Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Assorted viruses and problems [CLOSED]


  • This topic is locked This topic is locked

#1
stillpickedlast

stillpickedlast

    Member

  • Member
  • PipPip
  • 17 posts
This is my first post and it is mainly becuase of a virus. I have ran all the things said to run before posting about a problem. becuase of this site i removed one porblem but another popped up. I no have a AppPatch\binmp3.dll and have had no luck on even finding it on the interenet so i am clearly having little luck gettin rid of it.

Here is my hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 11:53:20 PM, on 10/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cisvc.exe
C:\WINNT\ehome\ehSched.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\ehome\ehtray.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Thomson multimedia\RCA Lyra MP3 Jukebox\Profiler\LYRAHDDProfilerTrayApp.exe
C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe
C:\WINNT\ehome\ehmsas.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\PC MightyMax\pcmm.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\SIGMA\Photo Pro\SIGMA_AutoLaunch.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 207.80.59.209:80
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINNT\AppPatch\binmp3.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINNT\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [LyraHDProfiler] "C:\Program Files\Thomson multimedia\RCA Lyra MP3 Jukebox\Profiler\LYRAHDDProfilerTrayApp.exe"
O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\JD\Local Settings\Temporary Internet Files\Content.IE5\2P0V8NAJ\WAS5Scan[1].exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [PCMMRealtime] C:\Program Files\PC MightyMax\pcmm.exe /R
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:Keyboard Preload Check
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SIGMA Photo Pro AutoLaunch.lnk = C:\Program Files\SIGMA\Photo Pro\SIGMA_AutoLaunch.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab27571.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...1613117fb4ea0f9
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab28578.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - Winlogon Notify: binmp3 - C:\WINNT\AppPatch\binmp3.dll
O20 - Winlogon Notify: comsvr - C:\WINNT\ServicePackFiles\i386\comsvr.dll
O20 - Winlogon Notify: dosiis - C:\WINNT\java\classes\dosiis.dll
O20 - Winlogon Notify: infowave - C:\WINNT\Help\Tours\infowave.dll
O20 - Winlogon Notify: ssqrq - C:\WINNT\system32\ssqrq.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


thank you.
  • 0

Advertisements


#2
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Hi stillpickledlast and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.


Your system is currently infected multiple manifestations of the VUNDO trojan. When this happens, only one is active at any given time. To fix the problem, we must run the VUNDOFix as many times as there are Vundo manifestations, once for the active one, then, when the first has been killed, we run it as often as required to kill its replacement. Don't be alarmed if you are still getting popus during or after the first fix. It is just the other trojans taking over, but only for a short while :tazz:

Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.13 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):

    • C:\WINNT\AppPatch\binmp3.dll

  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):

    C:\WINNT\AppPatch\3pmnib.*

  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:

    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINNT\AppPatch\binmp3.dll
    O20 - Winlogon Notify: binmp3 - C:\WINNT\AppPatch\binmp3.dll

  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic


Regards,

Trevuren

  • 0

#3
stillpickedlast

stillpickedlast

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Still many more but here is the

