389F-3316-41A7-809B-AA305ED9D922} = AOL Toolbar : C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
NWTRAY NWTRAY.EXE
CreateCD50 "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
AdaptecDirectCD "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
TkBellExe C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
PCDRealtime C:\WINNT\realtime.exe
ZENRC Tray Icon C:\WINNT\System32\zentray.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper C:\Program Files\iTunes\iTunesHelper.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
Acrobat Assistant 7.0 "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

2010 C:\WINNT\exe82.exe
51=L C:\WINNT\exe82.exe
HostManager C:\Program Files\Common Files\AOL\1126039706\ee\AOLHostManager.exe
webHancer Agent "C:\Program Files\webHancer\Programs\whAgent.exe"
webHancer Survey Companion "C:\Program Files\webHancer\Programs\whSurvey.exe"
PMET C:\WINNT\exe82.exe
Microsoft Mapped PC mapppc.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
vptray C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
Microsoft Mapped PC mapppc.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AIM C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
services32 C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
Microsoft Mapped PC mapppc.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
CompatibleRUPSecurity 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations
LowRiskFileTypes .zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149
CDRAutoRun 0
ForceStartMenuLogOff 1
NoWelcomeScreen 1
NoInstrumentation 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
jjlnuabahh.exe C:\WINNT\system\jjlnuabahh.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
Shell = explorer.exe
System = ziswin.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
= C:\WINNT\system32\NavLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.5 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/8/2005 12:15:40 PM


Here is the latest HJT log (run while still in Safe Mode):

Logfile of HijackThis v1.99.1
Scan saved at 12:18:36 PM, on 9/8/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\My Download Files\WinPFind\WinPFind\WinPFind\WinPFind.exe
C:\My Download Files\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://prinweb
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://prinweb.prin.edu/pxycfg.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 155.106.100.248:8080
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [PCDRealtime] C:\WINNT\realtime.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINNT\System32\zentray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [2010] C:\WINNT\exe82.exe
O4 - HKLM\..\Run: [51=L] C:\WINNT\exe82.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1126039706\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [PMET] C:\WINNT\exe82.exe
O4 - HKLM\..\Run: [Microsoft Mapped PC] mapppc.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\RunServices: [Microsoft Mapped PC] mapppc.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [Microsoft Mapped PC] mapppc.exe
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O4 - Global Startup: Sync Director.lnk = C:\Program Files\Motorola\PC Partner\SyncDirector.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O14 - IERESET.INF: START_PAGE_URL=http://prinweb
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwia.ops.pl...quicksilver.cab
O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} - http://sctcc.prin.ed...iator/jinit.exe
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9BA46C28-F596-486B-A47A-E533EFA46276} (MAPS configuration client launch from the web) - http://155.106.115.1.../mapsconfig.cab
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - http://sctss.prin.ed...iator/jinit.exe
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://sctss.prin.ed...iator/jinit.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Canon NetSpot Suite Service - CANON INC. - C:\Program Files\Canon\VDC\AuVdc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\winnt\SvcProc.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe
  • 0


#22
Wizard

  • Retired Staff
  • 5,661 posts
Go to Add\Remove Programs and Remove

WebHancer

Right-Click Here and Click "Save As" to download DelDomains.inf to your desktop.

Right Click DelDomains.inf on your desktop and select "Install"

It will perform a silent process -> Give it a minute to run!


Locate and Run the Hoster again as well to clear out the Infected Hosts File!


Highlight the list below and press Ctrl+C to Copy!

C:\go_1.exe
C:\mmxxxxmas2.exe
C:\WINNT\exe82.exe
C:\WINNT\icont.exe
C:\WINNT\SvcProc.exe
C:\WINNT\ziswin.exe
C:\WINNT\system\jjlnuabahh.exe
C:\WINNT\SYSTEM32\sample.txt
C:\WINNT\SYSTEM32\ziswin.exe
C:\WINNT\SYSTEM32\su8bf669.ini
C:\WINNT\SYSTEM32\3ncerb8o.ini
C:\WINNT\SYSTEM32\a8sduap5.ini
C:\WINNT\SYSTEM32\Perflib_Perfdata_cf4.dat
C:\WINNT\SYSTEM32\mc-110-12-0000079.exe
C:\WINNT\SYSTEM32\1bechnkt.ini
C:\WINNT\SYSTEM32\befv2esf.ini
C:\WINNT\SYSTEM32\8r1474gn.ini
C:\WINNT\SYSTEM32\Perflib_Perfdata_d44.dat
C:\WINNT\SYSTEM32\Perflib_Perfdata_d44.dat
C:\WINNT\SYSTEM32\ig58ai6o.ini
C:\WINNT\SYSTEM32\j0sg9e37.ini
C:\WINNT\system32\mapppc.exe
C:\WINNT\system32\sav2.exe
C:\WINNT\system32\kkyejyww\txxadbhp.dll
C:\WINNT\system32\kkyejyww
C:\WINNT\Temp\rraiyl.exe
C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
C:\Program Files\Common Files\Windows
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\CBSXL0VQ\stubinstaller6282[1].exe
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WP6FGPY7\babeb[1].exe
C:\Program Files\webHancer\programs\whiehlpr.dll
C:\Program Files\webHancer\Programs\whSurvey.exe
C:\Program Files\webHancer\Programs\whAgent.exe
C:\Program Files\webHancer\programs
C:\Program Files\webHancer


Open Pocket Killbox-> Click File-> Click Paste from Clipboard!

Place a tick by Delete on Reboot-> Click the Red Circle to Delete!

Click Yes to the Prompts that follow and let Killbox Reboot the PC!


Restart in Safe Mode and Run each entry through Killbox again, selecting these options when available!

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"


Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://websearch.drs...esearch.cgi?id=

O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll

O4 - HKLM\..\Run: [2010] C:\WINNT\exe82.exe

O4 - HKLM\..\Run: [51=L] C:\WINNT\exe82.exe

O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"

O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"

O4 - HKLM\..\Run: [PMET] C:\WINNT\exe82.exe

O4 - HKLM\..\Run: [Microsoft Mapped PC] mapppc.exe

O4 - HKLM\..\RunServices: [Microsoft Mapped PC] mapppc.exe

O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe

O4 - HKCU\..\Run: [Microsoft Mapped PC] mapppc.exe

O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\winnt\SvcProc.exe (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!


Now Open the l2mfix and run Option 4 and then Option 2


Still in Safe Mode, Scan with WinPFind again and Save that log!


Restart Normal and Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Post back with the logs from WinPFind-> L2mfix and Kaspersky along with a fresh HijackThis log!
  • 0
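The Fix Checked step above depends on the helper reading every HijackThis line by eye. As an added example, not code from this thread and not part of HijackThis, Killbox or any other tool named here, the following Python script parses the O4, O15 and O23 lines of a log and applies four of the checks visible in the list above: the same binary registered under several Run value names, a Run target with no directory, a service marked "(file missing)" with an unknown owner, and any Trusted Zone addition. The sample log lines are constructed from entries quoted in the thread; the regular expressions, function names and rule wording are this example's own.

```python
"""Triage helper for HijackThis log lines (added example, not part of the
thread or of HijackThis). Parses the O4, O15 and O23 lines of a log and
applies a few checks a helper otherwise makes by eye before choosing
entries to Fix Checked. SAMPLE_LOG is constructed from lines quoted above."""
import re
from collections import defaultdict

# Every HijackThis line starts with a section code such as R0, O2, O4, O23.
SECTION_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
# O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 - Service: Display name (short name) - Owner - path [(file missing)]
O23_RE = re.compile(r"^Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# O15 - Trusted Zone: *.example.com
O15_RE = re.compile(r"^Trusted Zone: (?P<domain>\S+)$")
# Leading token of an unquoted command line, cut at the first executable extension.
EXE_RE = re.compile(r"^(?P<path>.+?\.(?:exe|dll|scr|com|bat|cmd))(?:\s|$)", re.IGNORECASE)

SAMPLE_LOG = r"""
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O4 - HKLM\..\Run: [2010] C:\WINNT\exe82.exe
O4 - HKLM\..\Run: [51=L] C:\WINNT\exe82.exe
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [PMET] C:\WINNT\exe82.exe
O4 - HKLM\..\Run: [Microsoft Mapped PC] mapppc.exe
O4 - HKLM\..\RunServices: [Microsoft Mapped PC] mapppc.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [Microsoft Mapped PC] mapppc.exe
O15 - Trusted Zone: *.media-motor.net
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\winnt\SvcProc.exe (file missing)
""".strip().splitlines()


def exe_from_command(cmd):
    """Program path of a Run value: quoted paths may hold spaces, unquoted ones
    are cut at the first executable extension, so 'a.exe -flag' gives 'a.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group("path") if m else cmd.split(" ", 1)[0]


def parse_lines(lines):
    """Turn O4/O15/O23 log lines into (section, fields) records; others are skipped."""
    records = []
    for raw in lines:
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4" and (o4 := O4_RE.match(body)):
            fields = {**o4.groupdict(), "exe": exe_from_command(o4.group("cmd"))}
        elif sec == "O23" and (o23 := O23_RE.match(body)):
            fields = o23.groupdict()
        elif sec == "O15" and (o15 := O15_RE.match(body)):
            fields = o15.groupdict()
        else:
            continue
        fields["raw"] = line
        records.append((sec, fields))
    return records


def triage(lines):
    """Return {log line: [reasons]} for every entry that deserves a closer look."""
    records = parse_lines(lines)
    findings = defaultdict(list)
    # Rule 1 needs the whole log: one binary registered under several value names.
    names_by_exe = defaultdict(set)
    for sec, r in records:
        if sec == "O4":
            names_by_exe[r["exe"].lower()].add(r["name"])
    for sec, r in records:
        if sec == "O4":
            names = names_by_exe[r["exe"].lower()]
            if len(names) > 1:
                findings[r["raw"]].append(
                    f"{r['exe']} is registered under {len(names)} Run value names")
            # Rule 2: a bare file name is found by PATH search, not at a fixed path.
            if "\\" not in r["exe"]:
                findings[r["raw"]].append("Run target has no directory; resolved by PATH search")
        elif sec == "O23":
            # Rule 3: the service binary is gone and no vendor claims it.
            if "(file missing)" in r["path"] and r["owner"].lower() == "unknown owner":
                findings[r["raw"]].append("service binary missing and owner unknown")
        elif sec == "O15":
            # Rule 4: every Trusted Zone entry relaxes IE security for that site.
            findings[r["raw"]].append(f"{r['domain']} added to Trusted Zone")
    return dict(findings)


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run against the sample, the script flags the three exe82.exe entries, the three mapppc.exe entries, the SvcProc service and the Trusted Zone line. Note what it does not catch: the [services32] entry under HKCU\..\Run passes all four rules and was still on the removal list above, so the output is a starting point for review, not a verdict; the Fix Checked decision stays with the person reading the full log.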

#23
dlines

  • Topic Starter
  • Member
  • 27 posts
I did all the steps. The second time through Killbox, the only things that were found were:

C:\WINNT\system32\kkyejyww
C:\Program Files\Common Files\Windows
C:\Program Files\webHancer\programs
C:\Program Files\webHancer

All the entries said that the directory was deleted except for the last one that said "This File could not be Deleted".

When doing the HijackThis fixing, the following were not found:

O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll

O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"

O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"


Here are the log files:

WinPFind:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows 2000 Current Build: Service Pack 4 Current Build Number: 2195
Internet Explorer Version: 6.0.2600.0000

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
PEC2 9/10/2005 1:11:58 PM 34298012 C:\backup.zip

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 9/6/2005 7:35:34 PM 226536 C:\WINNT\whCC-GIANT.exe
PEC2 5/19/2001 5:08:44 PM 6656 C:\WINNT\pcboot.exe
PEC2 2/27/2003 2:53:18 AM 340480 C:\WINNT\DOTEST.EXE
PEC2 3/15/2003 10:46:14 PM 168448 C:\WINNT\realtime.exe

Checking %System% folder...
winsync 7/26/2000 5:00:00 PM 1309184 C:\WINNT\SYSTEM32\wbdbase.deu
PEC2 6/9/2005 3:32:28 PM 692736 C:\WINNT\SYSTEM32\DivX.dll
PECompact2 6/9/2005 3:32:28 PM 692736 C:\WINNT\SYSTEM32\DivX.dll
Umonitor 6/19/2003 12:05:04 PM 529168 C:\WINNT\SYSTEM32\RASDLG.DLL
UPX! 10/7/2002 2:49:38 PM 385536 C:\WINNT\SYSTEM32\QuestLicenseManager.DLL
PTech 7/12/2005 5:50:44 PM 520456 C:\WINNT\SYSTEM32\LegitCheckControl.DLL

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/9/2005 6:54:04 PM H 644482 C:\WINNT\ShellIconCache
9/10/2005 1:14:46 PM H 1024 C:\WINNT\system32\config\software.LOG
9/10/2005 12:32:38 PM H 1024 C:\WINNT\system32\config\default.LOG
9/10/2005 1:10:00 PM H 1024 C:\WINNT\system32\config\SECURITY.LOG
9/10/2005 1:06:58 PM H 1024 C:\WINNT\system32\config\SAM.LOG
8/20/2005 1:22:12 PM HS 24 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\Preferred
8/20/2005 1:22:12 PM HS 336 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\5c76bdda-060b-41cf-81e8-a6486f82e867
9/10/2005 12:32:18 PM H 6 C:\WINNT\Tasks\SA.DAT
9/10/2005 12:32:10 PM S 64 C:\WINNT\CSC\00000001
9/9/2005 3:45:12 PM S 64 C:\WINNT\CSC\csc1.tmp
9/9/2005 6:04:52 PM S 64 C:\WINNT\CSC\00000002
8/31/2005 8:29:50 PM S 53 C:\WINNT\Profiles\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\d642018b883da684e9c7dcbbfa2f2836_c4fe4ef5-407c-469b-bb9c-1bb60c8bc4bf
9/6/2005 3:47:56 PM S 69 C:\WINNT\Profiles\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\95147d52219a6c289276fe8b5b3650fb_c4fe4ef5-407c-469b-bb9c-1bb60c8bc4bf
9/6/2005 3:48:30 PM H 3802 C:\WINNT\Profiles\All Users\Application Data\AOL\AOLDiag\AOL\HostManager\Win32\2005707.1601.419728a\manifest.bin
9/6/2005 3:48:34 PM H 3802 C:\WINNT\Profiles\All Users\Application Data\AOL\AOLDiag\AOL\ServiceHost\Win32\2005707.1601.419728a\manifest.bin

Checking for CPL files...
Microsoft Corporation 6/19/2003 12:05:04 PM 301328 C:\WINNT\SYSTEM32\appwiz.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 128272 C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 118032 C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 36112 C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 60688 C:\WINNT\SYSTEM32\joy.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 122128 C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 303888 C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 17168 C:\WINNT\SYSTEM32\ncpa.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 41232 C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation 6/19/2003 12:05:04 PM 90896 C:\WINNT\SYSTEM32\powercfg.cpl
Microsoft Corporation 6/19/2003 12:05:04 PM 83216 C:\WINNT\SYSTEM32\sticpl.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 5904 C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 61200 C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation 6/19/2003 12:05:04 PM 41232 C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/17/2001 10:43:40 PM 294912 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 67344 C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation 6/19/2003 12:05:04 PM 237328 C:\WINNT\SYSTEM32\DESK.CPL
Microsoft Corporation 6/19/2003 12:05:04 PM 125712 C:\WINNT\SYSTEM32\SYSDM.CPL
Apple Computer, Inc. 4/8/2004 2:12:42 PM 323072 C:\WINNT\SYSTEM32\QuickTime.cpl
Microsoft Corporation 2/20/2001 1:09:54 PM 109056 C:\WINNT\SYSTEM32\INPUT.CPL
Microsoft Corporation 6/19/2003 12:05:04 PM 54272 C:\WINNT\SYSTEM32\wuaucpl.cpl
Oracle 3/2/2004 2:29:30 PM 45145 C:\WINNT\SYSTEM32\plugincpl13118.cpl
Novell, Inc. 3/24/2003 3:00:08 PM 102400 C:\WINNT\SYSTEM32\nCredps.cpl
Sun Microsystems 8/5/2003 9:02:56 AM 45175 C:\WINNT\SYSTEM32\plugincpl131_09.cpl
Oracle 4/18/2002 2:47:54 PM 24672 C:\WINNT\SYSTEM32\plugincpl1319.cpl
Sun Microsystems 5/17/2002 5:04:56 PM 45154 C:\WINNT\SYSTEM32\plugincpl131_04.cpl
Oracle 5/8/2003 2:35:36 PM 45153 C:\WINNT\SYSTEM32\plugincpl13113.cpl
Microsoft Corporation 7/26/2000 5:00:00 PM 41232 C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/17/2001 10:43:40 PM 294912 C:\WINNT\SYSTEM32\dllcache\inetcpl.cpl
IBM Corporation 9/23/1999 6:44:36 PM 94208 C:\WINNT\SYSTEM32\dllcache\mwcpa32.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/10/2005 10:54:18 AM 2225 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
4/3/2005 1:07:10 PM 1412 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Application Explorer.lnk
4/3/2005 1:07:06 PM 1484 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
4/3/2005 1:07:12 PM 598 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Sync Director.lnk
4/3/2005 1:07:06 PM 1307 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...

Checking files in %USERPROFILE%\Startup folder...
4/3/2005 1:07:12 PM 1357 C:\Documents and Settings\LinesD\Start Menu\Programs\Startup\HotSync Manager.lnk

Checking files in %USERPROFILE%\Application Data folder...

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\NetWareMenuItems
{e3bbbfc0-f61f-11cf-bb16-00c04fd371f4} = novnpnt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\LDVPMenu
{BDA77241-42F6-11d0-85E2-00AA001FE28C} = C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\NetWareMenuItems
{e3bbbfc0-f61f-11cf-bb16-00c04fd371f4} = novnpnt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\NetWareServerMenu
{9b173360-732b-11ce-aa22-00805f9834b0} = novnpnt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\shell32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{7f9609be-af9a-11d1-83e0-00c04fb6e984}
= %SystemRoot%\system32\faxshell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{884EA37B-37C0-11d2-BE3F-00A0C9A83DA1}
= C:\WINNT\System32\docprop2.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}
AOL Toolbar Launcher = C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{182EC0BE-5110-49C8-A062-BEB1D02A220B}
Adobe PDF = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{DE9C389F-3316-41A7-809B-AA305ED9D922} = AOL Toolbar : C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3369AF0D-62E9-4bda-8103-B4C75499B578}
ButtonText = AOL Toolbar :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\PROGRA~1\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{C1994287-422F-47aa-8E5E-6323E210A125}
ButtonText = Novell delivered applications :

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File and Folders Search ActiveX Control = C:\WINNT\system32\shell32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = :
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
{77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} = :
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\System32\browseui.dll
{DE9C389F-3316-41A7-809B-AA305ED9D922} = AOL Toolbar : C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Synchronization Manager mobsync.exe /logon
NWTRAY NWTRAY.EXE
CreateCD50 "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
AdaptecDirectCD "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
TkBellExe C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
PCDRealtime C:\WINNT\realtime.exe
ZENRC Tray Icon C:\WINNT\System32\zentray.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
iTunesHelper C:\Program Files\iTunes\iTunesHelper.exe
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
Acrobat Assistant 7.0 "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

HostManager C:\Program Files\Common Files\AOL\1126039706\ee\AOLHostManager.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
vptray C:\PROGRA~1\SYMANT~1\VPTray.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AIM C:\PROGRA~1\AIM\aim.exe -cnetwait.odl

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
CompatibleRUPSecurity 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\AdminComponent

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations
LowRiskFileTypes .zip;.rar;.cab;.txt;.exe;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mov;.mp3;.wav

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149
CDRAutoRun 0
ForceStartMenuLogOff 1
NoWelcomeScreen 1
NoInstrumentation 1

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
jjlnuabahh.exe C:\WINNT\system\jjlnuabahh.exe

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
Network.ConnectionTray {7007ACCF-3202-11D1-AAD2-00805FC1270E} = C:\WINNT\system32\NETSHELL.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,
Shell = explorer.exe
System = ziswin.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon
= C:\WINNT\system32\NavLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif
= wzcdlg.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.3.5 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 9/10/2005 1:19:01 PM


L2mfix log:

Setting Directory
C:\
C:\
System Rebooted!

Running From:
C:\

killing explorer and rundll32.exe

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Desktop.ini sucessfully removed


Zipping up files for submission:
updating: clear.reg (deflated 2%)
updating: desktop.ini (stored 0%)
updating: PRODtoPPRD.txt (deflated 83%)
updating: TEST_class_sec_objs.txt (deflated 93%)
updating: PROD_class_sec_objs.txt (deflated 94%)
updating: PROD_Class_Users.txt (deflated 86%)
updating: PROD_Class_Security_Objects.txt (deflated 90%)
updating: PROD_Security_Object_Users.txt (deflated 83%)
updating: TEST_Class_Users.txt (deflated 86%)
updating: TEST_Class_Security_Objects.txt (deflated 90%)
updating: TEST_Security_Object_Users.txt (deflated 83%)
updating: PROD_User_Status.txt (deflated 76%)
updating: cloneDVEL1.txt (deflated 87%)
updating: PROD_Role_Users.txt (deflated 86%)
updating: cloneDVEL2.txt (deflated 88%)
updating: cloning_PPRD.txt (deflated 84%)
updating: compile.txt (deflated 82%)
updating: cloning_PPRD_new.txt (deflated 83%)
updating: slpjob.txt (deflated 76%)
updating: unix_lp.txt (deflated 91%)
updating: sql_show.txt (deflated 54%)
updating: unix_lp2.txt (deflated 68%)
updating: PROD_Role_Object_Users.txt (deflated 89%)
updating: LOGFILE.TXT (deflated 72%)
updating: Steve.txt (deflated 56%)
updating: asdf.txt (deflated 69%)
updating: lo2.txt (deflated 69%)
updating: clone_PROD_PPRD.txt (deflated 86%)
updating: BAN6_Class_Users.txt (deflated 86%)
updating: PPRD_User_Status.txt (deflated 76%)
updating: TRNG_8_to_9.txt (deflated 92%)
updating: nation_test_ascii.txt (deflated 81%)
updating: PPRD_Role_Users.txt (deflated 86%)
updating: PROD_Role_Security_Objects.txt (deflated 89%)
updating: PPRD_Role_Object_Users.txt (deflated 89%)
updating: test2.txt (stored 0%)
updating: BAN6_Class_Security_Objects.txt (deflated 90%)
updating: BAN6_Security_Object_Users.txt (deflated 83%)
updating: UNIXhelp.txt (deflated 16%)
updating: PPRD_Class_Users.txt (deflated 86%)
updating: test3.txt (stored 0%)
updating: TEST6_Class_Users.txt (deflated 86%)
updating: TEST6_Class_Security_Objects.txt (deflated 90%)
updating: TEST6_Security_Object_Users.txt (deflated 83%)
updating: TEST_User_Status.txt (deflated 76%)
updating: PPRD_Role_Security_Objects.txt (deflated 89%)
updating: TEST_Role_Users.txt (deflated 86%)
updating: test5.txt (stored 0%)
updating: PPRD_Class_Security_Objects.txt (deflated 90%)
updating: PPRD_Security_Object_Users.txt (deflated 83%)
updating: TEST_Role_Object_Users.txt (deflated 89%)
updating: TEST_Role_Security_Objects.txt (deflated 89%)
updating: test.txt (stored 0%)
updating: TRNG_8_to_9_abbrev.txt (deflated 88%)
updating: TRNG_8_to_9_part2.txt (deflated 67%)
updating: import.err.txt (deflated 81%)
updating: TRNG_8_to_9_part3.txt (deflated 92%)
updating: clone_newserver_PROD.txt (deflated 83%)
updating: clone_newserver_TEST.txt (deflated 83%)
updating: clone_newserver_TRNG.txt (deflated 83%)
adding: log.txt (deflated 84%)

Restoring Registry Permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!


Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

Restoring Windows Update Certificates.:


The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NavLogon]
"Logoff"="NavLogoffEvent"
"DllName"="C:\\WINNT\\system32\\NavLogon.dll"
"StartShell"="NavStartShellEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000


The following are the files found:
****************************************************************************

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
****************************************************************************
Desktop.ini Contents:
****************************************************************************
[.ShellClassInfo]
CLSID={645FF040-5081-101B-9F08-00AA002F954E}
****************************************************************************


Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, September 12, 2005 08:17:02
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 10/09/2005
Kaspersky Anti-Virus database records: 148723
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 71204
Number of viruses found: 35
Number of infected objects: 143
Number of suspicious objects: 22
Duration of the scan process: 7417 sec

Infected Object Name - Virus Name
C:\WINNT\Temp\180sainstallernu.exe/clientax.dll Infected: not-a-virus:AdWare.180Solutions.k
C:\WINNT\Temp\180sainstallernu.exe Infected: not-a-virus:AdWare.180Solutions.k
C:\WINNT\Temp\180SAAX.cab/clientax.dll Infected: not-a-virus:AdWare.180Solutions.k
C:\WINNT\Temp\180SAAX.cab Infected: not-a-virus:AdWare.180Solutions.k
C:\WINNT\Temp\clientax.dll Infected: not-a-virus:AdWare.180Solutions.k
C:\WINNT\Temp\res688.tmp Infected: not-a-virus:AdWare.180Solutions.k
C:\WINNT\mm81.ocx Infected: Trojan-Downloader.Win32.VB.ov
C:\WINNT\whCC-GIANT.exe/WhAgent.exe Infected: not-a-virus:AdWare.WebHancer.351
C:\WINNT\whCC-GIANT.exe/whInstaller.exe Infected: not-a-virus:AdWare.WebHancer
C:\WINNT\whCC-GIANT.exe/WhSurvey.exe Infected: not-a-virus:AdWare.WebHancer
C:\WINNT\whCC-GIANT.exe/Webhdll.dll Infected: not-a-virus:AdWare.WebHancer
C:\WINNT\whCC-GIANT.exe/whiehlpr.dll Infected: not-a-virus:AdWare.WebHancer
C:\WINNT\whCC-GIANT.exe Infected: not-a-virus:AdWare.WebHancer
C:\WINNT\Profiles\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BA80000.VBN Infected: Backdoor.Win32.Rbot.gen
C:\WINNT\Profiles\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BA80001.VBN Infected: Backdoor.Win32.Rbot.gen
C:\WINNT\Profiles\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BA80002.VBN/clientax.dll Infected: not-a-virus:AdWare.180Solutions.k
C:\WINNT\Profiles\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BA80002.VBN Infected: not-a-virus:AdWare.180Solutions.k
C:\WINNT\Profiles\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08F00000.VBN/clientax.dll Infected: not-a-virus:AdWare.180Solutions.k
C:\WINNT\Profiles\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08F00000.VBN Infected: not-a-virus:AdWare.180Solutions.k
C:\WINNT\Profiles\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06240000.VBN Infected: Trojan-Downloader.Win32.Small.ach
C:\WINNT\ztkqln.exe Infected: not-a-virus:AdWare.BetterInternet.aa
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\WP6FGPY7\mm81[1].ocx Infected: Trojan-Downloader.Win32.VB.ov
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KDURG9MR\whCC-GIANT[1].exe/WhAgent.exe Infected: not-a-virus:AdWare.WebHancer.351
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KDURG9MR\whCC-GIANT[1].exe/whInstaller.exe Infected: not-a-virus:AdWare.WebHancer
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KDURG9MR\whCC-GIANT[1].exe/WhSurvey.exe Infected: not-a-virus:AdWare.WebHancer
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KDURG9MR\whCC-GIANT[1].exe/Webhdll.dll Infected: not-a-virus:AdWare.WebHancer
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KDURG9MR\whCC-GIANT[1].exe/whiehlpr.dll Infected: not-a-virus:AdWare.WebHancer
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\KDURG9MR\whCC-GIANT[1].exe Infected: not-a-virus:AdWare.WebHancer
C:\Program Files\Windows Media Player\wmplayer.exe Infected: Trojan-Downloader.Win32.Small.bem
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <lara@relaxed.at>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <tinklins@parod.com>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED/[From AcessAFuse <AcessAFuse@aol.com>][Date Mon, 3 Jun 2002 19:00:03 -0500]/UNNAMED/html/UNNAMED/[From mark10 <mark10@optonline.net>][Date Fri, 31 May 2002 11:32:34 -0500 (CDT)]/UNNAMED/html/UNNAMED/[ ... /[From Joyce Riley vonKleist & Dave vonKleist <gulfwar@bigfoot.com>][Date Fri, 25 Oct 2002 08:52:58 -070 ... /html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <lara@relaxed.at>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <tinklins@parod.com>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED/[From AcessAFuse <AcessAFuse@aol.com>][Date Mon, 3 Jun 2002 19:00:03 -0500]/UNNAMED/html/UNNAMED/[From mark10 <mark10@optonline.net>][Date Fri, 31 May 2002 11:32:34 -0500 (CDT)]/UNNAMED/html/UNNAMED/[ ... /[From Joyce Riley vonKleist & Dave vonKleist <gulfwar@bigfoot.com>][Date Fri, 25 Oct 2002 08:52:58 -0700]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <lara@relaxed.at>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <tinklins@parod.com>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED/[From AcessAFuse <AcessAFuse@aol.com>][Date Mon, 3 Jun 2002 19:00:03 -0500]/UNNAMED/html/UNNAMED/[From mark10 <mark10@optonline.net>][Date Fri, 31 May 2002 11:32:34 -0500 (CDT)]/UNNAMED/html/UNNAMED/[From mronufrak <mronufrak@att.net> ... /[From ciac <ciac@ciac.org>][Date Tue, 27 Aug 2002 00:05:50 -0400 ( ... /UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <lara@relaxed.at>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <tinklins@parod.com>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED/[From AcessAFuse <AcessAFuse@aol.com>][Date Mon, 3 Jun 2002 19:00:03 -0500]/UNNAMED/html/UNNAMED/[From mark10 <mark10@optonline.net>][Date Fri, 31 May 2002 11:32:34 -0500 (CDT)]/UNNAMED/html/UNNAMED/[From mronufrak <mronufrak@att.net> ... /[From ciac <ciac@ciac.org>][Date Tue, 27 Aug 2002 00:05:50 -0400 (EDT ... /html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <lara@relaxed.at>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <tinklins@parod.com>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED/[From AcessAFuse <AcessAFuse@aol.com>][Date Mon, 3 Jun 2002 19:00:03 -0500]/UNNAMED/html/UNNAMED/[From mark10 <mark10@optonline.net>][Date Fri, 31 May 2002 11:32:34 -0500 (CDT)]/UNNAMED/html/UNNAMED/[From mronufrak <mronufrak@att.net> ... /[From ciac <ciac@ciac.org>][Date Tue, 27 Aug 2002 00:05:50 -0400 (EDT)]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <lara@relaxed.at>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <tinklins@parod.com>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED/[From AcessAFuse <AcessAFuse@aol.com>][Date Mon, 3 Jun 2002 19:00:03 -0500]/UNNAMED/html/UNNAMED/[From mark10 <mark10@optonline.net>][Date Fri, 31 May 2002 11:32:34 -0500 (CDT)]/UNNAMED/html/UNNAMED/[From mronufrak <mronufrak@att.net>][Date Wed, 29 May 2002 17:41:43 -0500 (CDT)]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <lara@relaxed.at>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <tinklins@parod.com>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED/[From AcessAFuse <AcessAFuse@aol.com>][Date Mon, 3 Jun 2002 19:00:03 -0500]/UNNAMED/html/UNNAMED/[From mark10 <mark10@optonline.net>][Date Fri, 31 May 2002 11:32:34 -0500 (CDT)]/UNNAMED/html/UNNAMED/[From mronufrak <mronufrak@att.net>][Date Wed, 29 May 2002 17:41:43 -0500 (CDT)]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <lara@relaxed.at>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <tinklins@parod.com>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED/[From AcessAFuse <AcessAFuse@aol.com>][Date Mon, 3 Jun 2002 19:00:03 -0500]/UNNAMED/html/UNNAMED/[From mark10 <mark10@optonline.net>][Date Fri, 31 May 2002 11:32:34 -0500 (CDT)]/UNNAMED/html/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <lara@relaxed.at>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <tinklins@parod.com>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED/[From AcessAFuse <AcessAFuse@aol.com>][Date Mon, 3 Jun 2002 19:00:03 -0500]/UNNAMED/html/UNNAMED/[From mark10 <mark10@optonline.net>][Date Fri, 31 May 2002 11:32:34 -0500 (CDT)]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <lara@relaxed.at>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <tinklins@parod.com>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED/[From AcessAFuse <AcessAFuse@aol.com>][Date Mon, 3 Jun 2002 19:00:03 -0500]/UNNAMED/html/UNNAMED/[From mark10 <mark10@optonline.net>][Date Fri, 31 May 2002 11:32:34 -0500 (CDT)]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <lara@relaxed.at>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <tinklins@parod.com>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED/[From AcessAFuse <AcessAFuse@aol.com>][Date Mon, 3 Jun 2002 19:00:03 -0500]/UNNAMED/html/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <lara@relaxed.at>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <tinklins@parod.com>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED/[From AcessAFuse <AcessAFuse@aol.com>][Date Mon, 3 Jun 2002 19:00:03 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <lara@relaxed.at>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <tinklins@parod.com>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED/[From AcessAFuse <AcessAFuse@aol.com>][Date Mon, 3 Jun 2002 19:00:03 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <lara@relaxed.at>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <tinklins@parod.com>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <lara@relaxed.at>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <tinklins@parod.com>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <lara@relaxed.at>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text/[From tinklins <tinklins@parod.com>][Date Sat, 8 Jun 2002 08:50:59 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx/[From Lara <lara@relaxed.at>][Date Wed, 10 Jul 2002 14:11:20 -0500 (CDT)]/text Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\Question.mbx Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\JustforY.mbx/[From "eBay Secrets Exposed" <bargains@bargaintimes.com>][Date Tue, 11 Feb 2003 04:41:43 -0800]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\JustforY.mbx Suspicious: Exploit.HTML.Iframe.FileDownload
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\PalmOS.mbx/[From InSync Online <InSyncOnline.cz2j0m2.c@insync-palm.com>][Date Mon, 03 Jan 2000 14:30:48 PST]/html Suspicious: not-a-virus:PSWTool.HTML.Fraud.gen
C:\Program Files\Qualcomm\Eudora\DLines.fol\Personal.fol\PalmOS.mbx Suspicious: not-a-virus:PSWTool.HTML.Fraud.gen
C:\Program Files\Microsoft AntiSpyware\Quarantine\2E9F51D5-A9FA-49CD-85CA-F045E3\3E730D14-E734-423F-8F34-E17BEE Infected: not-a-virus:AdWare.CASClient.a
C:\Program Files\Microsoft AntiSpyware\Quarantine\18A8D8DB-E86A-45AB-BE75-7DB3AE\8055A5BB-9FE4-42F1-BFD1-60FD2B Infected: Trojan.Win32.Agent.db
C:\Program Files\Microsoft AntiSpyware\Quarantine\F25C8676-1ACE-477B-9D23-886071\E9C67196-D675-4E29-8A4D-63CDDF/WISE0001.BIN Infected: not-a-virus:AdWare.VirtualBouncer.n
C:\Program Files\Microsoft AntiSpyware\Quarantine\F25C8676-1ACE-477B-9D23-886071\E9C67196-D675-4E29-8A4D-63CDDF Infected: not-a-virus:AdWare.VirtualBouncer.n
C:\Program Files\Microsoft AntiSpyware\Quarantine\F25C8676-1ACE-477B-9D23-886071\8E3BC69B-1E6C-4B1A-9CA6-7A2DA1/vb2uninstaller4_19.EXE/WISE0001.BIN Infected: not-a-virus:AdWare.VirtualBouncer.n
C:\Program Files\Microsoft AntiSpyware\Quarantine\F25C8676-1ACE-477B-9D23-886071\8E3BC69B-1E6C-4B1A-9CA6-7A2DA1/vb2uninstaller4_19.EXE Infected: not-a-virus:AdWare.VirtualBouncer.n
C:\Program Files\Microsoft AntiSpyware\Quarantine\F25C8676-1ACE-477B-9D23-886071\8E3BC69B-1E6C-4B1A-9CA6-7A2DA1 Infected: not-a-virus:AdWare.VirtualBouncer.n
C:\Program Files\Microsoft AntiSpyware\Quarantine\188E8237-E554-4E80-B7FD-D3FB58\1D230F95-47B4-4BF3-861A-94F06B Infected: Trojan.Win32.Agent.db
C:\Program Files\Microsoft AntiSpyware\Quarantine\24FDB872-A67A-479A-9275-B3F184\BC0F366F-E891-4C57-B598-9088B9 Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\Program Files\Microsoft AntiSpyware\Quarantine\31A1C3D7-B336-4D1F-AF29-19F5E7\CAA46502-79B9-4B3E-AB4B-6D8620 Infected: not-a-virus:AdWare.180Solutions.l
C:\Program Files\Microsoft AntiSpyware\Quarantine\31A1C3D7-B336-4D1F-AF29-19F5E7\5258F14E-7388-46C0-AC36-D37700 Infected: not-a-virus:AdWare.180Solutions.k
C:\Program Files\ProSiteFinder\e9be3mbj.DLL Infected: not-a-virus:AdWare.ClearSearch.ah
C:\Program Files\ProSiteFinder\71fl2g0p.DLL Infected: not-a-virus:AdWare.ClearSearch.ah
C:\My Download Files\bittorrent-3.4.1.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Swizzor.k
C:\My Download Files\bittorrent-3.4.1.exe/stream Infected: Trojan-Downloader.Win32.Swizzor.k
C:\My Download Files\bittorrent-3.4.1.exe Infected: Trojan-Downloader.Win32.Swizzor.k
C:\!Submit\hinfeper.DLL Infected: not-a-virus:AdWare.ClearSearch.ae
C:\!Submit\4r3kreyh.DLL Infected: not-a-virus:AdWare.ClaerSearch.ab
C:\!Submit\mc-110-12-0000079.exe Infected: not-a-virus:AdWare.Maxifiles.f
C:\!Submit\services32.exe Infected: not-a-virus:AdWare.Maxifiles.h
C:\!Submit\system32.dll/gui.exe Infected: not-a-virus:AdWare.Maxifiles.a
C:\!Submit\system32.dll Infected: not-a-virus:AdWare.Maxifiles.a
C:\!Submit\DrPMon.dll Infected: Trojan.Win32.Agent.db
C:\!Submit\PreUninstall.exe Infected: not-a-virus:AdWare.Suggestor.f
C:\!Submit\lmf32v.dll Infected: not-a-virus:AdWare.Suggestor.f
C:\!Submit\hisistheurls.exe/archive comment Infected: Trojan.Win32.Favadd.f
C:\!Submit\hisistheurls.exe Infected: Trojan.Win32.Favadd.f
C:\!Submit\mm81.ocx Infected: Trojan-Downloader.Win32.VB.ov
C:\!Submit\ttext.dll Infected: not-a-virus:AdWare.ToolBar.ImiBar.g
C:\!Submit\whagent.exe Infected: not-a-virus:AdWare.WebHancer.351
C:\!Submit\babeb[1].exe Infected: Backdoor.Win32.SdBot.xm
C:\!Submit\stubinstaller6282[1].exe Infected: Trojan-Downloader.Win32.Small.asf
C:\!Submit\rraiyl.exe Infected: Backdoor.Win32.SdBot.xm
C:\!Submit\txxadbhp.dll Infected: Trojan-Downloader.Win32.Agent.lg
C:\!Submit\sav2.exe Infected: Trojan-Downloader.Win32.Apropo.aj
C:\!Submit\mapppc.exe Infected: Backdoor.Win32.SdBot.xm
C:\!Submit\Perflib_Perfdata_d44.dat Infected: Trojan.Win32.EliteBar.a
C:\!Submit\8r1474gn.ini Infected: not-a-virus:AdWare.Sahat.ao
C:\!Submit\1bechnkt.ini Infected: not-a-virus:AdWare.Sahat.ao
C:\!Submit\icont.exe Infected: not-a-virus:AdWare.AdURL.c
C:\!Submit\mmxxxxmas2.exe Infected: Trojan-Downloader.Win32.VB.jl
C:\backup.zip/AAVAPI32.DLL Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/aesnw.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/CEVFAT.DLL Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/daskcopy.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/demsrpcn.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/demsvinn.dLL Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/djodbc7.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/dnru0199e.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/dOtime.dll Infected: not-a-virus:AdWare.Look2Me.u
C:\backup.zip/dXdrm.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/dYdrm.dll Infected: not-a-virus:AdWare.Look2Me.u
C:\backup.zip/e6jmlg1116.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/en22l1fo1.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/enl0l13m1.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/enr8l19u1.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/fjsrch.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/fJxtiff.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/fp0o03d3e.dll Infected: not-a-virus:AdWare.Look2Me.u
C:\backup.zip/fp2403fqe.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/hncoin.dll Infected: not-a-virus:AdWare.Look2Me.u
C:\backup.zip/fplu0339e.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/idign32.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/gpnol3531.dll Infected: not-a-virus:AdWare.Look2Me.u
C:\backup.zip/h40q0ed5eh0.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/hr8805lue.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/hrn4055qe.dll Infected: not-a-virus:AdWare.Look2Me.u
C:\backup.zip/ihxrtmgr.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/ir64l5jq1.dll Infected: not-a-virus:AdWare.Look2Me.u
C:\backup.zip/its.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/ixxpromn.dll Infected: not-a-virus:AdWare.Look2Me.u
C:\backup.zip/iVspipe.dll Infected: not-a-virus:AdWare.Look2Me.u
C:\backup.zip/j4j6le1s1h.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/jibexec.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/jKvart.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/k4620ejoehoc0.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/k4jsle171h.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/KNRNEL32.DLL Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/kt0ql7d51.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/ktnul7591.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/l0j80a1ued.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/lort.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/lv2409fqe.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/lvpq0975e.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/m0lsla371d.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/m2820cloefqc0.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/m4640ejqehoe0.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/m6rmlg9116.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/mcr2cenu.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/mHlsla371d.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/MJRDO20.DLL Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/mlrmsg.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/mmhtmler.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/MODBG.DLL Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/mtimg32.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/mxls31.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/n2n60c5sef.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/nctid.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/NGTLOGON.DLL Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/nudsatq.dll Infected: not-a-virus:AdWare.Look2Me.u
C:\backup.zip/NWTAPI32.DLL Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/o0660ajsedo60.dll Infected: not-a-virus:AdWare.Look2Me.u
C:\backup.zip/phfmgr.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/pYutoenr.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/pzrfdisk.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/q4rq0e95eh.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/rqfsaps.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/seclient.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/snclient.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/tirmmgr.dll Infected: not-a-virus:AdWare.Look2Me.u
C:\backup.zip/u8ruli9918.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/wipdxm.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip/xSctsrv.dll Infected: not-a-virus:AdWare.Look2Me.ab
C:\backup.zip Infected: not-a-virus:AdWare.Look2Me.ab

Scan process completed.


and finally the latest HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:19:12 AM, on 9/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Novell\ZENworks\NALDESK.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.

#24
Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi dlines, my name is Trevuren and I am a colleague of Cretemonster. He must unavoidably be absent from the forum for an indefinite period of time so I will do my utmost to provide you with the same quality of service as that to which you have become accustomed.

Inasmuch as your last post only included a partial HJT log, would you please post a complete one for review. :tazz:

Thanks,

Trevuren


#25
dlines

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Sorry, I thought I had posted the whole thing. Maybe the message was too long? Anyway, here is the whole thing (I think).

Logfile of HijackThis v1.99.1
Scan saved at 8:19:12 AM, on 9/12/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Novell\ZENworks\NALDESK.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Common Files\AOL\1126039706\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1126039706\ee\AOLServiceHost.exe
c:\program files\novell\nwquota\nwquota.exe
C:\Program Files\Common Files\AOL\1126039706\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft AntiSpyware\GIANTAntiSpywareMain.exe
C:\My Download Files\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://prinweb
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://prinweb.prin.edu/pxycfg.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 155.106.100.248:8080
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [PCDRealtime] C:\WINNT\realtime.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINNT\System32\zentray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1126039706\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O4 - Global Startup: Sync Director.lnk = C:\Program Files\Motorola\PC Partner\SyncDirector.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O14 - IERESET.INF: START_PAGE_URL=http://prinweb
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwia.ops.pl...quicksilver.cab
O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} - http://sctcc.prin.ed...iator/jinit.exe
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9BA46C28-F596-486B-A47A-E533EFA46276} (MAPS configuration client launch from the web) - http://155.106.115.1.../mapsconfig.cab
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} (JInitiator 1.3.1.13) - http://sctss.prin.ed...iator/jinit.exe
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://sctss.prin.ed...iator/jinit.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Canon NetSpot Suite Service - CANON INC. - C:\Program Files\Canon\VDC\AuVdc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\winnt\SvcProc.exe (file missing)
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe


I hope that looks better.

Thanks for the help.
  • 0



#26
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
We want to stop, disable and delete an added service (023)

A. To stop a service and set to 'disabled'
  • Go to Start > Run and type in Services.msc then click OK
  • Click the Extended tab.
  • Scroll down until you find the service.
    ===>System Startup Service
  • Click once on the service to highlight it.
  • Click Stop
  • Right-Click on the service.
  • Click on 'Properties'
  • Select the 'General' tab
  • Click the Arrow-down tab on the right-hand side on the 'Start-up Type' box
  • From the drop-down menu, click on 'Disabled'
  • Click the 'Apply' tab, then click 'OK'
The service is now stopped and disabled.


B. We will now delete the service:

1. Open HJT

2. Click on Config>>Misc Tools>>Delete an NT Service

3. Copy/Paste SvcProc in the space provided and click OK

4. The program will ask you to REBOOT --- Accept

5. REBOOT into SAFE MODE

6. Using Windows Explorer, locate and DELETE the following file (if it still is present):

C:\WINNT\svcproc.exe

7. REBOOT back into Normal Mode

8. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren

  • 0

#27
dlines

dlines

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
Trevuren,

I did the things you said and had a few issues.
Step A2 - there is no Extended tab on my screen.
Step A4 - I did a right click and the service was already stopped. The only option was to Start.

Step B3 - it said that the file was missing
Step B4 - It didn't do a full restart, I had to help it along
Step B6 - the file did not exist
Step B8 - here is the HJT log file. I hope we are getting somewhere.

Logfile of HijackThis v1.99.1
Scan saved at 4:16:40 PM, on 9/16/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Novell\ZENworks\nalntsrv.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Novell\ZENworks\wm.exe
C:\Program Files\Canon\VDC\AuVdc.exe
C:\Program Files\Novell\ZENworks\WMRUNDLL.EXE
C:\WINNT\Explorer.EXE
C:\Program Files\Novell\ZENworks\NALDESK.EXE
C:\WINNT\system32\NWTRAY.EXE
C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\AIM\aim.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Common Files\AOL\1126039706\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1126039706\ee\AOLServiceHost.exe
C:\Program Files\Handspring\HOTSYNC.EXE
C:\Program Files\Common Files\AOL\1126039706\ee\AOLServiceHost.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\novell\nwquota\nwquota.exe
C:\Program Files\Qualcomm\Eudora\Eudora.exe
C:\WINNT\system32\cmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\My Download Files\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://prinweb
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://prinweb.prin.edu/pxycfg.pac
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 155.106.100.248:8080
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NWTRAY] NWTRAY.EXE
O4 - HKLM\..\Run: [CreateCD50] "C:\Program Files\Common Files\Adaptec Shared\CreateCD\CreateCD50.exe" -r
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [PCDRealtime] C:\WINNT\realtime.exe
O4 - HKLM\..\Run: [ZENRC Tray Icon] C:\WINNT\System32\zentray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1126039706\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Handspring\HOTSYNC.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Application Explorer.lnk = C:\Program Files\Novell\ZENworks\NALDESK.EXE
O4 - Global Startup: Sync Director.lnk = C:\Program Files\Motorola\PC Partner\SyncDirector.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Novell delivered applications - {C1994287-422F-47aa-8E5E-6323E210A125} - C:\Program Files\Novell\ZENworks\AxNalServer.dll
O14 - IERESET.INF: START_PAGE_URL=http://prinweb
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {3299935F-2C5A-499A-9908-95CFFF6EF8C1} (Quicksilver Class) - http://scpwia.ops.pl...quicksilver.cab
O16 - DPF: {5e2a3510-4371-11d6-b64c-00c04faedb18} - http://sctcc.prin.ed...iator/jinit.exe
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {9BA46C28-F596-486B-A47A-E533EFA46276} (MAPS configuration client launch from the web) - http://155.106.115.1.../mapsconfig.cab
O16 - DPF: {CAFECAFE-0013-0001-0013-ABCDEFABCDEF} - http://sctss.prin.ed...iator/jinit.exe
O16 - DPF: {CAFECAFE-0013-0001-0018-ABCDEFABCDEF} (JInitiator 1.3.1.18) - http://sctss.prin.ed...iator/jinit.exe
O20 - Winlogon Notify: NavLogon - C:\WINNT\system32\NavLogon.dll
O23 - Service: Canon NetSpot Suite Service - CANON INC. - C:\Program Files\Canon\VDC\AuVdc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Novell Application Launcher (NALNTSERVICE) - Novell, Inc. - C:\Program Files\Novell\ZENworks\nalntsrv.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Novell ZfD Wake on LAN Status Agent (Prometheus Wake-On-LAN Status Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\WolSerNT.exe
O23 - Service: Novell ZfD Remote Management (Remote Management Agent) - Novell Inc. - C:\Program Files\Novell\ZENworks\RemoteManagement\RMAgent\ZenRem32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe
  • 0

#28
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
1. Your log looks good. If you have no more malware-related problems that you are aware of, just give me the OK and we can start the final but essential cleanup procedures.

2. Are the restrictions imposed on access to your control panel your decision? If not, would you like them removed?


Trevuren
  • 0

#29
dlines

dlines

    Member

  • Topic Starter
  • Member
  • PipPip
  • 27 posts
1. I don't know of any malware-related problems, but I wasn't aware of them before and got myself in a real mess.

2. I did not know I had restrictions on access to my control panel. I have been using the control panel and everything I have tried works fine. There are times that I can't get to the Administrative Tools (and now that I try that, I can't get to them now). I recently thought that was part of the malware problem. Let me know what I have to do to remove restrictions that you see.

Thanks,
dlines
  • 0

#30
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
  • Please RUN HijackThis.
    • Click the SCAN button to produce a log.

  • Place a check mark beside the following item:

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

  • Now with the item selected, and all windows closed except for HJT, delete it by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System


  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now. In addition, please tell me if there are any more malware problems that you are aware of.
Regards,

Trevuren

  • 0
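The two items Trevuren singles out above, the O23 service whose binary is "(file missing)" (post #26) and the O6 Control Panel policy entry (post #30), are the kind of thing a helper would pull out of an HJT log before reading the rest. The following is an added example, not code from this thread or from HijackThis; it parses the O23/O6 line layout shown in the logs above, using a constructed sample made of lines copied from them, and reports what should be stopped, disabled and deleted.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: lines copied from the HijackThis logs posted in this
# thread, including the orphaned SvcProc service and the O6 policy entry.
SAMPLE_LOG = r"""
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\winnt\SvcProc.exe (file missing)
O23 - Service: Workstation Manager (ZFDWM) - Novell, INC. - C:\Program Files\Novell\ZENworks\wm.exe
"""

# HJT O23 layout: "O23 - Service: <display name> (<service name>) - <owner> - <binary path>"
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
SHORT_NAME_RE = re.compile(r"\(([^()]+)\)\s*$")
MISSING = "(file missing)"


@dataclass
class Finding:
    line_no: int
    kind: str                # "O23" or "O6"
    severity: str            # "high", "medium" or "low"
    service: Optional[str]   # name to use in Services.msc or HJT "Delete an NT Service"
    binary: Optional[str]    # binary path the service entry points at
    note: str


def service_name(display: str) -> str:
    """Return the short service name HJT shows in parentheses, or the display name if absent."""
    m = SHORT_NAME_RE.search(display)
    return m.group(1) if m else display


def triage(log_text: str) -> List[Finding]:
    """Flag O23 services with a missing binary or no vendor string, and O6 IE policy restrictions."""
    findings: List[Finding] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        line = line.strip()
        if line.startswith("O6 - "):
            findings.append(Finding(line_no, "O6", "medium", None, None,
                                    "IE policy restriction present: " + line[len("O6 - "):]))
            continue
        m = O23_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        missing = path.endswith(MISSING)
        binary = path[:-len(MISSING)].strip() if missing else path
        name = service_name(m.group("name"))
        if missing:
            findings.append(Finding(line_no, "O23", "high", name, binary,
                                    "service points at a binary that no longer exists; "
                                    "stop, disable, then delete the entry"))
        elif m.group("owner") == "Unknown owner":
            findings.append(Finding(line_no, "O23", "low", name, binary,
                                    "no vendor string; verify the binary before trusting it"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no} [{f.severity}] {f.kind}: {f.service or '-'} {f.binary or ''} -> {f.note}")
```

Run against the full log from post #27, the only high-severity hit is the SvcProc entry, which is exactly the service the steps in post #26 remove.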