1-WinAntiSpyware and 2-Install Winfixer [CLOSED]


  • This topic is locked

#16
lopezvip

  • Topic Starter
  • Member
  • 22 posts
so i have put up a few replies...i tried the regedit thing again, then i did the panda scan here is the pandascan results:


Incident Status Location

Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\System32\vtuut.dll

#17
greyknight17

  • Malware Expert
  • Visiting Consultant
  • 16,560 posts
Can't Ewido remove those entries that it finds? I see that it's being Ignored again...

Where is the new HijackThis log?

#18
lopezvip

  • Topic Starter
  • Member
  • 22 posts
i started my computer normally and ewido found vtuut.dll =( here is the HJT log:



Logfile of HijackThis v1.99.1
Scan saved at 1:42:18 AM, on 10/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\desktop\security suite\ewidoctrl.exe
C:\desktop\security suite\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Pedro Lopez-Villari\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8l.hpwis.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\html\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bellsouth.com/
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\vtuut.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...64/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.co...UC/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,11/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6A-11CF-96B8-444553540000} - http://hometown.aol....age/ProfR1G.exe
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.aol....ne/aolcinst.cab
O20 - Winlogon Notify: vtuut - C:\WINDOWS\System32\vtuut.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\desktop\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\desktop\security suite\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#19
greyknight17

  • Malware Expert
  • Visiting Consultant
  • 16,560 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Please download VundoFix.exe at http://www.atribune....ds/VundoFix.exe to your desktop.

* Double-click VundoFix.exe to extract the files.
* After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key (or F5 in some machines) until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
* Once in Safe Mode, open the VundoFix folder and double-click on KillVundo.bat
* Please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\System32\vtuut.dll

* Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
* When asked for a second path, enter -> C:\WINDOWS\System32\tuutv.*
* Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
* The fix will run then HijackThis will open.
* In HijackThis, please place a check next to the following items and click FIX CHECKED:

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\vtuut.dll
O20 - Winlogon Notify: vtuut - C:\WINDOWS\System32\vtuut.dll


* After you have fixed these items, close HijackThis and press any key to force a reboot of your computer.
* Pressing any key will cause a 'Blue Screen of Death'; this is normal, do not worry!
* Once your machine reboots please continue with the instructions below.

Download and install CleanUp! http://www.greyknigh...spy/CleanUp.exe

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click 'Options...'
Move the arrow down to 'Custom CleanUp!'
Put a check next to the following (Make sure nothing else is checked!):

* Empty Recycle Bins
* Delete Cookies
* Delete Prefetch files
* Cleanup! All Users

Click OK. Press the CleanUp! button to start the program.
It may ask you to reboot at the end, click NO.

Then, please run an online virus scan at ActiveScan http://www.pandasoft.../activescan.htm

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
  • 0
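The check behind the two entries picked out in post #19, as an added example that is not part of the original thread: it parses HijackThis lines, flags any file registered as both a BHO (O2) and a Winlogon Notify package (O20), derives the reversed-name wildcard used as the second path in the instructions, and reports which fixed entries are still present in a later log. The function names are hypothetical and `AFTER_LOG` is constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the HijackThis log in post #18.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
C:\WINDOWS\system32\winlogon.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.com/
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\vtuut.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: vtuut - C:\WINDOWS\System32\vtuut.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""

# The two entries post #19 asks the user to tick in HijackThis.
FIX_LINES = [
    r"O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\vtuut.dll",
    r"O20 - Winlogon Notify: vtuut - C:\WINDOWS\System32\vtuut.dll",
]

# Constructed follow-up log (not from the thread): the BHO is gone,
# but the Winlogon Notify entry survived the fix.
AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O20 - Winlogon Notify: vtuut - C:\WINDOWS\System32\vtuut.dll
"""

# A HijackThis entry starts with a section code such as R0, O2 or O20.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# A drive-letter path ending in a loadable binary extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"<>|*?\r\n]*?\.(?:dll|exe|ocx)(?![A-Za-z0-9])',
                     re.IGNORECASE)


def parse_entries(log_text):
    """Return one dict per HijackThis entry line; other lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, blank line or running-process path
        paths = PATH_RE.findall(m.group("body"))
        entries.append({
            "code": m.group("code"),
            "line": line,
            # The file is the last path on the line; "(no file)" yields None.
            "file": paths[-1].lower() if paths else None,
        })
    return entries


def multi_hooked_files(entries, required=("O2", "O20")):
    """Files that appear under every section code in `required`."""
    seen = defaultdict(set)
    for e in entries:
        if e["file"] and e["code"] in required:
            seen[e["file"]].add(e["code"])
    return sorted(f for f, codes in seen.items() if codes == set(required))


def reversed_name_pattern(dll_path):
    """Wildcard for the file whose base name is the DLL's name reversed,
    as in the second path given in post #19 (vtuut.dll -> tuutv.*)."""
    directory, _, filename = dll_path.rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    return directory + "\\" + stem[::-1] + ".*"


def still_present(fix_lines, later_log):
    """Entries from `fix_lines` that a later log still contains."""
    later = {e["line"].lower() for e in parse_entries(later_log)}
    return [l for l in fix_lines if l.strip().lower() in later]


if __name__ == "__main__":
    for f in multi_hooked_files(parse_entries(SAMPLE_LOG)):
        print("BHO + Winlogon Notify:", f)
    print("Second path:", reversed_name_pattern(r"C:\WINDOWS\System32\vtuut.dll"))
    for line in still_present(FIX_LINES, AFTER_LOG):
        print("Still present after fix:", line)
```
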

#20
lopezvip

  • Topic Starter
  • Member
  • 22 posts
i got into safe mode and completed the vundofix instructions, however HJT did not auto open and when i went back to my desktop there was only a black screen with safe mode on all four corners..so i switched users then went back to administrator and ran HJT--i checked off what was instructed and then rebooted.. i also did the clean up when i rebooted in normal mode! here is the cleanup results i copied and my HJT results i just did (O20-vtuut.dll is still there) =( :

CleanUp! started on 10/12/05 22:03:33.
...
C:\WINDOWS\Prefetch\AOLSERVICEHOST.EXE-0E7D2514.pf - deleted
C:\WINDOWS\Prefetch\AOLSP SCHEDULER.EXE-06707078.pf - deleted
C:\WINDOWS\Prefetch\AOLSP SCHEDULER.EXE-21D17D2F.pf - deleted
C:\WINDOWS\Prefetch\ASP.EXE-06B08E61.pf - deleted
C:\WINDOWS\Prefetch\ASPINST.EXE-08A341D2.pf - deleted
C:\WINDOWS\Prefetch\ASPUPDATE_US.EXE-1135B05E.pf - deleted
C:\WINDOWS\Prefetch\CLEANUP.EXE-1D11FD99.pf - deleted
C:\WINDOWS\Prefetch\DEFRAG.EXE-273F131E.pf - deleted
C:\WINDOWS\Prefetch\DFRGNTFS.EXE-269967DF.pf - deleted
C:\WINDOWS\Prefetch\DUMPREP.EXE-1B46F901.pf - deleted
C:\WINDOWS\Prefetch\DWWIN.EXE-30875ADC.pf - deleted
C:\WINDOWS\Prefetch\ENGINEEXE.EXE-089F6C05.pf - deleted
C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf - deleted
C:\WINDOWS\Prefetch\FILEMGREXE.EXE-0DFC4086.pf - deleted
C:\WINDOWS\Prefetch\FIREFOX.EXE-17EE503B.pf - deleted
C:\WINDOWS\Prefetch\FIREFOX.EXE-28641590.pf - deleted
C:\WINDOWS\Prefetch\FRAMEWORKSERVICE.EXE-2CAB3CF3.pf - deleted
C:\WINDOWS\Prefetch\GLB1A2B.EXE-36D505DF.pf - deleted
C:\WINDOWS\Prefetch\HIJACKTHIS.EXE-26801472.pf - deleted
C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf - deleted
C:\WINDOWS\Prefetch\IMAPI.EXE-0BF740A4.pf - deleted
C:\WINDOWS\Prefetch\INDEX.EXE-0F191830.pf - deleted
C:\WINDOWS\Prefetch\KILLBOX.EXE-30E91B05.pf - deleted
C:\WINDOWS\Prefetch\Layout.ini - deleted
C:\WINDOWS\Prefetch\LOGONUI.EXE-0AF22957.pf - deleted
C:\WINDOWS\Prefetch\MCSHIELD.EXE-0848DB5A.pf - deleted
C:\WINDOWS\Prefetch\MELODYEXE.EXE-3A56BD18.pf - deleted
C:\WINDOWS\Prefetch\MOTOROLA-TOOL.EXE-26470A9E.pf - deleted
C:\WINDOWS\Prefetch\MPFAGENT.EXE-324931EB.pf - deleted
C:\WINDOWS\Prefetch\MPFCONSOLE.EXE-1A2CE790.pf - deleted
C:\WINDOWS\Prefetch\MPFSERVICE.EXE-037A8F95.pf - deleted
C:\WINDOWS\Prefetch\MPFTRAY.EXE-30D2A4D4.pf - deleted
C:\WINDOWS\Prefetch\MPLAYER2.EXE-179FD902.pf - deleted
C:\WINDOWS\Prefetch\MPNOTIFY.EXE-3631A846.pf - deleted
C:\WINDOWS\Prefetch\MSNMSGR.EXE-366A1A81.pf - deleted
C:\WINDOWS\Prefetch\MSPMSPSV.EXE-159858D5.pf - deleted
C:\WINDOWS\Prefetch\MSWORKS.EXE-31812CA4.pf - deleted
C:\WINDOWS\Prefetch\MUNINST.EXE-2166743D.pf - deleted
C:\WINDOWS\Prefetch\NAPRDMGR.EXE-1FE4047B.pf - deleted
C:\WINDOWS\Prefetch\NICSERV.EXE-3AE481AA.pf - deleted
C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf - deleted
C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf - deleted
C:\WINDOWS\Prefetch\OCPINST.EXE-253EC18E.pf - deleted
C:\WINDOWS\Prefetch\ODHOST.EXE-310573B1.pf - deleted
C:\WINDOWS\Prefetch\OPTSCAN.EXE-062DE052.pf - deleted
C:\WINDOWS\Prefetch\OSA.EXE-1878224B.pf - deleted
C:\WINDOWS\Prefetch\P2KMAN.EXE-23F3653C.pf - deleted
C:\WINDOWS\Prefetch\PANELEXE.EXE-123A3BA4.pf - deleted
C:\WINDOWS\Prefetch\POSTPROC.EXE-1470A3C0.pf - deleted
C:\WINDOWS\Prefetch\PPCLEAN.EXE-080D1BE3.pf - deleted
C:\WINDOWS\Prefetch\QTTASK.EXE-342507FB.pf - deleted
C:\WINDOWS\Prefetch\REALONEMESSAGECENTER.EXE-0F115151.pf - deleted
C:\WINDOWS\Prefetch\REALPLAY.EXE-1BF219BD.pf - deleted
C:\WINDOWS\Prefetch\REALSCHED.EXE-3282FD31.pf - deleted
C:\WINDOWS\Prefetch\REGEDIT.EXE-1B606482.pf - deleted
C:\WINDOWS\Prefetch\REGISTRYREPAIRPRO.EXE-25A89D76.pf - deleted
C:\WINDOWS\Prefetch\REGSVR32.EXE-25EEFE2F.pf - deleted
C:\WINDOWS\Prefetch\RPHELPERAPP.EXE-33CB172B.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-26DA8C9B.pf - deleted
C:\WINDOWS\Prefetch\RUNDLL32.EXE-451FC2C0.pf - deleted
C:\WINDOWS\Prefetch\RUNONCE.EXE-2803F297.pf - deleted
C:\WINDOWS\Prefetch\SCAN32.EXE-34BB0851.pf - deleted
C:\WINDOWS\Prefetch\SECURITYSUITE.EXE-34FE0D5C.pf - deleted
C:\WINDOWS\Prefetch\SETUP.EXE-0E804A2A.pf - deleted
C:\WINDOWS\Prefetch\SHELLMON.EXE-3302A29E.pf - deleted
C:\WINDOWS\Prefetch\SHELLRESTART.EXE-287DD434.pf - deleted
C:\WINDOWS\Prefetch\SHSTAT.EXE-2A9CD834.pf - deleted
C:\WINDOWS\Prefetch\SMAGENT.EXE-34504AD2.pf - deleted
C:\WINDOWS\Prefetch\SSPIPES.SCR-151C97BA.pf - deleted
C:\WINDOWS\Prefetch\STARTUP.EXE-04F3D88A.pf - deleted
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf - deleted
C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf - deleted
C:\WINDOWS\Prefetch\TBSETUP.EXE-0367EBFE.pf - deleted
C:\WINDOWS\Prefetch\UNWISE.EXE-12E4C840.pf - deleted
C:\WINDOWS\Prefetch\UPDATERUI.EXE-21775FB9.pf - deleted
C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf - deleted
C:\WINDOWS\Prefetch\VANGUARD.EXE-1CFC73E8.pf - deleted
C:\WINDOWS\Prefetch\VSTSKMGR.EXE-021A457C.pf - deleted
C:\WINDOWS\Prefetch\VUNDOFIX-1.EXE-11931F58.pf - deleted
C:\WINDOWS\Prefetch\WANMPSVC.EXE-079295ED.pf - deleted
C:\WINDOWS\Prefetch\WAOL.EXE-1659B5EC.pf - deleted
C:\WINDOWS\Prefetch\WDFMGR.EXE-2CF4013B.pf - deleted
C:\WINDOWS\Prefetch\WINZIP32.EXE-335422C1.pf - deleted
C:\WINDOWS\Prefetch\WISEUPDT.EXE-137C7F21.pf - deleted
C:\WINDOWS\Prefetch\WKGDCACH.EXE-09BEAA63.pf - deleted
C:\WINDOWS\Prefetch\WKSWP.EXE-25E36596.pf - deleted
C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf - deleted
C:\WINDOWS\Prefetch\WMPLAYER.EXE-18DDEFA2.pf - deleted
C:\WINDOWS\Prefetch\WPC54CFG.EXE-11207DF6.pf - deleted
C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf - deleted
C:\WINDOWS\Prefetch\YMSGR_TRAY.EXE-256366BA.pf - deleted
C:\WINDOWS\Prefetch\YPAGER.EXE-2F89F868.pf - deleted
C:\WINDOWS\Prefetch\YPAGER.EXE-31587640.pf - deleted
C:\WINDOWS\Prefetch\YSERVER.EXE-21015EB1.pf - deleted
C:\WINDOWS\Prefetch\YUPDATER.EXE-278A4587.pf - deleted
C:\WINDOWS\Prefetch\YUPDATER.EXE-3946FDDF.pf - deleted
Emptied Recycle Bin on drive C:
'Run MRU' list - removed from the registry.
WordPad Recent File List - removed from the registry.
Telnet's MRU list - removed from the registry.
WinZip Extract MRU list - removed from the registry.
WinZip File MRU list - removed from the registry.
CleanUp! 4.0 recovered 229.2 MB of disk space from 11271 files.
CleanUp! finished on 10/12/05 22:05:59.




Hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 10:31:12 PM, on 10/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\desktop\security suite\ewidoctrl.exe
C:\desktop\security suite\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1105942899\ee\AOLHostManager.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Common Files\AOL\1105942899\ee\AOLServiceHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
c:\program files\common files\aol\1105942899\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1105942899\ee\AOLServiceHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\America Online 9.0\shellmon.exe
C:\Documents and Settings\Pedro Lopez-Villari\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8l.hpwis.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\html\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bellsouth.com/
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\vtuut.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105942899\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...64/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.co...UC/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,11/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6A-11CF-96B8-444553540000} - http://hometown.aol....age/ProfR1G.exe
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.aol....ne/aolcinst.cab
O20 - Winlogon Notify: vtuut - C:\WINDOWS\System32\vtuut.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\desktop\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\desktop\security suite\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#21
lopezvip

    Member

  • Topic Starter
  • 22 posts
here is the pandascan (it was short and quick cause it just stopped):


Incident Status Location

Spyware:Spyware/Virtumonde No disinfected C:\WINDOWS\System32\vtuut.dll
  • 0

#22
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Don't post the CleanUp log here...I don't need it.

Please run the same fix I gave you earlier since those entries are still in HijackThis...restart and give me logs for Panda and HijackThis when done.
  • 0
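Added example, not part of the thread: a small Python check for whether flagged HijackThis entries survive a fix attempt, which is what comparing the logs before and after the fix amounts to. It flags a DLL registered both as a BHO (O2) and as a Winlogon Notify package (O20), the pairing the logs here show for vtuut.dll, then lists every entry in a later log that still references it. The function names are hypothetical and the sample logs are constructed from entry lines posted in this thread.

```python
"""Track whether flagged HijackThis entries survive a fix attempt."""
import re

# HijackThis entry lines look like "O2 - BHO: ..." (sections R, F, N, O).
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")

# Constructed sample in HijackThis v1.99.1 format, built from entry lines
# that appear in the logs posted in this thread.
LOG_BEFORE = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.com/
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\vtuut.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O20 - Winlogon Notify: vtuut - C:\WINDOWS\System32\vtuut.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""

# Constructed: the BHO entry was fixed but the Winlogon Notify entry was missed.
LOG_PARTIAL = "\n".join(
    line for line in LOG_BEFORE.splitlines() if not line.startswith("O2 "))

# Constructed: every reference to the DLL is gone.
LOG_CLEAN = "\n".join(
    line for line in LOG_BEFORE.splitlines() if "vtuut" not in line)


def parse_entries(log_text):
    """Return (section, body) for each entry line; process paths are skipped."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            entries.append((match.group("section"), match.group("body")))
    return entries


def entry_path(body):
    """Last ' - ' separated field of an entry, lowercased, or None."""
    if " - " not in body:
        return None
    target = body.rsplit(" - ", 1)[1].strip().lower()
    return None if target == "(no file)" else target


def dual_registered_dlls(log_text):
    """Paths registered under both O2 (BHO) and O20 (Winlogon Notify)."""
    sections_by_path = {}
    for section, body in parse_entries(log_text):
        path = entry_path(body)
        if path and section in ("O2", "O20"):
            sections_by_path.setdefault(path, set()).add(section)
    return sorted(p for p, s in sections_by_path.items() if {"O2", "O20"} <= s)


def remaining_references(before, after):
    """Entries in `after` that still point at a DLL flagged in `before`.

    A half-applied fix (only one of the two entries removed) is reported,
    because the remaining entry still loads the DLL.
    """
    flagged = set(dual_registered_dlls(before))
    return [(section, entry_path(body))
            for section, body in parse_entries(after)
            if entry_path(body) in flagged]


if __name__ == "__main__":
    print("flagged:", dual_registered_dlls(LOG_BEFORE))
    for name, log in (("same log", LOG_BEFORE), ("partial fix", LOG_PARTIAL),
                      ("clean", LOG_CLEAN)):
        print(name, "->", remaining_references(LOG_BEFORE, log))
```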

#23
lopezvip

    Member

  • Topic Starter
  • 22 posts
I went into safe mode.
I ran killvundo.bat.
When I do this the icons disappear on my screen (HJT hadn't run on its own).
I hit ctrl+alt+del so I could open the text file which I left open, and I opened it.
I clicked save in the file so that I could see HJT on my desktop... I opened it from the save menu of the .txt file.
With it opened, I clicked off the kill vundo screen and the text file with instructions and I continued with the process...
I restarted the computer manually and vuutv.dll is still here.


I have a question: in killvundo.bat the second file to be entered is C:\WINDOWS\System32\tuutv.*

Is that with the period and the asterisk or without it?


HJT file after restart in normal mode:


Logfile of HijackThis v1.99.1
Scan saved at 7:46:51 PM, on 10/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\desktop\security suite\ewidoctrl.exe
C:\desktop\security suite\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe
C:\Program Files\Common Files\AOL\1105942899\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1105942899\ee\AOLServiceHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
c:\program files\common files\aol\1105942899\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1105942899\ee\AOLServiceHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Pedro Lopez-Villari\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8l.hpwis.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\html\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bellsouth.com/
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\vtuut.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105942899\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...64/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.co...UC/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,11/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6A-11CF-96B8-444553540000} - http://hometown.aol....age/ProfR1G.exe
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.aol....ne/aolcinst.cab
O20 - Winlogon Notify: vtuut - C:\WINDOWS\System32\vtuut.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\desktop\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\desktop\security suite\ewidoguard.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#24
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Wait...are you doing this correctly? When you run KillVundo did you enter the second path yet? If you entered the second path, that's when it should open HijackThis. If it doesn't open HijackThis, you can open it up manually using the Task Manager->File->New Task.

Yes, that's a period followed by an asterisk. Please redo this again...
  • 0

#25
lopezvip

    Member

  • Topic Starter
  • 22 posts
Sorry I haven't been on in a while, I had some family issues to take care of... thank you for your help and your patience... I'm gonna try again now.
  • 0

#26
lopezvip

    Member

  • Topic Starter
  • 22 posts
I did the process again, same problem... One question: in the instructions it says to put in
C:\WINDOWS\System32\vtuut.dll the first time and
C:\WINDOWS\System32\tuutv.* Is the last part supposed to be vtuut.* instead of tuutv.*?

I'm trying to figure out why this doesn't work... after I kill the stuff I get a pop-up with a red x saying can't kill because it's being used somewhere else, yet the killvundo.bat blue screen reads killing .dll and .ini files

Logfile of HijackThis v1.99.1
Scan saved at 12:14:42 PM, on 10/19/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\desktop\security suite\ewidoctrl.exe
C:\desktop\security suite\ewidoguard.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1105942899\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1105942899\ee\AOLServiceHost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\America Online 9.0\waol.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Documents and Settings\Aly-n-Kwissy\Desktop\bin\iPodService.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
c:\program files\common files\aol\1105942899\ee\services\antiSpywareApp\ver2_0_7\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1105942899\ee\AOLServiceHost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\dumprep.exe
C:\WINDOWS\System32\dumprep.exe
C:\Documents and Settings\Pedro Lopez-Villari\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8l.hpwis.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bellsouth.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\HTML\html\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.bellsouth.com/
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\vtuut.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_12_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1105942899\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0\AOL.EXE" -b
O4 - Startup: Check for OneTouch Updates.lnk = C:\Program Files\Visioneer OneTouch\WiseUpdt.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward &Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cac&hed Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Si&milar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcaf...64/mcinsctl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://groups.msn.co...UC/MsnPUpld.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1....loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.co...,11/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6A-11CF-96B8-444553540000} - http://hometown.aol....age/ProfR1G.exe
O16 - DPF: {E04EAE82-14AD-41CB-BF5A-45556ABB8347} (WebCoachDownload Class) - http://esupport.aol....ne/aolcinst.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/...es/WFXScanR.cab
O20 - Winlogon Notify: vtuut - C:\WINDOWS\System32\vtuut.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ewido security suite control - ewido networks - C:\desktop\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\desktop\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Documents and Settings\Aly-n-Kwissy\Desktop\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
  • 0

#27
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
No, the spelling I gave you is correct. It's not supposed to be the same as the first file.

I want you to delete VundoFix and get a new download below and follow the new instructions also:

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Please download VundoFix.exe at http://www.atribune....ds/VundoFix.exe to your desktop.

* Double-click VundoFix.exe to extract the files.
* After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key (or F5 in some machines) until a menu appears. Use your up arrow key to highlight Safe Mode then hit Enter.
* Once in safe mode, open the VundoFix folder and double-click on KillVundo.bat
* Hit Enter key once...
* Please type the following file path (make sure to enter it exactly as below!):

C:\WINDOWS\System32\vtuut.dll

* Press Enter after you did that.
* When asked for a second path, enter -> C:\WINDOWS\System32\tuutv.*
* Press Enter to continue with the remaining fix.
* The fix will then run HijackThis. If it doesn't open, then run HijackThis manually.
* In HijackThis, please place a check next to the following items and click FIX CHECKED:

O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\vtuut.dll
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/...es/WFXScanR.cab
O20 - Winlogon Notify: vtuut - C:\WINDOWS\System32\vtuut.dll


* After you have fixed these items, close HijackThis.
* Press Enter key to exit the program.
* Once your machine reboots please continue with the instructions below.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link doesn't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. CleanUp! deletes EVERYTHING out of your temp/temporary folders; it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose NO when asked if you want to logoff.

Run an online virus scan at ActiveScan http://www.pandasoft.../activescan.htm

Copy the results of the ActiveScan and paste them here along with a new HijackThis log and the vundofix.txt file from the vundofix folder into this topic.
  • 0
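The entries marked for fixing in the post above include one DLL registered twice: as a Browser Helper Object (O2, loaded into Internet Explorer) and as a Winlogon Notify package (O20, loaded by winlogon.exe). As an added example (not part of the original post, and not code from VundoFix or HijackThis), this Python script finds that pairing in a HijackThis log. The sample lines are copied from the log in this thread, and `companion_glob` is a hypothetical helper that assumes the reversed-name pairing seen in the two paths given above (vtuut.dll and tuutv.*).

```python
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINDOWS\System32\vtuut.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O20 - Winlogon Notify: vtuut - C:\WINDOWS\System32\vtuut.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""

def dll_entries(log):
    """Yield (section, lowercased DLL path, raw line) for O-entries whose last field is a .dll."""
    for line in log.splitlines():
        raw = line.strip()
        fields = raw.split(" - ")  # HijackThis separates fields with " - "
        if (len(fields) >= 3 and re.fullmatch(r"O\d+", fields[0])
                and fields[-1].lower().endswith(".dll")):
            # Windows paths are case-insensitive, so compare in lower case.
            yield fields[0], fields[-1].lower(), raw

def dual_registered(log):
    """Return {dll_path: [raw lines]} for DLLs listed under both O2 (BHO) and O20 (Winlogon Notify)."""
    sections, lines = defaultdict(set), defaultdict(list)
    for section, path, raw in dll_entries(log):
        sections[path].add(section)
        lines[path].append(raw)
    return {p: lines[p] for p, seen in sections.items() if {"O2", "O20"} <= seen}

def companion_glob(dll_path):
    """Assumption: the second path is the DLL's base name reversed, with any extension."""
    directory, _, name = dll_path.rpartition("\\")
    stem = name.rsplit(".", 1)[0]
    return f"{directory}\\{stem[::-1]}.*"

if __name__ == "__main__":
    for path, raw_lines in dual_registered(SAMPLE_LOG).items():
        print(f"{path} is both a BHO and a Winlogon Notify package")
        print(f"  related files to check: {companion_glob(path)}")
        for raw in raw_lines:
            print(f"  {raw}")
```

The AOL toolbar DLL also appears in two sections (O3 and O9) but is not reported, because only the O2 plus O20 combination is matched.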

#28
lopezvip

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
I can't try to do the last instructions. I deleted the VundoFix file, but when I tried to restart in safe mode, all I get is the yes/no pop-up screen that asks if I want to be in safe mode... it only pops up for a second. If I hit yes in time I'll get Windows to open up with all the icons for a second, then everything goes black and all I get is the safe mode in all four corners. What's going on????
  • 0

#29
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Sorry for the long delay in responding...I must have overlooked your reply in my list of subscriptions :tazz:

Do you still require assistance at this point or is the problem resolved already?
  • 0

#30
lopezvip

    Member

  • Topic Starter
  • Member
  • PipPip
  • 22 posts
I still require assistance.... I think we should take this from the top, 'cause the last posts I put up the screen in safe mode wouldn't even show up, it would just go black (no icons), just the Windows version on the top of the screen.
Thanks
  • 0