Activescan

Incident Status Location

Adware:adware/cws No disinfected C:\Documents and Settings\JD\Favorites\TECHNOLOGY\Adware Remover.lnk
Adware:adware/quicksearch No disinfected C:\WINNT\DOWNLOADED PROGRAM FILES\Install.inf
Adware:adware/ist.istbar No disinfected C:\WINNT\DOWNLOADED PROGRAM FILES\istactivex.inf
Adware:adware/toprebates No disinfected C:\WINNT\DOWNLOADED PROGRAM FILES\WinadX.inf
Adware:adware/exact.bargainbuddyNo disinfected C:\WINNT\SYSTEM32\mac80ex.idf
Adware:adware/gator No disinfected C:\WINNT\GatorPdpSetup.log
Adware:adware/twain-tech No disinfected C:\WINNT\smdat32a.sys
Adware:adware/keenvalue No disinfected C:\WINNT\BROWSERXTRAS\PN\remove.exe
Adware:adware/superspider No disinfected C:\winspec.dat
Adware:adware/ncase No disinfected C:\PROGRAM FILES\180Solutions
Spyware:spyware/altnet No disinfected C:\PROGRAM FILES\Altnet
Adware:adware/exact.bullseye No disinfected C:\PROGRAM FILES\BullsEye Network
Adware:adware/wupd No disinfected C:\PROGRAM FILES\ErrorGuard
Adware:adware/savenow No disinfected C:\PROGRAM FILES\Save
Adware:adware/ist.sidefind No disinfected C:\PROGRAM FILES\SideFind
Adware:adware/winad No disinfected C:\PROGRAM FILES\Winad Client
Spyware:spyware/cydoor No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Gummy.class-3f43cd7c-3c650f8a.class
Adware:Adware/CWS No disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-6fd9f626-52f8636b.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2bc6ddfd-50d8a329.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-487b52a0-26266d45.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-487b52a0-26266d45.zip[VBUG.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-487b52a0-26266d45.zip[Dummy.class]
Adware:Adware/Startpage.JU No disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-487b52a0-26266d45.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-c15b66d-61660533.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-6f71cc40-3336f7ab.zip[Dummy.class]
Virus:Trj/Shinwow.C Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loader.jar-4dac567b-1a79a3ae.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv177.jar-405fe33-359546e5.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv177.jar-405fe33-359546e5.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv479.jar-22d4df3e-68b59373.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv479.jar-22d4df3e-68b59373.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv68.jar-158e9df4-1b27d435.zip[Matrix.class]
Adware:Adware/KeenValue No disinfected C:\Program Files\Kazaa\PerfectNavUninstall.exe
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{14777EC5-8DD8-4F5E-8CCA-9D8D102AA20D}\RP686\A0094496.dll
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{14777EC5-8DD8-4F5E-8CCA-9D8D102AA20D}\RP689\A0097616.bat
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{14777EC5-8DD8-4F5E-8CCA-9D8D102AA20D}\RP689\A0097617.exe
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{14777EC5-8DD8-4F5E-8CCA-9D8D102AA20D}\RP690\A0097837.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{14777EC5-8DD8-4F5E-8CCA-9D8D102AA20D}\RP696\A0100075.dll
Adware:Adware/KeenValue No disinfected C:\WINNT\browserxtras\pn\remove.exe
Adware:Adware/IST.ISTBar No disinfected C:\WINNT\Downloaded Program Files\istactivex.inf
Adware:Adware/WUpd No disinfected C:\WINNT\Downloaded Program Files\WinadX.inf
Virus:Trj/Agent.AJK Disinfected C:\WINNT\system32\geeby.dll
Virus:Trj/ShellHook.E Disinfected C:\WINNT\system32\jkhfc.dll
Adware:Adware/Exact.BargainBuddyNo disinfected C:\WINNT\system32\mac80ex.idf[msbe.dll]
Adware:Adware/Exact.BargainBuddyNo disinfected C:\WINNT\system32\mac80ex.idf[Uninstall.exe]
Adware:Adware/Exact.BargainBuddyNo disinfected C:\WINNT\system32\mac80ex.idf[bargains.exe]
Adware:Adware/Exact.BargainBuddyNo disinfected C:\WINNT\system32\mac80ex.idf[adv.exe]
Adware:Adware/Exact.BargainBuddyNo disinfected C:\WINNT\system32\mac80ex.idf[adx.exe]


vundofix.txt

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Suspending PID 644 'smss.exe'
Threads [648][652][656]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 140 'explorer.exe'
Killing PID 140 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 716 'winlogon.exe'
Killing PID 716 'winlogon.exe'
File Deleted sucessfully.
Files Deleted sucessfully.


