Winfixer/Winantispyware problem



#1
danwer930
New Member, 9 posts

Hi geeks,

Like apparently several others on this forum, I have recently acquired the Winfixer/Winantispyware popup problem. I have downloaded VundoFix and attempted to run it in Safe Mode, looking for mlljh.dll and hjllm.*, but VundoFix said the files didn't exist. Having said that, here is my HijackThis log- please help:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\svhost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\NDP1.0sp3-KB867461-X86-Enu.exe
C:\DOCUME~1\DANIEL~1\LOCALS~1\Temp\SL3C.tmp
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\MsiExec.exe
C:\WINDOWS\System32\MsiExec.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\msdtc.exe
C:\Program Files\HijackThis.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\gacutil.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://email.usc.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {4FFD6C2B-B01C-5CCE-8654-645508D47D41} - C:\WINDOWS\System32\gpy.dll (file missing)
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\jkhge.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [syvlay] C:\WINDOWS\System32\syvlay.exe
O4 - HKLM\..\RunOnce: [NetFxUpdate_v1.0.3705] "C:\WINDOWS\Microsoft.NET\Framework\v1.0.3705\netfxupdate.exe" 0 v1.0.3705 GAC + NI NID
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Szpl] C:\WINDOWS\System32\iha.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MTV Networks Video Optimizer.lnk = C:\Program Files\MTV Networks\VOpt\MTVOptTray.exe
O4 - Global Startup: VPN Dialer (OnStartup).lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .edf: C:\Program Files\Internet Explorer\PLUGINS\NPInfotl.dll
O15 - Trusted Zone: http://www.neededware.com
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1BAD0830-AC09-44FA-8A44-5365AEB45D11} (CQueueServer Object) - http://www.mtv.com/o...e/bin/setup.exe
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124248151241
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab33902.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60...geWell-ipix.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - http://activex.micro...b5/comdlg32.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll

Your help is greatly appreciated-

thanks in advance,

Daniel

#2
Wizard
Retired Staff, 5,661 posts

Hi danwer930 and Welcome to GeekstoGo!

Your HijackThis log is incomplete; when you post back, please be sure to Copy & Paste the entire log into the next reply!


For now, Reboot into SAFE MODE (Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

After restarting in Safe Mode, configure Windows to Show All Hidden Files and Folders. Here is a link to help with that:
http://www.bleepingc...torial=62#winxp


Locate and Delete

C:\WINDOWS\System32\syvlay.exe <- File

C:\WINDOWS\System32\iha.exe <- File

Delete files/folder from the following directories (But not the directory itself, for example delete all files/folder IN temp; but not temp itself!)

C:\Windows\Temp

C:\Windows\System32\Temp

C:\Documents and Settings\Owner\Local Settings\Temp

C:\Documents and Settings\DANIEL~1\Local Settings\Temp

C:\Documents and Settings\<All other users Profile>\Local Settings\Temp

Empty your "Recycle Bin"

Open Internet Explorer,

Select Tools,
Select Internet Options
Select Delete Cookies and Delete Files (Check the box for Delete all offline content)

Go to Start,
Select All Programs
Select Accessories
Select System Tools
Select and Run Disk Cleanup (Make sure that all boxes are checked for cleaning!!)


Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=

O2 - BHO: (no name) - {4FFD6C2B-B01C-5CCE-8654-645508D47D41} - C:\WINDOWS\System32\gpy.dll (file missing)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - HKLM\..\Run: [syvlay] C:\WINDOWS\System32\syvlay.exe

O4 - HKCU\..\Run: [Szpl] C:\WINDOWS\System32\iha.exe

O15 - Trusted Zone: http://www.neededware.com

O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab

O16 - DPF: {1BAD0830-AC09-44FA-8A44-5365AEB45D11} (CQueueServer Object) - http://www.mtv.com/o...e/bin/setup.exe

O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab

O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe

O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60...geWell-ipix.cab

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!


Restart Normal and Download the Hoster from here:
http://www.funkytoad...load/hoster.zip

Press "Restore Original Hosts" and press "OK"!

Exit Program!


Right-Click Here and Click "Save As" to download DelDomains.inf to your desktop.

Right Click DelDomains.inf on your desktop and select "Install"

It will perform a silent process -> Give it a minute to run!


Once completed, post back with a fresh HijackThis log!
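The "Restore Original Hosts" step above exists because browser hijackers commonly rewrite the hosts file to block or redirect security-vendor and update sites. The following is an added example (not the forum's, Hoster's or HijackThis' own code) that parses hosts-file text and reports every mapping a clean Windows XP hosts file would not contain; the sample file, the `.example` hostnames and the TEST-NET address in it are constructed for the demonstration.

```python
import ipaddress

# What a clean Windows XP hosts file contains once "Restore Original Hosts"
# has rewritten it: only the loopback entry.
DEFAULT_HOSTS = "127.0.0.1       localhost\n"

# Constructed sample of a tampered hosts file (not taken from the thread's machine).
SAMPLE_HOSTS = """\
# constructed sample, not a real infected hosts file
127.0.0.1       localhost
127.0.0.1       www.av-vendor.example          # vendor site blackholed
192.0.2.10      update.example  download.example  # two names redirected (TEST-NET address)
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text; comments and blank lines are ignored."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # an address with no hostname maps nothing; skip it
        ip, *names = fields
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # not an address at all; skip rather than guess
        pairs.extend((str(addr), name.lower()) for name in names)
    return pairs


def audit_hosts(text):
    """List every mapping a clean XP hosts file would not have.

    A loopback mapping for anything but localhost silently blocks that site
    (the usual way to stop security vendors' pages from loading); any other
    address silently redirects it. Both are reported with the reason.
    """
    findings = []
    for ip, name in parse_hosts(text):
        loopback = ipaddress.ip_address(ip).is_loopback
        if name == "localhost" and loopback:
            continue  # the one entry that belongs there
        reason = "blocked (mapped to loopback)" if loopback else f"redirected to {ip}"
        findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for name, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"{name}: {reason}")
    print("clean default file audits as:", audit_hosts(DEFAULT_HOSTS))
```

Run it against the text of `C:\WINDOWS\system32\drivers\etc\hosts` before restoring: an empty result means the step is unnecessary, and a non-empty one shows exactly which sites were being blocked or redirected.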

#3
danwer930 (Topic Starter)
New Member, 9 posts

Hi,

Thanks for responding. I followed your instructions carefully, but I hit a few snags:

1. When I browsed through the System32 folder, and when I used the Windows Search Buddy, I was not able to find either "syvlay.exe" or "iha.exe". However I did find the file syvlayaeg05.dll in the same location. I did not delete it because I was not sure whether I should or not. However, when I later did my HijackThis scan, I DID see both of those files you told me to delete, and I deleted them according to your instructions.

2. I did not find the following folders in my system:

C:\WINDOWS\System32\Temp
C:\Documents and Settings\Owner\Local Settings\Temp


3. When I attempted to do a disk cleanup, I was unsuccessful. When I opened the Disk Cleanup feature, a progress window opened up saying something like "Disk Cleanup is figuring out how much of your disk can be cleaned up. This may take a few minutes." From the time I opened up, there were three blue bars filled in in the progress bar. I left this window open for 20 minutes, and there was never any additional progress made- it just sat there on the first step- so eventually I cancelled the cleanup. Any suggestions as to how to fix this?

I followed almost all of your other instructions. I chose not to delete the following entries on HijackThis, because I know what they are and I want to keep them:

ipixx.cab
ccpm_0237.cab
iPIX-Imagewell-ipix.cab

and here is my fresh HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:58:46 PM, on 10/1/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\svhost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://email.usc.edu/
F3 - REG:win.ini: run=C:\WINDOWS\System32\svhost.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\jkhge.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MTV Networks Video Optimizer.lnk = C:\Program Files\MTV Networks\VOpt\MTVOptTray.exe
O4 - Global Startup: VPN Dialer (OnStartup).lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .edf: C:\Program Files\Internet Explorer\PLUGINS\NPInfotl.dll
O15 - Trusted IP range: 64.127.104.144
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124248151241
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab33902.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60...geWell-ipix.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - http://activex.micro...b5/comdlg32.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O20 - Winlogon Notify: jkhge - C:\WINDOWS\System32\jkhge.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I promise that this is the ENTIRE log that was generated. If it still appears to be "incomplete", please let me know what I can do to generate a better log. Last time I used HijackThis v1.98.0, but I have since upgraded to V1.99.1.

I am continuing to get popups from Winfixer, as well as Super Slots Casino and Matchservice.com, both of which I understand to be affiliated with this Winfixer problem. What's the next step?

Thank you again for your help!

Daniel

Edited by danwer930, 02 October 2005 - 01:09 AM.


#4
Wizard
Retired Staff, 5,661 posts

No Problems danwer, I missed a bunch of things too!

You have the latest Vundo infection along with another I haven't run across yet!

If you will, go to the site below and follow the instructions to create a post and upload a file!
http://www.thespykiller.co.uk/forum/

Upload this file-> C:\WINDOWS\System32\svhost.exe

Careful now, don't upload svchost.exe as it's a legit system file!


Once you have that uploaded follow the Instructions to remove the Vundo Infection!

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and double-click on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this:

    VundoFix V2.13 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\jkhge.dll
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\eghkj.*
    This will be the Vundo filename spelt backwards. For example, if the Vundo dll was vundo.dll you would have the user enter odnuv.*
  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:

    O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\jkhge.dll

    O20 - Winlogon Notify: jkhge - C:\WINDOWS\System32\jkhge.dll

  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Now, open HijackThis again and Click on the "Open Misc Tools Section" tab!

Click on "Delete a file on Reboot"

When the small explorer window opens up navigate to this file

C:\WINDOWS\System32\svhost.exe

Remember-> svhost.exe...Not svchost.exe!

Once you double click svhost.exe-> Click Yes to the prompts that follow and allow HijackThis to reboot the PC!

Go into Safe Mode again and fix this entry with HijackThis

F3 - REG:win.ini: run=C:\WINDOWS\System32\svhost.exe

Restart Normal and run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.
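The two posts from Wizard above pick the malicious entries out of the logs by hand: the `svhost.exe` process that imitates the legitimate `svchost.exe`, the `win.ini run=` autostart, the BHO whose file is missing, the Trusted Zone addition, and the Vundo pattern of one DLL registered both as an O2 BHO and as an O20 Winlogon Notify handler, whose companion file is the DLL name spelled backwards. The following is an added example (not HijackThis', VundoFix's or the forum's own code) that parses HijackThis-style lines and applies those same checks as a defender's triage pass; the sample lines are constructed from entries quoted in this thread, and the system-binary list, the Winlogon Notify allowlist and the severity labels are assumptions made for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a few HijackThis v1.99-style lines modelled on entries
# quoted in this thread (not a real, complete log).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svhost.exe
C:\Program Files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
F3 - REG:win.ini: run=C:\WINDOWS\System32\svhost.exe
O2 - BHO: (no name) - {4FFD6C2B-B01C-5CCE-8654-645508D47D41} - C:\WINDOWS\System32\gpy.dll (file missing)
O2 - BHO: MSEvents Object - {6DD0BC06-4719-4BA3-BEBC-FBAE6A448152} - C:\WINDOWS\System32\jkhge.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O15 - Trusted Zone: http://www.neededware.com
O20 - Winlogon Notify: jkhge - C:\WINDOWS\System32\jkhge.dll
O20 - Winlogon Notify: crypt32chain - crypt32.dll
"""

# Core Windows binaries that malware imitates by dropping or adding a letter (assumed list).
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"}

# Winlogon Notify DLLs Windows XP registers itself (assumed allowlist for the example).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
                     "wlnotify.dll", "wzcdlg.dll"}

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")
STATUS_RE = re.compile(r"\s*\((file missing|no file)\)$")


def edit_distance(a, b):
    """Levenshtein distance; inputs are short filenames, so the full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename):
    """Return the system binary this name imitates (one edit away), or None if it is exact or unrelated."""
    name = filename.lower()
    if name in SYSTEM_BINARIES:
        return None
    for legit in sorted(SYSTEM_BINARIES):
        if edit_distance(name, legit) == 1:
            return legit
    return None


def last_path(body):
    """Path field of an O2/O20 entry: the text after the final ' - ', minus HijackThis' status suffix."""
    return STATUS_RE.sub("", body.rsplit(" - ", 1)[-1])


def vundo_companion_pattern(dll_path):
    """The VundoFix second file path: the DLL name reversed, e.g. jkhge.dll -> eghkj.*"""
    return PureWindowsPath(dll_path).stem[::-1] + ".*"


def triage(log_text):
    """Return (severity, rule, line) findings for the checks described in the thread."""
    findings, entries = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        if DRIVE_RE.match(line):  # a line from the "Running processes" section
            legit = lookalike_of(PureWindowsPath(line).name)
            if legit:
                findings.append(("high", f"process name imitates {legit}", line))
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["kind"], m["body"], line))

    # DLLs loaded as BHOs, used to spot the same DLL hooked into Winlogon as well.
    bho_dlls = {PureWindowsPath(last_path(b)).name.lower() for k, b, _ in entries if k == "O2"}

    for kind, body, line in entries:
        if kind == "F3" and "win.ini" in body and "run=" in body:
            target = body.split("run=", 1)[1]
            legit = lookalike_of(PureWindowsPath(target).name)
            findings.append(("high" if legit else "medium", "win.ini run= autostart", line))
        elif kind == "O2" and STATUS_RE.search(body):
            findings.append(("low", "orphaned BHO entry", line))
        elif kind == "O15":
            findings.append(("medium", "Trusted Zone/IP range addition", line))
        elif kind == "O20":
            dll = PureWindowsPath(last_path(body)).name.lower()
            if dll in KNOWN_NOTIFY_DLLS:
                continue
            if dll in bho_dlls:
                findings.append(("high", "Winlogon Notify DLL also loaded as BHO (Vundo pattern)", line))
            else:
                findings.append(("medium", "unrecognised Winlogon Notify DLL", line))
    return findings


if __name__ == "__main__":
    for severity, rule, line in triage(SAMPLE_LOG):
        print(f"[{severity}] {rule}: {line}")
    print("VundoFix second path for jkhge.dll:", vundo_companion_pattern(r"C:\WINDOWS\System32\jkhge.dll"))
```

The lookalike check is the automated form of the "svhost.exe, not svchost.exe" reminder: an exact match against the core-binary list is left alone, a name one edit away from one is flagged. The O20 rule only escalates to high when the same DLL is also an O2 BHO, which is the pairing Wizard fixes with the two HijackThis lines in the VundoFix steps.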

#5
danwer930 (Topic Starter)
New Member, 9 posts

OK, I followed your instructions very carefully, and this time things went pretty smoothly! I uploaded the file svhost.exe to thespykiller uploads forum. I downloaded and ran CleanUp! Here is the information you requested:

ActiveScan:


Incident Status Location

Adware:adware/elitebar No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\v2.dll
Adware:adware/maxifiles No disinfected C:\PROGRAM FILES\COMMON FILES\FreeProd1
Adware:adware/neededware No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\Daniel Werner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Gummy.class-32cde947-7b386e2c.class
Possible Virus. No disinfected C:\Program Files\2Wire\Gateway\sy_apps\dllupdate.exe
Adware:Adware/IST.ISTBar No disinfected C:\Program Files\backups\backup-20040716-182302-847.inf
Virus:Trj/Downloader.CZM Disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\D748F93F-8A27-4694-AC76-78FB83\E510A987-6AD2-42D6-9D9E-5A29B6
Spyware:Spyware/BargainBuddy No disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\EC86A00F-82E4-4274-A960-26ECC6\BB6BC34B-C79E-4BA3-B59A-2EE01E
Adware:Adware/PortalScan No disinfected C:\temporary\aun_0001.exe
Virus:W32/Admincash.B Disinfected C:\WINDOWS\$NtUninstallKB896428$\telnet.exe
Virus:Trj/Harnig.M Disinfected C:\WINDOWS\abc.html
Possible Virus. No disinfected C:\WINDOWS\Downloaded Program Files\v2.dll
Adware:Adware/EliteBar No disinfected C:\WINDOWS\gx9fzj83m9.exe
Virus:W32/Sasser.ftp Disinfected C:\WINDOWS\system32\cmd.ftp
Spyware:Spyware/ClearSearch No disinfected C:\WINDOWS\system32\O.BAT
Adware:Adware/Startpage.CBL No disinfected C:\WINDOWS\system32\secure33.txt
Adware:Adware/StartPage.AIW No disinfected C:\WINDOWS\system32\tuvus.dll
Virus:W32/Admincash.B Disinfected C:\WINDOWS\telnet.exe
Vundofix.txt:


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Suspending PID 160 'smss.exe'
Threads [164][168][172]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 952 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 236 'winlogon.exe'
File Deleted sucessfully.
Files Deleted sucessfully.

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:40:37 PM, on 10/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Winamp3\winampa.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://email.usc.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MTV Networks Video Optimizer.lnk = C:\Program Files\MTV Networks\VOpt\MTVOptTray.exe
O4 - Global Startup: VPN Dialer (OnStartup).lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .edf: C:\Program Files\Internet Explorer\PLUGINS\NPInfotl.dll
O15 - Trusted IP range: 64.127.104.144
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124248151241
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab33902.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60...geWell-ipix.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - http://activex.micro...b5/comdlg32.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

I should probably mention that right as my computer was about to reboot after the Vundofix, a message flashed in the Vundofix box that said "there is something missing from Vundofix which is critical to its operation. Please install". Perhaps this is reflected in my vundofix.txt, which does not mention that Vundofix did in fact (I think) delete the file you told me to delete!

Also, as an added bonus, for the first time in months, my computer starts up normally, without me having to manually launch explorer.exe! I'm very happy about that.

What are the next steps?

Thanks again for your help,

Daniel

#6 Wizard (Retired Staff, 5,661 posts)
Looks like Vundo is history, let's see if we can clean up the rest!


Download WinPFind:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!


Download Pocket KillBox from here:
http://www.atribune....ads/KillBox.exe

Highlight the list below and press Ctrl+C to Copy!

C:\temporary\aun_0001.exe
C:\WINDOWS\abc.html
C:\WINDOWS\Downloaded Program Files\v2.dll
C:\WINDOWS\gx9fzj83m9.exe
C:\WINDOWS\system32\O.BAT
C:\WINDOWS\system32\secure33.txt
C:\WINDOWS\system32\tuvus.dll
C:\PROGRAM FILES\COMMON FILES\FreeProd1


Open Pocket Killbox-> Click File-> Click Paste from Clipboard!

Place a tick by Delete on Reboot-> Click the Red Circle to Delete!

Click Yes to the Prompts that follow and let Killbox Reboot the PC!


Reboot into SAFE MODE (Tap F8 when restarting)


Open up Killbox and run each entry through again, this time just select "Standard File Kill"

This way we can be sure all the files are gone!


From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder!


Restart Normal and do one more Online Scan please!

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Now Run DelDomains again to be sure it takes!


Post back with a fresh HijackThis log and the reports from WinPFind and Kaspersky!
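The check behind "post back with a fresh HijackThis log" can be scripted. The Python below is an added example for this thread, not code from HijackThis, Killbox or the forum: it parses two HijackThis v1.99.1 logs in the format posted above, reports which processes and entries disappeared or appeared between scans, and confirms that nothing on the Killbox list is still referenced. The two sample logs inside it are constructed (the O2 entry with the all-zero CLSID is made up to model a leftover); the Killbox list is the one from the post.

```python
"""Parse HijackThis v1.99.1 logs, diff two scans and check a Killbox delete list.
Added example for this thread, not HijackThis/Killbox code; sample logs are constructed."""
import re
from typing import Dict, List, Tuple

# Entry lines look like "R0 - ...", "O4 - ...", "O23 - ..."; the prefix is the HJT section.
ENTRY_RE = re.compile(r"^((?:R|F|O)\d+) - (.*)$")


def parse_hjt(text: str) -> Tuple[List[str], List[str]]:
    """Return (running_processes, entry_lines) from a HijackThis log."""
    procs, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True  # the process list follows, terminated by a blank line
            continue
        if not line:
            in_procs = False
            continue
        if ENTRY_RE.match(line):
            in_procs = False
            entries.append(line)
        elif in_procs:
            procs.append(line)
    return procs, entries


def diff_logs(old: str, new: str) -> Dict[str, List[str]]:
    """What disappeared and what appeared between two scans (case-insensitive)."""
    old_p, old_e = parse_hjt(old)
    new_p, new_e = parse_hjt(new)

    def delta(a: List[str], b: List[str]) -> List[str]:
        seen = {x.lower() for x in b}
        return sorted(x for x in a if x.lower() not in seen)

    return {
        "removed_procs": delta(old_p, new_p),
        "added_procs": delta(new_p, old_p),
        "removed_entries": delta(old_e, new_e),
        "added_entries": delta(new_e, old_e),
    }


def leftover_paths(log: str, delete_list: List[str]) -> List[str]:
    """Paths from the Killbox list that are still referenced anywhere in the log."""
    haystack = log.lower()
    return [p for p in delete_list if p.lower() in haystack]


# The Killbox list from the thread, in the order it was given.
KILLBOX_LIST = [
    r"C:\temporary\aun_0001.exe",
    r"C:\WINDOWS\abc.html",
    r"C:\WINDOWS\Downloaded Program Files\v2.dll",
    r"C:\WINDOWS\gx9fzj83m9.exe",
    r"C:\WINDOWS\system32\O.BAT",
    r"C:\WINDOWS\system32\secure33.txt",
    r"C:\WINDOWS\system32\tuvus.dll",
    r"C:\PROGRAM FILES\COMMON FILES\FreeProd1",
]

# Constructed "before" log: real-looking lines plus a made-up O2 entry (placeholder
# CLSID) loading tuvus.dll, to model a Vundo leftover. Not the thread's actual log.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\gx9fzj83m9.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://email.usc.edu/
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\tuvus.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# Constructed "after" log: the leftovers are gone and the Kaspersky scanner control appeared.
AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://email.usc.edu/
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

if __name__ == "__main__":
    for key, lines in diff_logs(BEFORE_LOG, AFTER_LOG).items():
        print(key, lines)
    print("still referenced:", leftover_paths(AFTER_LOG, KILLBOX_LIST))
```

Because the last Killbox entry is a directory, the substring check also catches anything still loading from underneath it.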

#7 danwer930 (Topic Starter, New Member, 9 posts)
Hi,

Sorry, but what is DelDomains again? Is that the Hoster program from before?

Daniel

#8 Wizard (Retired Staff, 5,661 posts)
No problems, here ya go!

Right-Click Here and Click "Save As" to download DelDomains.inf to your desktop.

Right Click DelDomains.inf on your desktop and select "Install"

It will perform a silent process-> Give it a minute to run!

#9 danwer930 (Topic Starter, New Member, 9 posts)
Hi,

OK, I have followed your instructions. Again, things went pretty smoothly, with one exception. When I was running Killbox in Safe Mode, and trying to do standard file kills on the files you mentioned, Killbox said the first six files could not be found, and it said that it "could not delete" the last, seventh file, C:\PROGRAM FILES\COMMON FILES\FreeProd1.

With that said, here are the logs you requested.

HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:43:54 AM, on 10/4/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://email.usc.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MTV Networks Video Optimizer.lnk = C:\Program Files\MTV Networks\VOpt\MTVOptTray.exe
O4 - Global Startup: VPN Dialer (OnStartup).lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .edf: C:\Program Files\Internet Explorer\PLUGINS\NPInfotl.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124248151241
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab33902.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60...geWell-ipix.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - http://activex.micro...b5/comdlg32.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

WinPFind Log:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...
UPX! 6/28/2004 3:02:58 PM 149504 C:\Program Files\CWShredder.exe
UPX! 2/16/2005 11:06:16 AM 218112 C:\Program Files\HijackThis.exe
UPX! 10/4/2005 1:27:30 AM 50176 C:\Program Files\KillBox.exe
UPX! 7/17/2004 2:22:14 AM 26953157 C:\Program Files\NAV10ESD.exe
UPX! 9/7/2003 11:07:50 PM 702471 C:\Program Files\stinger.exe
qoologic 10/4/2005 1:26:08 AM 202953 C:\Program Files\WinPFind.zip

Checking %WinDir% folder...

Checking %System% folder...
FSG! 6/12/2005 8:55:50 PM 1881 C:\WINDOWS\SYSTEM32\c4t.exe
PEC2 8/28/2002 7:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
FSG! 6/12/2005 8:55:34 PM 25329 C:\WINDOWS\SYSTEM32\dgdgd.exe
PEC2 10/26/2004 3:38:24 PM 716800 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 10/26/2004 3:38:24 PM 716800 C:\WINDOWS\SYSTEM32\DivX.dll
PTech 8/29/2005 1:27:12 PM 520968 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
UPX! 6/12/2005 8:55:38 PM 119405 C:\WINDOWS\SYSTEM32\mc-58-12-0000093.exe
PECompact2 9/8/2005 9:36:32 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 9/8/2005 9:36:32 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 8/28/2002 7:00:00 PM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/28/2002 7:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/4/2005 1:38:38 AM S 2048 C:\WINDOWS\bootstat.dat
9/29/2005 1:08:52 AM H 54156 C:\WINDOWS\QTFont.qfn
8/16/2005 8:10:02 PM H 0 C:\WINDOWS\inf\oem24.inf
10/2/2005 1:24:38 PM H 0 C:\WINDOWS\LastGood\INF\oem26.inf
10/2/2005 1:24:38 PM H 0 C:\WINDOWS\LastGood\INF\oem26.PNF
10/4/2005 1:38:22 AM H 8192 C:\WINDOWS\system32\config\default.LOG
10/4/2005 1:38:56 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
10/4/2005 1:38:40 AM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
10/4/2005 1:40:10 AM H 106496 C:\WINDOWS\system32\config\software.LOG
10/4/2005 1:38:44 AM H 1130496 C:\WINDOWS\system32\config\system.LOG
9/29/2005 12:08:24 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
12/27/2005 7:28:30 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\394f62f2-3752-4b48-a908-09efe3d5b933
10/4/2005 1:37:38 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/28/2002 7:00:00 PM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/17/2001 11:37:02 PM 48128 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/29/2002 4:41:00 AM 208896 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 6/3/2004 10:05:06 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 9/23/2004 6:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 4:41:00 AM 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/9/2002 7:49:58 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
8/3/2003 12:46:08 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
4/18/2005 7:42:46 PM 1747 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MTV Networks Video Optimizer.lnk
10/2/2005 1:21:06 PM 2463 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Dialer (OnStartup).lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/9/2002 12:33:50 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
1/4/2004 1:28:12 PM 13 C:\Documents and Settings\All Users\Application Data\DirectCDUserNameE.txt

Checking files in %USERPROFILE%\Startup folder...
9/9/2002 7:49:58 AM HS 84 C:\Documents and Settings\Daniel Werner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
9/9/2002 12:33:50 AM HS 62 C:\Documents and Settings\Daniel Werner\Application Data\desktop.ini
6/6/2005 12:27:24 AM 62560 C:\Documents and Settings\Daniel Werner\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
YComp 5.0.0.0 = Yahoo! Companion

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\iO
{C14F7681-33D8-11D3-A09B-00500402F30B} = C:\Program Files\iO\iomenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\WINDOWS\Downloaded Program Files\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{243B17DE-77C7-46BF-B94B-0B5F309A0E64}
= c:\Program Files\Microsoft Money\System\mnyside.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2499216C-4BA5-11D5-BD9C-000103C116D5}
ButtonText = Yahoo! Login :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
ButtonText = Messenger :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
ButtonText = MoneySide :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = :
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = :
{4E7BD74F-2B8D-469E-D7E4-F660B597BF2A} = :
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AGRSMMSG AGRSMMSG.exe
Cpqset C:\Program Files\HPQ\Default Settings\cpqset.exe
PreloadApp c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
srmclean C:\Cpqs\Scom\srmclean.exe
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
WinampAgent "C:\Program Files\Winamp3\winampa.exe"
2wSysTray C:\Program Files\2Wire\Gateway\2PortalMon.exe
mmtask C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
HP Software Update "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
HP Component Manager "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
DeviceDiscovery C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
ViewMgr C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
iTunesHelper C:\Program Files\iTunes\iTunesHelper.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AIM C:\Program Files\AIM\aim.exe -cnetwait.odl
MsnMsgr "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
Yahoo! Pager C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
syvlay C:\WINDOWS\System32\syvlay.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149
CDRAutoRun 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/4/2005 1:56:35 AM

Kaspersky Online Scan Log:

#10
Wizard
Retired Staff
5,661 posts
Can you post the Kaspersky log again, it got cut off!

We gotta clean out Norton's Quarantine folder too, don't let me forget that! :tazz:

Go to Add\Remove Programs and see if there is an entry for FreeProd1

If there is, remove it please!

One more favor please!!

See if you can locate these files:

C:\WINDOWS\System32\syvlay.exe

C:\Program Files\GDiVXZen1.0.exe

If so, have them scanned here
http://virusscan.jotti.org/
and
http://www.virustota...h/index_en.html

Try to save the results to a notepad page if you are able to get them scanned!

Edited by Cretemonster, 04 October 2005 - 01:09 PM.

#11
danwer930
Topic Starter
Member
9 posts
Oops! Sorry about that. Here is the complete Kaspersky Scan:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, October 04, 2005 10:37:33
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 4/10/2005
Kaspersky Anti-Virus database records: 152353
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 84711
Number of viruses found: 59
Number of infected objects: 289
Number of suspicious objects: 0
Duration of the scan process: 6160 sec

Infected Object Name - Virus Name
C:\!KillBox\aun_0001.exe Infected: Trojan-Downloader.Win32.Small.akz
C:\!KillBox\tuvus.dll Infected: Trojan-Downloader.Win32.Small.bpk
C:\!KillBox\v2.dll Infected: not-a-virus:AdWare.Win32.EliteBar.a
C:\Program Files\GDiVXZen1.0.exe/data0012/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af
C:\Program Files\GDiVXZen1.0.exe/data0012/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bl
C:\Program Files\GDiVXZen1.0.exe/data0012/data0001.cab/Weather/Weather.exe Infected: not-a-virus:AdWare.Win32.SaveNow.m
C:\Program Files\GDiVXZen1.0.exe/data0012/data0001.cab/Weather/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.m
C:\Program Files\GDiVXZen1.0.exe/data0012/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.m
C:\Program Files\GDiVXZen1.0.exe/data0012 Infected: not-a-virus:AdWare.Win32.SaveNow.m
C:\Program Files\GDiVXZen1.0.exe/data0015 Infected: not-a-virus:AdWare.NewDotNet.d
C:\Program Files\GDiVXZen1.0.exe Infected: not-a-virus:AdWare.NewDotNet.d
C:\Program Files\Microsoft AntiSpyware\Quarantine\EC86A00F-82E4-4274-A960-26ECC6\BB6BC34B-C79E-4BA3-B59A-2EE01E/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\Program Files\Microsoft AntiSpyware\Quarantine\EC86A00F-82E4-4274-A960-26ECC6\BB6BC34B-C79E-4BA3-B59A-2EE01E/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\Program Files\Microsoft AntiSpyware\Quarantine\EC86A00F-82E4-4274-A960-26ECC6\BB6BC34B-C79E-4BA3-B59A-2EE01E Infected: not-a-virus:AdWare.Win32.BargainBuddy.y
C:\Program Files\Norton AntiVirus\Quarantine\011C28A5 Infected: Trojan-Downloader.JS.Small.b
C:\Program Files\Norton AntiVirus\Quarantine\037B0FFC.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\037B0FFC.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\058C1FC2.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\06E42F3D.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\06E75939.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\06EC6959.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\07525F61.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\07B26386.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\07B60D83.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\08A12BAB Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton AntiVirus\Quarantine\093872ED.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\093B1CE9.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\0AE83854.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\0AE83854.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\0B61359F.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\0B670998.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\0EA17A41 Infected: Trojan-Downloader.JS.Small.b
C:\Program Files\Norton AntiVirus\Quarantine\0EA4243E Infected: Trojan-Downloader.JS.Small.b
C:\Program Files\Norton AntiVirus\Quarantine\0F0B0105.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\0F0B0105.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\0F61382D.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\0F64622A.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\0F876F46 Infected: Exploit.HTML.CodeBaseExec
C:\Program Files\Norton AntiVirus\Quarantine\10D32C90.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\10D6568C.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\10D90088.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\10DD2A85.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\10E05481.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\10E37E7E.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\10E6287A.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\10EA5277.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\10ED7C73.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\10F0266F.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\10F3506C.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\10F77A68.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\10FA2465.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\10FD4E61.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\1100785D.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\11023FD1 Infected: Trojan-Downloader.Win32.PurityScan.f
C:\Program Files\Norton AntiVirus\Quarantine\1104225A.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\11074C56.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\110A7653.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\110E204F.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\11114A4B.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\11147448.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\11171E44.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\118D1D4F.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\118D1D4F.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\1287658B.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\128A0F87.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\12E31B5F.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\13237868 Infected: Trojan-Downloader.JS.IstBar.j
C:\Program Files\Norton AntiVirus\Quarantine\13491167.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\167B35A4.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\167B35A4.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\18036B81.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\18036B81.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\183F729F.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\18AF44FB.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\18B26EF7.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\1A053869 Infected: Trojan.Win32.StartPage.ko
C:\Program Files\Norton AntiVirus\Quarantine\1A684EE9.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\1A6B78E5.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\1B98562A Infected: not-a-virus:AdWare.Win32.BiSpy.q
C:\Program Files\Norton AntiVirus\Quarantine\1B9B0026 Infected: not-a-virus:AdWare.Win32.BiSpy.f
C:\Program Files\Norton AntiVirus\Quarantine\1BB063D6 Infected: Exploit.HTML.CodeBaseExec
C:\Program Files\Norton AntiVirus\Quarantine\1E454BCF Infected: not-a-virus:AdWare.Win32.ImiBar.b
C:\Program Files\Norton AntiVirus\Quarantine\1E73575E.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\1ED94D65.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\1EF1609E.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\1FC7113B Infected: not-a-virus:AdWare.Win32.ImiBar.b
C:\Program Files\Norton AntiVirus\Quarantine\1FE43544.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\21DD4D16 Infected: Trojan-Downloader.JS.Small.b
C:\Program Files\Norton AntiVirus\Quarantine\229A6646 Infected: Trojan-Downloader.JS.IstBar.k
C:\Program Files\Norton AntiVirus\Quarantine\231F4026.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\23DD2F7E.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\26290EEE.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\291435EC.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\291435EC.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\29CD74F5.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\29CD74F5.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\2A03135D.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\2A690964.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\2BB855AE Infected: Trojan-Downloader.Win32.IstBar.fa
C:\Program Files\Norton AntiVirus\Quarantine\2BBC74B6 Infected: not-a-virus:AdWare.Win32.BetterInternet.d
C:\Program Files\Norton AntiVirus\Quarantine\2BC01EB3 Infected: not-a-virus:AdWare.Win32.BetterInternet.d
C:\Program Files\Norton AntiVirus\Quarantine\2C0A6CEC.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\2F5C290E.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\2F5F530A.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\311F04E1.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\31222EDE.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\33A65C36.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\33A65C36.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\34E54807.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\34E97204.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\35944F5B.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\35FA4563.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\364C4D66.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\3653215F.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\374911AD Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton AntiVirus\Quarantine\37874678 Infected: Trojan-Downloader.Win32.PurityScan.f
C:\Program Files\Norton AntiVirus\Quarantine\38470ADB.class Infected: Trojan.Java.Femad
C:\Program Files\Norton AntiVirus\Quarantine\385108D1.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\38585CC9.zip/GetAccess.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\38585CC9.zip/InsecureClassLoader.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\38585CC9.zip/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\38585CC9.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\38585CC9.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Program Files\Norton AntiVirus\Quarantine\385B06C6.class Infected: Trojan.Java.ClassLoader.c
C:\Program Files\Norton AntiVirus\Quarantine\38615ABF.class Infected: Trojan.Java.Femad
C:\Program Files\Norton AntiVirus\Quarantine\386504BB.class Infected: Trojan.Java.ClassLoader.Dummy.a
C:\Program Files\Norton AntiVirus\Quarantine\38682EB7.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton AntiVirus\Quarantine\388510B7.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\38883AB3.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\3B3452E8.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\3B3452E8.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\40A60C10.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\40AA360C.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\41240B5A.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\41502D20 Infected: not-a-virus:AdWare.Win32.BiSpy.f
C:\Program Files\Norton AntiVirus\Quarantine\418A0161.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\419A5A29 Infected: Trojan-Downloader.Win32.Harnig.gen
C:\Program Files\Norton AntiVirus\Quarantine\41E22852.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\41E5524E.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\423D57CF.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\423D57CF.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\42CE720D.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\42CE720D.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\45EE794D Infected: Exploit.HTML.CodeBaseExec
C:\Program Files\Norton AntiVirus\Quarantine\467E57FE.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\468101FB.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\46E123F9.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\46E44DF5.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\475D7360.dll Infected: Trojan.Win32.KillAV.de
C:\Program Files\Norton AntiVirus\Quarantine\48012586.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\48012586.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\480D4E9E.exe Infected: Backdoor.Win32.Jeemp.c
C:\Program Files\Norton AntiVirus\Quarantine\49097AF8 Infected: Backdoor.Win32.Ruledor.c
C:\Program Files\Norton AntiVirus\Quarantine\4BAE69ED.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\4BB213E9.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\4BCA3E5C.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\4C601402.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\4C601402.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\4C675019.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\4C675019.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\4D1A3D60.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\4D803367.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\4E6909AA Infected: not-a-virus:AdWare.Win32.SaveNow.f
C:\Program Files\Norton AntiVirus\Quarantine\508A0E45.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\50A22595.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\50A22595.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\54D07F1D Infected: Trojan-Dropper.Win32.Small.ff
C:\Program Files\Norton AntiVirus\Quarantine\55D365DE.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\55D60FDB.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\562F637B.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\565B6290.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\565B6290.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\567E707F.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\56811A7B.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\58AB795F.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\58BA7DE6 Infected: Trojan-Spy.Win32.Briss.g
C:\Program Files\Norton AntiVirus\Quarantine\58EB5667 Infected: Exploit.HTML.CodeBaseExec
C:\Program Files\Norton AntiVirus\Quarantine\58F52D08.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\58F85705.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\59116F66.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\5A7534D8.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\5A785ED4.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\5B69342C.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\5B69342C.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\5C8047C4.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\5C8047C4.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\62072ADA.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\620B54D7.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\62C228B2 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Program Files\Norton AntiVirus\Quarantine\634B2A01.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\634E53FD.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\643B355D.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\64A12B65.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\69274C4C Infected: not-a-virus:AdWare.Win32.BiSpy.m
C:\Program Files\Norton AntiVirus\Quarantine\698B7A13 Infected: Trojan-Downloader.JS.IstBar.j
C:\Program Files\Norton AntiVirus\Quarantine\698E2410 Infected: Trojan-Downloader.JS.IstBar.j
C:\Program Files\Norton AntiVirus\Quarantine\6A1A0344 Infected: Trojan-Clicker.Win32.Small.ab
C:\Program Files\Norton AntiVirus\Quarantine\6AB5592D.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\6AB5592D.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\6AC85FC2 Infected: not-a-virus:AdWare.Win32.SaveNow.f
C:\Program Files\Norton AntiVirus\Quarantine\6DD77AEC.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\6DDA24E8.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\6E3908A4 Infected: Trojan-Downloader.JS.IstBar.j
C:\Program Files\Norton AntiVirus\Quarantine\6F8F3FDB.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\6F8F3FDB.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\6FCB715C.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\70316763.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\712B10E5.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\712B10E5.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\718133AE/data0002 Infected: not-a-virus:AdWare.Win32.BookedSpace.b
C:\Program Files\Norton AntiVirus\Quarantine\718133AE Infected: not-a-virus:AdWare.Win32.BookedSpace.b
C:\Program Files\Norton AntiVirus\Quarantine\71DB50A2.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\742E5870.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\762924C3 Infected: not-a-virus:AdWare.Win32.BargainBuddy.w
C:\Program Files\Norton AntiVirus\Quarantine\762C4EBF Infected: not-a-virus:AdWare.Win32.BargainBuddy.n
C:\Program Files\Norton AntiVirus\Quarantine\762F78BC Infected: Trojan-Downloader.JS.IstBar.j
C:\Program Files\Norton AntiVirus\Quarantine\772C26C3 Infected: Backdoor.Win32.Jeemp.c
C:\Program Files\Norton AntiVirus\Quarantine\77A95A82 Infected: Trojan-Dropper.Win32.Small.hu
C:\Program Files\Norton AntiVirus\Quarantine\77B50A2C Infected: Trojan-Downloader.JS.Small.d
C:\Program Files\Norton AntiVirus\Quarantine\77F6162E.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\782F13EF Infected: Trojan-Downloader.Win32.PurityScan.e
C:\Program Files\Norton AntiVirus\Quarantine\78323DEB Infected: Trojan-Spy.Win32.Briss.g
C:\Program Files\Norton AntiVirus\Quarantine\783567E8 Infected: not-a-virus:AdWare.Win32.BetterInternet
C:\Program Files\Norton AntiVirus\Quarantine\783911E4 Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton AntiVirus\Quarantine\783F65DD Infected: Trojan-Downloader.Win32.Agent.ae
C:\Program Files\Norton AntiVirus\Quarantine\78420FD9 Infected: not-a-virus:AdWare.Win32.SaveNow.f
C:\Program Files\Norton AntiVirus\Quarantine\79283C79 Infected: Trojan-Downloader.JS.Small.b
C:\Program Files\Norton AntiVirus\Quarantine\7B5C2D5A.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\7B884F21 Infected: not-a-virus:AdWare.Win32.BiSpy.q
C:\Program Files\Norton AntiVirus\Quarantine\7BC22362.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\7CA00B9A.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\7CF25C51.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\Program Files\Norton AntiVirus\Quarantine\7E23039A.exe Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\7E23039A.new Infected: Virus.Win32.Bube.l
C:\Program Files\Norton AntiVirus\Quarantine\7F683665 Infected: not-a-virus:AdWare.Win32.Beginto.c
C:\Program Files\tbinstall.exe/WISE0009.BIN/WISE0038.BIN Infected: not-a-virus:AdWare.Win32.AmBar.2159
C:\Program Files\tbinstall.exe/WISE0009.BIN Infected: not-a-virus:AdWare.Win32.AmBar.2159
C:\Program Files\tbinstall.exe Infected: not-a-virus:AdWare.Win32.AmBar.2159
C:\SWSetup\Norton\SUPPORT\PCA_HOST\PCA_HOST.MSI/pcAWindowsNTAuthentication.cab/F218_WinNTAuth.dll.608B802B_309D_41F9_BEF2_EEF4FC4007F5 Infected: not-a-virus:[bleep]-Dialer.Win32.CDUpdater.g
C:\SWSetup\Norton\SUPPORT\PCA_HOST\PCA_HOST.MSI/pcAWindowsNTAuthentication.cab Infected: not-a-virus:[bleep]-Dialer.Win32.CDUpdater.g
C:\SWSetup\Norton\SUPPORT\PCA_HOST\PCA_HOST.MSI Infected: not-a-virus:[bleep]-Dialer.Win32.CDUpdater.g
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP19\A0000460.exe Infected: not-a-virus:AdWare.Win32.SurfSide.l
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP19\A0000461.dll Infected: not-a-virus:AdWare.Win32.SurfSide.l
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP19\A0000462.dll Infected: not-a-virus:AdWare.Win32.SurfSide.n
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP21\A0001524.exe Infected: Trojan-Downloader.Win32.Adload.a
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP21\A0001526.exe Infected: Trojan-Downloader.Win32.Adload.a
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP21\A0001527.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP22\A0001536.exe Infected: Trojan-Downloader.Win32.Intexp.c
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP22\A0001553.dll Infected: not-a-virus:AdWare.Win32.Winsta.a
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP23\A0001574.dll Infected: not-a-virus:AdWare.Win32.Winsta.a
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP23\A0001606.dll Infected: not-a-virus:AdWare.Win32.Winsta.a
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP24\A0001641.dll Infected: not-a-virus:AdWare.Win32.Winsta.a
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP25\A0001674.dll Infected: not-a-virus:AdWare.Win32.Winsta.a
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP25\A0001846.dll Infected: not-a-virus:AdWare.Win32.Winsta.a
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP25\A0001893.dll Infected: not-a-virus:AdWare.Win32.Winsta.a
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP26\A0001903.dll Infected: not-a-virus:AdWare.Win32.Winsta.a
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP27\A0001933.dll Infected: not-a-virus:AdWare.Win32.Winsta.a
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP28\A0001949.dll Infected: not-a-virus:AdWare.Win32.Winsta.a
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP29\A0001964.dll Infected: not-a-virus:AdWare.Win32.Winsta.a
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP30\A0002895.dll Infected: not-a-virus:AdWare.Win32.Winsta.a
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP31\A0002911.dll Infected: not-a-virus:AdWare.Win32.Winsta.a
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP32\A0002917.exe Infected: Trojan-Downloader.Win32.Lastad.h
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP32\A0002918.exe Infected: Trojan-Downloader.Win32.Lastad.h
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP32\A0002922.dll Infected: not-a-virus:AdWare.Win32.Winsta.a
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP33\A0002956.dll Infected: not-a-virus:AdWare.Win32.Winsta.a
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP33\A0003888.exe Infected: Virus.Win32.Bube.l
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP33\A0003915.dll Infected: not-a-virus:AdWare.Win32.Winsta.a
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP33\A0003925.exe/data0003 Infected: not-a-virus:AdWare.Win32.Beginto.c
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP33\A0003925.exe Infected: not-a-virus:AdWare.Win32.Beginto.c
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP33\A0003926.exe Infected: Trojan-Downloader.Win32.Adload.a
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP33\A0003927.exe Infected: Trojan.Win32.LowZones.aj
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP33\A0004271.dll Infected: not-a-virus:AdWare.Win32.Winsta.a
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP33\A0004281.exe Infected: Trojan-Downloader.Win32.Lastad.p
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP33\A0004282.exe Infected: Trojan-Downloader.Win32.Lastad.p
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP33\A0004318.dll Infected: not-a-virus:AdWare.Win32.Winsta.a
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP33\A0007737.exe Infected: Trojan-Dropper.Win32.Delf.ev
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP33\A0009399.exe Infected: Virus.Win32.Bube.l
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP33\A0009761.dll Infected: Trojan-Downloader.Win32.Lastad.h
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP33\A0009762.dll Infected: Trojan-Downloader.Win32.Lastad.h
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP33\A0009763.dll Infected: Trojan-Downloader.Win32.Lastad.h
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP33\A0009791.exe Infected: Virus.Win32.Bube.l
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP33\A0009809.exe Infected: Virus.Win32.Bube.l
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP33\A0009810.exe Infected: Virus.Win32.Bube.l
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP33\A0009819.exe Infected: Trojan-Downloader.Win32.Small.akz
C:\System Volume Information\_restore{68DCCD3E-2073-4915-A5DC-A445A55876AD}\RP33\A0009822.dll Infected: Trojan-Downloader.Win32.Small.bpk
C:\WINDOWS\system32\c4t.exe Infected: not-a-virus:AdWare.Win32.EliteBar.aj
C:\WINDOWS\system32\dgdgd.exe Infected: Trojan-Downloader.Win32.Agent.oj
C:\WINDOWS\system32\mc-58-12-0000093.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.i
C:\WINDOWS\Temp\ASHeuristic\v2_dll.vir Infected: not-a-virus:AdWare.Win32.EliteBar.a

Scan process completed.

I was not able to locate the file syvlay.exe in the location you specified. I DID find the file GDiVXZen1.0.exe, which I think is one of two divx apps I downloaded a while back, but I made a mistake! Instead of having it scanned, I accidentally deleted it! I hope that's OK.

There was no FreeProd1 in my Add/Remove Programs list.

What's next? Clean out that nasty Norton quarantine folder perhaps?

Daniel

#12
Wizard
    Retired Staff
  • 5,661 posts
As long as you deleted GDiVXZen1.0.exe, that's all that matters!

Let's get the rest of these buggers cleaned up!


Copy the text below into a blank notepad page and save it to the desktop as Clr.reg

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
"syvlay"=-

Don't run it just yet!


Follow the exact same process with Killbox on these files and folders

C:\WINDOWS\SYSTEM32\c4t.exe
C:\WINDOWS\SYSTEM32\dgdgd.exe
C:\WINDOWS\SYSTEM32\mc-58-12-0000093.exe
C:\WINDOWS\System32\syvlay.exe
C:\Program Files\GDiVXZen1.0.exe
C:\PROGRAM FILES\COMMON FILES\FreeProd1
C:\WINDOWS\Temp\ASHeuristic\v2_dll.vir
C:\WINDOWS\Temp\ASHeuristic


Delete on Reboot first-> to Safe Mode and Run all the entries through again, placing a tick by any of these selections available


"Standard File Kill"
"End Explorer Shell while Killing File"
"Deltree(Include Subdirectories)"



Now locate and double click Clr.reg and allow it to merge into the registry!


Scan once more with WinPFind while in Safe Mode!


Restart Normal and double click the Norton Antivirus icon in the taskbar next to the clock!

Click on Reports-> Click View Reports-> If it pops up a window asking if you want to repair anything-> Click NO!

Highlight everything in the list and Click delete and follow the prompts!


One last Online Scan to be sure we haven't missed anything
http://support.f-sec.../home/ols.shtml

Save the report if it finds anything!


Post back with a fresh HijackThis log and the reports from WinPFind and F-Secure!

Edited by Cretemonster, 04 October 2005 - 02:34 PM.


#13
danwer930
    New Member
  • Topic Starter
  • Member
  • 9 posts
Hi Cretemonster,

Sorry I was away for a couple of days. I have followed your latest instructions, and everything went pretty smoothly. When I rebooted my machine in safe mode and launched KillBox, the only items you mentioned that Killbox actually found and deleted were:

FreeProd1
ASHeuristic folder

Also, when I launched Norton, there were 5 items, including desktop.exe, that were listed, which I deleted.

With that said, here are the logs you requested.

F-Secure Scan:

Scanned files: 85812 Warning: 97 file(s) still infected!
C:\!KillBox\aun_0001.exe Trojan-Downloader.Win32.Small.akz

C:\!KillBox\dgdgd.exe Trojan-Downloader.Win32.Agent.oj

C:\!KillBox\tuvus.dll Trojan-Downloader.Win32.Small.bpk

C:\Program Files\Norton AntiVirus\Quarantine\011C28A5 Trojan-Downloader.JS.Small.b

C:\Program Files\Norton AntiVirus\Quarantine\037B0FFC.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\037B0FFC.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\058C1FC2.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\06E42F3D.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\06E42F3D.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\06EC6959.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\07525F61.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\07B26386.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\07B26386.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\08A12BAB Trojan-Downloader.Win32.Agent.ae

C:\Program Files\Norton AntiVirus\Quarantine\093872ED.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\093872ED.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\0AE83854.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\0AE83854.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\0B61359F.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\0B61359F.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\0EA17A41 Trojan-Downloader.JS.Small.b

C:\Program Files\Norton AntiVirus\Quarantine\0EA4243E Trojan-Downloader.JS.Small.b

C:\Program Files\Norton AntiVirus\Quarantine\0F0B0105.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\0F0B0105.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\0F61382D.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\0F61382D.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\0F876F46 Exploit.HTML.CodeBaseExec

C:\Program Files\Norton AntiVirus\Quarantine\10D32C90.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\10D6568C.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\10D90088.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\10DD2A85.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\10E05481.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\10E37E7E.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\10E6287A.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\10EA5277.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\10ED7C73.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\10F0266F.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\10F3506C.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\10F77A68.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\10FA2465.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\10FD4E61.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\1100785D.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\11023FD1 Trojan-Downloader.Win32.PurityScan.f

C:\Program Files\Norton AntiVirus\Quarantine\1104225A.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\11074C56.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\110A7653.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\110E204F.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\11114A4B.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\11147448.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\11171E44.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\118D1D4F.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\118D1D4F.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\1287658B.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\1287658B.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\12E31B5F.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\13237868 Trojan-Downloader.JS.IstBar.j

C:\Program Files\Norton AntiVirus\Quarantine\13491167.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\167B35A4.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\167B35A4.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\18036B81.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\18036B81.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\183F729F.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\18AF44FB.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\18AF44FB.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\1A053869 Trojan.Win32.StartPage.ko

C:\Program Files\Norton AntiVirus\Quarantine\1A684EE9.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\1A684EE9.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\1BB063D6 Exploit.HTML.CodeBaseExec

C:\Program Files\Norton AntiVirus\Quarantine\1E73575E.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\1ED94D65.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\1EF1609E.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\1FE43544.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\21DD4D16 Trojan-Downloader.JS.Small.b

C:\Program Files\Norton AntiVirus\Quarantine\229A6646 Trojan-Downloader.JS.IstBar.k

C:\Program Files\Norton AntiVirus\Quarantine\231F4026.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\23DD2F7E.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\26290EEE.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\291435EC.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\291435EC.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\29CD74F5.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\29CD74F5.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\2A03135D.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\2A690964.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\2BB855AE Trojan-Downloader.Win32.IstBar.fa

C:\Program Files\Norton AntiVirus\Quarantine\2C0A6CEC.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\2F5C290E.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\2F5C290E.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\311F04E1.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\311F04E1.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\33A65C36.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\33A65C36.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\34E54807.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\34E54807.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\35944F5B.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\35FA4563.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\364C4D66.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\364C4D66.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\374911AD Trojan-Downloader.Win32.Agent.ae

C:\Program Files\Norton AntiVirus\Quarantine\37874678 Trojan-Downloader.Win32.PurityScan.f

C:\Program Files\Norton AntiVirus\Quarantine\388510B7.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\388510B7.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\3B3452E8.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\3B3452E8.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\40A60C10.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\40A60C10.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\41240B5A.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\418A0161.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\419A5A29 Trojan-Downloader.Win32.Harnig.gen

C:\Program Files\Norton AntiVirus\Quarantine\41E22852.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\41E22852.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\423D57CF.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\423D57CF.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\42CE720D.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\42CE720D.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\45EE794D Exploit.HTML.CodeBaseExec

C:\Program Files\Norton AntiVirus\Quarantine\467E57FE.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\467E57FE.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\46E123F9.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\46E123F9.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\475D7360.dll Trojan.Win32.KillAV.de

C:\Program Files\Norton AntiVirus\Quarantine\48012586.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\48012586.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\480D4E9E.exe Backdoor.Win32.Jeemp.c

C:\Program Files\Norton AntiVirus\Quarantine\49097AF8 Backdoor.Win32.Ruledor.c

C:\Program Files\Norton AntiVirus\Quarantine\4BAE69ED.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\4BAE69ED.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\4BCA3E5C.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\4C601402.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\4C601402.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\4C675019.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\4C675019.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\4D1A3D60.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\4D803367.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\508A0E45.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\50A22595.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\50A22595.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\54D07F1D Trojan-Dropper.Win32.Small.ff

C:\Program Files\Norton AntiVirus\Quarantine\55D365DE.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\55D365DE.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\562F637B.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\565B6290.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\565B6290.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\567E707F.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\567E707F.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\58AB795F.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\58BA7DE6 Trojan-Spy.Win32.Briss.g

C:\Program Files\Norton AntiVirus\Quarantine\58EB5667 Exploit.HTML.CodeBaseExec

C:\Program Files\Norton AntiVirus\Quarantine\58F52D08.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\58F52D08.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\59116F66.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\5A7534D8.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\5A7534D8.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\5B69342C.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\5B69342C.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\5C8047C4.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\5C8047C4.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\62072ADA.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\62072ADA.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\634B2A01.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\634B2A01.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\643B355D.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\64A12B65.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\698B7A13 Trojan-Downloader.JS.IstBar.j

C:\Program Files\Norton AntiVirus\Quarantine\698E2410 Trojan-Downloader.JS.IstBar.j

C:\Program Files\Norton AntiVirus\Quarantine\6A1A0344 Trojan-Clicker.Win32.Small.ab

C:\Program Files\Norton AntiVirus\Quarantine\6AB5592D.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\6AB5592D.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\6DD77AEC.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\6DD77AEC.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\6E3908A4 Trojan-Downloader.JS.IstBar.j

C:\Program Files\Norton AntiVirus\Quarantine\6F8F3FDB.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\6F8F3FDB.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\6FCB715C.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\70316763.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\712B10E5.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\712B10E5.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\71DB50A2.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\742E5870.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\762F78BC Trojan-Downloader.JS.IstBar.j

C:\Program Files\Norton AntiVirus\Quarantine\772C26C3 Backdoor.Win32.Jeemp.c

C:\Program Files\Norton AntiVirus\Quarantine\77B50A2C Trojan-Downloader.JS.Small.d

C:\Program Files\Norton AntiVirus\Quarantine\77F6162E.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\782F13EF Trojan-Downloader.Win32.PurityScan.e

C:\Program Files\Norton AntiVirus\Quarantine\78323DEB Trojan-Spy.Win32.Briss.g

C:\Program Files\Norton AntiVirus\Quarantine\783911E4 Trojan-Downloader.Win32.Agent.ae

C:\Program Files\Norton AntiVirus\Quarantine\783F65DD Trojan-Downloader.Win32.Agent.ae

C:\Program Files\Norton AntiVirus\Quarantine\79283C79 Trojan-Downloader.JS.Small.b

C:\Program Files\Norton AntiVirus\Quarantine\7B5C2D5A.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\7BC22362.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\7CA00B9A.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\7CF25C51.exe Trojan-Downloader.Win32.Agent.jq

C:\Program Files\Norton AntiVirus\Quarantine\7E23039A.exe Virus.Win32.Bube.l (disinfected)

C:\Program Files\Norton AntiVirus\Quarantine\7E23039A.exe Virus.Win32.Bube.l (disinfected)


WinPFind:

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...
UPX! 6/28/2004 3:02:58 PM 149504 C:\Program Files\CWShredder.exe
UPX! 2/16/2005 11:06:16 AM 218112 C:\Program Files\HijackThis.exe
UPX! 10/4/2005 1:27:30 AM 50176 C:\Program Files\KillBox.exe
UPX! 7/17/2004 2:22:14 AM 26953157 C:\Program Files\NAV10ESD.exe
UPX! 9/7/2003 11:07:50 PM 702471 C:\Program Files\stinger.exe
qoologic 10/4/2005 1:26:08 AM 202953 C:\Program Files\WinPFind.zip

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/28/2002 7:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 10/26/2004 3:38:24 PM 716800 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 10/26/2004 3:38:24 PM 716800 C:\WINDOWS\SYSTEM32\DivX.dll
PTech 8/29/2005 1:27:12 PM 520968 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
PECompact2 9/8/2005 9:36:32 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 9/8/2005 9:36:32 PM 1997664 C:\WINDOWS\SYSTEM32\MRT.exe
Umonitor 8/28/2002 7:00:00 PM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/28/2002 7:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/8/2005 2:57:26 PM S 2048 C:\WINDOWS\bootstat.dat
10/6/2005 11:20:24 AM H 54156 C:\WINDOWS\QTFont.qfn
8/16/2005 8:10:02 PM H 0 C:\WINDOWS\inf\oem24.inf
10/4/2005 2:23:16 AM H 0 C:\WINDOWS\LastGood\INF\oem26.inf
10/4/2005 2:23:16 AM H 0 C:\WINDOWS\LastGood\INF\oem26.PNF
10/8/2005 2:57:12 PM H 8192 C:\WINDOWS\system32\config\default.LOG
10/8/2005 2:57:46 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
10/8/2005 2:57:28 PM H 16384 C:\WINDOWS\system32\config\SECURITY.LOG
10/8/2005 3:06:22 PM H 118784 C:\WINDOWS\system32\config\software.LOG
10/8/2005 2:57:34 PM H 1142784 C:\WINDOWS\system32\config\system.LOG
9/29/2005 12:08:24 AM H 1024 C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT.LOG
12/27/2005 7:28:30 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\394f62f2-3752-4b48-a908-09efe3d5b933
10/8/2005 2:56:20 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\607fb1ec-3db0-40ec-ab50-0ce4a5a5beaa
10/8/2005 2:56:20 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
10/8/2005 2:56:18 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/28/2002 7:00:00 PM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/17/2001 11:37:02 PM 48128 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/29/2002 4:41:00 AM 208896 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 6/3/2004 10:05:06 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 9/23/2004 6:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/28/2002 7:00:00 PM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/29/2002 4:41:00 AM 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/9/2002 7:49:58 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
8/3/2003 12:46:08 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
4/18/2005 7:42:46 PM 1747 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\MTV Networks Video Optimizer.lnk
10/4/2005 2:00:46 AM 2463 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\VPN Dialer (OnStartup).lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/9/2002 12:33:50 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
1/4/2004 1:28:12 PM 13 C:\Documents and Settings\All Users\Application Data\DirectCDUserNameE.txt

Checking files in %USERPROFILE%\Startup folder...
9/9/2002 7:49:58 AM HS 84 C:\Documents and Settings\Daniel Werner\Start Menu\Programs\Startup\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
9/9/2002 12:33:50 AM HS 62 C:\Documents and Settings\Daniel Werner\Application Data\desktop.ini
6/6/2005 12:27:24 AM 62560 C:\Documents and Settings\Daniel Werner\Application Data\GDIPFONTCACHEV1.DAT

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
YComp 5.0.0.0 = Yahoo! Companion

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\iO
{C14F7681-33D8-11D3-A09B-00500402F30B} = C:\Program Files\iO\iomenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\WINDOWS\Downloaded Program Files\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{243B17DE-77C7-46BF-B94B-0B5F309A0E64}
= c:\Program Files\Microsoft Money\System\mnyside.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar1.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2499216C-4BA5-11D5-BD9C-000103C116D5}
ButtonText = Yahoo! Login :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
ButtonText = Messenger :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{E023F504-0C5A-4750-A1E7-A9046DEA8A21}
ButtonText = MoneySide :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = :
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = :
{4E7BD74F-2B8D-469E-D7E4-F660B597BF2A} = :
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AGRSMMSG AGRSMMSG.exe
Cpqset C:\Program Files\HPQ\Default Settings\cpqset.exe
PreloadApp c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
srmclean C:\Cpqs\Scom\srmclean.exe
ATIPTA C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
MMTray C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
AdaptecDirectCD "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
WinampAgent "C:\Program Files\Winamp3\winampa.exe"
2wSysTray C:\Program Files\2Wire\Gateway\2PortalMon.exe
mmtask C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
HPDJ Taskbar Utility C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
HP Software Update "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
HP Component Manager "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
DeviceDiscovery C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
ViewMgr C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
SunJavaUpdateSched C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
iTunesHelper C:\Program Files\iTunes\iTunesHelper.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
gcasServ "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AIM C:\Program Files\AIM\aim.exe -cnetwait.odl
MsnMsgr "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
Yahoo! Pager C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149
CDRAutoRun 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/8/2005 3:17:31 PM

HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 4:30:42 PM, on 10/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://email.usc.edu/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [PreloadApp] c:\hp\drivers\printers\photosmart\hphprld.exe c:\hp\drivers\printers\photosmart\setup.exe -d
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: MTV Networks Video Optimizer.lnk = C:\Program Files\MTV Networks\VOpt\MTVOptTray.exe
O4 - Global Startup: VPN Dialer (OnStartup).lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .edf: C:\Program Files\Internet Explorer\PLUGINS\NPInfotl.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2253F320-AB68-4A07-917D-4F12D8884A06} (ChainCast VMR Client Proxy) - http://www.streamaud...d/ccpm_0237.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1124248151241
O16 - DPF: {8EB3FF4E-86A1-4717-884D-7BA2D38272CB} (F-Secure Online Scanner) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/...ro.cab33902.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {F7A05BAC-9778-410A-9CDE-BFBD4D5D2B7F} (iPIX Media Send Class) - http://216.249.24.60...geWell-ipix.cab
O16 - DPF: {F9043C85-F6F2-101A-A3C9-08002B2F49FB} (Microsoft Common Dialog Control, version 6.0) - http://activex.micro...b5/comdlg32.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.ao.../ampx_en_dl.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Please let me know how to proceed from here!

Thanks!

D
  • 0

#14
Wizard

Wizard

    Retired Staff

  • Retired Staff
  • 5,661 posts
All that looks fine and I am sure it feels better as well!

Disable System Restore
http://service1.syma...src=sec_doc_nam

Double click the Norton Antivirus icon in the taskbar next to the clock!

Click on Reports-> Click View Reports-> If it pops up a window asking if you want to repair anything-> Click NO!

Highlight everything in the list and Click delete and follow the prompts!


Please Install these 2 to add to the Security of the PC!

SpywareBlaster:
http://www.javacools...areblaster.html
Update Immediately!

WinHelp2002 Hosts File
http://www.mvps.org/...p2002/hosts.htm

Made Easy
http://www.mvps.org/...2002/hosts2.htm

Go ahead and Reconfigure Msconfig the way you like the PC to Startup!

Go ahead and remove any of the tools downloaded that are of no use anymore!

Post back and let me know how things are?
  • 0