and the Hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 12:37:42 AM, on 10/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\ehome\ehSched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\ehome\ehtray.exe
C:\WINNT\ehome\ehmsas.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Thomson multimedia\RCA Lyra MP3 Jukebox\Profiler\LYRAHDDProfilerTrayApp.exe
C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\SIGMA\Photo Pro\SIGMA_AutoLaunch.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\NORTON~1\Navw32.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 207.80.59.209:80
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINNT\ServicePackFiles\i386\comsvr.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINNT\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [LyraHDProfiler] "C:\Program Files\Thomson multimedia\RCA Lyra MP3 Jukebox\Profiler\LYRAHDDProfilerTrayApp.exe"
O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\JD\Local Settings\Temporary Internet Files\Content.IE5\2P0V8NAJ\WAS5Scan[1].exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:Keyboard Preload Check
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SIGMA Photo Pro AutoLaunch.lnk = C:\Program Files\SIGMA\Photo Pro\SIGMA_AutoLaunch.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab27571.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...1613117fb4ea0f9
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab28578.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - Winlogon Notify: comsvr - C:\WINNT\ServicePackFiles\i386\comsvr.dll
O20 - Winlogon Notify: dosiis - C:\WINNT\java\classes\dosiis.dll
O20 - Winlogon Notify: infowave - C:\WINNT\Help\Tours\infowave.dll
O20 - Winlogon Notify: ssqrq - C:\WINNT\system32\ssqrq.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
  • 0

#4
stillpickedlast

stillpickedlast

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Still many more but here is the

Activescan

Incident Status Location

Adware:adware/cws No disinfected C:\Documents and Settings\JD\Favorites\TECHNOLOGY\Adware Remover.lnk
Adware:adware/quicksearch No disinfected C:\WINNT\DOWNLOADED PROGRAM FILES\Install.inf
Adware:adware/ist.istbar No disinfected C:\WINNT\DOWNLOADED PROGRAM FILES\istactivex.inf
Adware:adware/toprebates No disinfected C:\WINNT\DOWNLOADED PROGRAM FILES\WinadX.inf
Adware:adware/exact.bargainbuddyNo disinfected C:\WINNT\SYSTEM32\mac80ex.idf
Adware:adware/gator No disinfected C:\WINNT\GatorPdpSetup.log
Adware:adware/twain-tech No disinfected C:\WINNT\smdat32a.sys
Adware:adware/keenvalue No disinfected C:\WINNT\BROWSERXTRAS\PN\remove.exe
Adware:adware/superspider No disinfected C:\winspec.dat
Adware:adware/ncase No disinfected C:\PROGRAM FILES\180Solutions
Spyware:spyware/altnet No disinfected C:\PROGRAM FILES\Altnet
Adware:adware/exact.bullseye No disinfected C:\PROGRAM FILES\BullsEye Network
Adware:adware/wupd No disinfected C:\PROGRAM FILES\ErrorGuard
Adware:adware/savenow No disinfected C:\PROGRAM FILES\Save
Adware:adware/ist.sidefind No disinfected C:\PROGRAM FILES\SideFind
Adware:adware/winad No disinfected C:\PROGRAM FILES\Winad Client
Spyware:spyware/cydoor No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Gummy.class-3f43cd7c-3c650f8a.class
Adware:Adware/CWS No disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-6fd9f626-52f8636b.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2bc6ddfd-50d8a329.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-487b52a0-26266d45.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-487b52a0-26266d45.zip[VBUG.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-487b52a0-26266d45.zip[Dummy.class]
Adware:Adware/Startpage.JU No disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-487b52a0-26266d45.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-c15b66d-61660533.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-6f71cc40-3336f7ab.zip[Dummy.class]
Virus:Trj/Shinwow.C Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loader.jar-4dac567b-1a79a3ae.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv177.jar-405fe33-359546e5.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv177.jar-405fe33-359546e5.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv479.jar-22d4df3e-68b59373.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv479.jar-22d4df3e-68b59373.zip[Matrix.class]
Virus:Exp
  • 0

#5
stillpickedlast

stillpickedlast

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Still many more but here is the

Activescan

Incident Status Location

Adware:adware/cws No disinfected C:\Documents and Settings\JD\Favorites\TECHNOLOGY\Adware Remover.lnk
Adware:adware/quicksearch No disinfected C:\WINNT\DOWNLOADED PROGRAM FILES\Install.inf
Adware:adware/ist.istbar No disinfected C:\WINNT\DOWNLOADED PROGRAM FILES\istactivex.inf
Adware:adware/toprebates No disinfected C:\WINNT\DOWNLOADED PROGRAM FILES\WinadX.inf
Adware:adware/exact.bargainbuddyNo disinfected C:\WINNT\SYSTEM32\mac80ex.idf
Adware:adware/gator No disinfected C:\WINNT\GatorPdpSetup.log
Adware:adware/twain-tech No disinfected C:\WINNT\smdat32a.sys
Adware:adware/keenvalue No disinfected C:\WINNT\BROWSERXTRAS\PN\remove.exe
Adware:adware/superspider No disinfected C:\winspec.dat
Adware:adware/ncase No disinfected C:\PROGRAM FILES\180Solutions
Spyware:spyware/altnet No disinfected C:\PROGRAM FILES\Altnet
Adware:adware/exact.bullseye No disinfected C:\PROGRAM FILES\BullsEye Network
Adware:adware/wupd No disinfected C:\PROGRAM FILES\ErrorGuard
Adware:adware/savenow No disinfected C:\PROGRAM FILES\Save
Adware:adware/ist.sidefind No disinfected C:\PROGRAM FILES\SideFind
Adware:adware/winad No disinfected C:\PROGRAM FILES\Winad Client
Spyware:spyware/cydoor No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Gummy.class-3f43cd7c-3c650f8a.class
Adware:Adware/CWS No disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-6fd9f626-52f8636b.class
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2bc6ddfd-50d8a329.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-487b52a0-26266d45.zip[BlackBox.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-487b52a0-26266d45.zip[VBUG.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-487b52a0-26266d45.zip[Dummy.class]
Adware:Adware/Startpage.JU No disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-487b52a0-26266d45.zip[Beyond.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-c15b66d-61660533.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-6f71cc40-3336f7ab.zip[Dummy.class]
Virus:Trj/Shinwow.C Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loader.jar-4dac567b-1a79a3ae.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv177.jar-405fe33-359546e5.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv177.jar-405fe33-359546e5.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv479.jar-22d4df3e-68b59373.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv479.jar-22d4df3e-68b59373.zip[Matrix.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv68.jar-158e9df4-1b27d435.zip[Matrix.class]
Adware:Adware/KeenValue No disinfected C:\Program Files\Kazaa\PerfectNavUninstall.exe
Adware:Adware/StartPage.AIW No disinfected C:\System Volume Information\_restore{14777EC5-8DD8-4F5E-8CCA-9D8D102AA20D}\RP686\A0094496.dll
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{14777EC5-8DD8-4F5E-8CCA-9D8D102AA20D}\RP689\A0097616.bat
Virus:W32/Sdbot.EFG.worm Disinfected C:\System Volume Information\_restore{14777EC5-8DD8-4F5E-8CCA-9D8D102AA20D}\RP689\A0097617.exe
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{14777EC5-8DD8-4F5E-8CCA-9D8D102AA20D}\RP690\A0097837.dll
Spyware:Spyware/Virtumonde No disinfected C:\System Volume Information\_restore{14777EC5-8DD8-4F5E-8CCA-9D8D102AA20D}\RP696\A0100075.dll
Adware:Adware/KeenValue No disinfected C:\WINNT\browserxtras\pn\remove.exe
Adware:Adware/IST.ISTBar No disinfected C:\WINNT\Downloaded Program Files\istactivex.inf
Adware:Adware/WUpd No disinfected C:\WINNT\Downloaded Program Files\WinadX.inf
Virus:Trj/Agent.AJK Disinfected C:\WINNT\system32\geeby.dll
Virus:Trj/ShellHook.E Disinfected C:\WINNT\system32\jkhfc.dll
Adware:Adware/Exact.BargainBuddyNo disinfected C:\WINNT\system32\mac80ex.idf[msbe.dll]
Adware:Adware/Exact.BargainBuddyNo disinfected C:\WINNT\system32\mac80ex.idf[Uninstall.exe]
Adware:Adware/Exact.BargainBuddyNo disinfected C:\WINNT\system32\mac80ex.idf[bargains.exe]
Adware:Adware/Exact.BargainBuddyNo disinfected C:\WINNT\system32\mac80ex.idf[adv.exe]
Adware:Adware/Exact.BargainBuddyNo disinfected C:\WINNT\system32\mac80ex.idf[adx.exe]


vundofix.txt

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Suspending PID 644 'smss.exe'
Threads [648][652][656]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 140 'explorer.exe'
Killing PID 140 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 716 'winlogon.exe'
Killing PID 716 'winlogon.exe'
File Deleted sucessfully.
Files Deleted sucessfully.


and the Hijackthis

Logfile of HijackThis v1.99.1
Scan saved at 12:37:42 AM, on 10/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\ehome\ehSched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\system32\cidaemon.exe
C:\WINNT\Explorer.EXE
C:\WINNT\ehome\ehtray.exe
C:\WINNT\ehome\ehmsas.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Thomson multimedia\RCA Lyra MP3 Jukebox\Profiler\LYRAHDDProfilerTrayApp.exe
C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\SIGMA\Photo Pro\SIGMA_AutoLaunch.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\NORTON~1\Navw32.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 207.80.59.209:80
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: NavErrRedir Class - {00D6A7E7-4A97-456f-848A-3B75BF7554D7} - (no file)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINNT\ServicePackFiles\i386\comsvr.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINNT\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [LyraHDProfiler] "C:\Program Files\Thomson multimedia\RCA Lyra MP3 Jukebox\Profiler\LYRAHDDProfilerTrayApp.exe"
O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\JD\Local Settings\Temporary Internet Files\Content.IE5\2P0V8NAJ\WAS5Scan[1].exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:Keyboard Preload Check
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SIGMA Photo Pro AutoLaunch.lnk = C:\Program Files\SIGMA\Photo Pro\SIGMA_AutoLaunch.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab27571.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...1613117fb4ea0f9
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab28578.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O20 - Winlogon Notify: comsvr - C:\WINNT\ServicePackFiles\i386\comsvr.dll
O20 - Winlogon Notify: dosiis - C:\WINNT\java\classes\dosiis.dll
O20 - Winlogon Notify: infowave - C:\WINNT\Help\Tours\infowave.dll
O20 - Winlogon Notify: ssqrq - C:\WINNT\system32\ssqrq.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



Sorry about the other comments. Cat layed on enter button. I would delete them but have no idea how to.

Edited by stillpickedlast, 15 October 2005 - 12:20 AM.

  • 0

#6
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.13 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Type in the filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):

    • C:\WINNT\ServicePackFiles\i386\comsvr.dll

  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum staff
    Then Press Enter, Then F6, Then Enter Again to continue with the fix.

  • At this point please type the following file path (make sure to enter it exactly as below!):

    C:\WINNT\ServicePackFiles\i386\rvsmoc.*

  • Press Enter, then press the F6 key, then press Enter one more time to continue with the fix.
  • The fix will run then HijackThis will open.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:

    O2 - BHO: MSEvents Object - {827DC836-DD9F-4A68-A602-5812EB50A834} - C:\WINNT\ServicePackFiles\i386\comsvr.dll
    O20 - Winlogon Notify: comsvr - C:\WINNT\ServicePackFiles\i386\comsvr.dll

  • After you have fixed these items, close Hijackthis and Press any key to Force a reboot of your computer.
  • Pressing any key will cause a "Blue Screen of Death" this is normal, do not worry!
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic


Regards,

Trevuren

  • 0

#7
stillpickedlast

stillpickedlast

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
a friend helped with the pop up viruses but i want to no if i am fully clean.



Logfile of HijackThis v1.99.1
Scan saved at 5:05:29 PM, on 10/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\cisvc.exe
C:\WINNT\ehome\ehSched.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\ehome\ehtray.exe
C:\WINNT\system32\CTHELPER.EXE
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\WINNT\ehome\ehmsas.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Thomson multimedia\RCA Lyra MP3 Jukebox\Profiler\LYRAHDDProfilerTrayApp.exe
C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\SIGMA\Photo Pro\SIGMA_AutoLaunch.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINNT\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 207.80.59.209:80
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINNT\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [LyraHDProfiler] "C:\Program Files\Thomson multimedia\RCA Lyra MP3 Jukebox\Profiler\LYRAHDDProfilerTrayApp.exe"
O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\JD\Local Settings\Temporary Internet Files\Content.IE5\2P0V8NAJ\WAS5Scan[1].exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:Keyboard Preload Check
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SIGMA Photo Pro AutoLaunch.lnk = C:\Program Files\SIGMA\Photo Pro\SIGMA_AutoLaunch.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab27571.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...1613117fb4ea0f9
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab28578.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Suspending PID 652 'smss.exe'
Threads [656][660][664]

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 3580 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 724 'winlogon.exe'
Killing PID 724 'winlogon.exe'
Killing PID 724 'winlogon.exe'
Killing PID 724 'winlogon.exe'
File Deleted sucessfully.
Files Deleted sucessfully.
  • 0

#8
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
A. Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • First we need to make all files and folders VISIBLE:
    • Go to start>control panel>folder options>view (tab)
    • Choose to "show hidden files and folders,"
    • Uncheck the "hide protected operating system files" and the "hide extensions for know file types" boxes.
    • Close the window with ok
  • Please RUN HijackThis.
    . Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapp...://my.yahoo.com
    O4 - Startup: PowerReg Scheduler.exe
    O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...1613117fb4ea0f9
    O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540006} (CInstall Class) - http://www.errorguar...ion/Install.cab



  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System in Safe Mode

    How to use the F8 method to Start Your Computer in Safe Mode

    • Restart the computer.
    • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
    • Use the arrow keys to select the Safe mode menu item
    • Press Enter.
  • Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

    PowerReg Scheduler.exe<==You will have to Search for this one

  • Exit Explorer, and REBOOT BACK INTO NORMAL MODE

  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum in your next reply after the following.

B. Please follow the instructions provided, you may want to print out these instructions and use them as a reference.
  • Please download ewido security suite it is a trial version of the program.
    • Install ewido security suite
    • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    • Launch ewido, there should be an icon on your desktop double-click it.
    • The program will prompt you to update click the OK button
    • The program will now go to the main screen
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update
    • Click on Start
    • The update will start and a progress bar will show the updates being installed.
  • Once the updates are installed do the following:
    • REBOOT into Safe Mode
    • Run EWIDO
    • Click on scanner
    • Click on Start Scan
    • Let the program scan the machine
    • While the scan is in progress you will be prompted to clean files, click OK
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
    • Click Save report
    • Save the report to your desktop
  • Reboot your machine and post back a new HJT log and the ewido .txt log file you saved by using Add Reply
Regards,

Trevuren

  • 0

#9
stillpickedlast

stillpickedlast

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Logfile of HijackThis v1.99.1
Scan saved at 12:57:56 PM, on 10/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\cisvc.exe
C:\WINNT\ehome\ehSched.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\ehome\ehtray.exe
C:\WINNT\system32\CTHELPER.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Gateway Utilities\GWInkMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\Program Files\Thomson multimedia\RCA Lyra MP3 Jukebox\Profiler\LYRAHDDProfilerTrayApp.exe
C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe
C:\WINNT\ehome\ehmsas.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
C:\Program Files\SIGMA\Photo Pro\SIGMA_AutoLaunch.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINNT\System32\HPZipm12.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\cleanmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe
C:\WINNT\system32\cidaemon.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 207.80.59.209:80
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINNT\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [Gateway Ink Monitor] "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [LyraHDProfiler] "C:\Program Files\Thomson multimedia\RCA Lyra MP3 Jukebox\Profiler\LYRAHDDProfilerTrayApp.exe"
O4 - HKLM\..\Run: [LyraHD2TrayApp] "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WildTangent CDA] "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\JD\Local Settings\Temporary Internet Files\Content.IE5\2P0V8NAJ\WAS5Scan[1].exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Keyboard Preload Check] C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:Keyboard Preload Check
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4
O4 - Startup: SIGMA Photo Pro AutoLaunch.lnk = C:\Program Files\SIGMA\Photo Pro\SIGMA_AutoLaunch.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Free WebSite Tools.lnk = ?
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O4 - Global Startup: officejet 6100.lnk = ?
O8 - Extra context menu item: &AOL Toolbar Search - res://c:\program files\aol\aol toolbar 2.0\aoltbhtml.dll/search.html
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab27571.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab28578.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.c.../ymmapi_416.dll
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe



---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:48:14 PM, 10/16/2005
+ Report-Checksum: D5B70C0D

+ Scan result:

HKLM\SOFTWARE\Altnet -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard\Messages -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard\Settings -> Spyware.Altnet : Error during cleaning
HKLM\SOFTWARE\Altnet\Dashboard\Setup -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Altnet\Dashboard\Temp Internet Shares -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Altnet\LocalFiles -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Altnet\TopSearch -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\ADM25.ADM25 -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\ADM25.ADM25\CurVer -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\ADM25.ADM25.1 -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\ADM25.ADM25.1\CLSID\\ -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\ADM4.ADM4 -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\ADM4.ADM4\CurVer -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\ADM4.ADM4.1 -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\ADM4.ADM4.1\CLSID\\ -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\adm.EXE -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\adm.EXE\\AppID -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\Altnet Signing Module.EXE\\AppID -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\BHO.PerfectNavBHO -> Spyware.KeenValue : Cleaned with backup
HKLM\SOFTWARE\Classes\BHO.PerfectNavBHO\CLSID -> Spyware.KeenValue : Cleaned with backup
HKLM\SOFTWARE\Classes\BHO.PerfectNavBHO\CLSID\\ -> Spyware.KeenValue : Cleaned with backup
HKLM\SOFTWARE\Classes\BHO.PerfectNavBHO\CurVer -> Spyware.KeenValue : Cleaned with backup
HKLM\SOFTWARE\Classes\BHO.PerfectNavBHO.1 -> Spyware.KeenValue : Cleaned with backup
HKLM\SOFTWARE\Classes\BHO.PerfectNavBHO.1\CLSID\\ -> Spyware.KeenValue : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{21FFB6C0-0DA1-11D5-A9D5-00500413153C} -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8B8F6968-2F24-41E3-B653-E9613226F14D} -> Spyware.KeenValue : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8B8F6968-2F24-41E3-B653-E9613226F14D}\TypeLib\\ -> Spyware.SearchUpgrader : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\MiniBugTransporter.MiniBugTransporterX.1\CLSID\\ -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\TopSearch.TSLink -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\TopSearch.TSLink\CLSID -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\TopSearch.TSLink\CurVer -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\TopSearch.TSLink.1 -> Spyware.Altnet : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{DE289BFA-737B-4ABB-A4EC-F8753551B875} -> Spyware.SearchUpgrader : Cleaned with backup
HKLM\SOFTWARE\Classes\WinadX.Installer -> Spyware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Classes\WinadX.Installer\CLSID -> Spyware.BlazeFind : Cleaned with backup
HKLM\SOFTWARE\Classes\WinadX.Installer\CLSID\\ -> Spyware.WinFavorites : Cleaned with backup
HKLM\SOFTWARE\Cydoor -> Spyware.Cydoor : Cleaned with backup
HKLM\SOFTWARE\Gator.com -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Gator.com\AppInfo -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Gator.com\CMEII -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Gator.com\Gator -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Gator.com\Gator\dyn -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Gator.com\Gator\dyn\GCH -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Gator.com\Gator\dyn\GCH\_gs -> Spyware.Gator : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/Install.dll\\.Owner -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/Install.dll\\{205FF73B-CA67-11D5-99DD-444553540006} -> Spyware.CnsMin : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/WinadX.dll\\.Owner -> Spyware.WinFavorites : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINNT/Downloaded Program Files/WinadX.dll\\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
HKU\S-1-5-21-4011730921-3500939666-135915560-500\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-6fd9f626-52f8636b.class -> TrojanDownloader.Small.wv : Cleaned with backup
C:\Documents and Settings\JD\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-487b52a0-26266d45.zip/Beyond.class -> TrojanDropper.Beyond.g : Cleaned with backup
C:\Documents and Settings\JD\Cookies\jd@advertising[1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\JD\Cookies\jd@atdmt[2].txt -> Spyware.Cookie.Atdmt : Cleaned with backup
C:\Documents and Settings\JD\Cookies\jd@doubleclick[1].txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\JD\Cookies\jd@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\JD\Cookies\[email protected][1].txt -> Spyware.Cookie.Advertising : Cleaned with backup
C:\Documents and Settings\JD\Cookies\jd@tradedoubler[1].txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\JD\Cookies\jd@valueclick[1].txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Documents and Settings\JD\Desktop\My Stuff\Programs\Setup.exe -> Spyware.AlexaBar : Cleaned with backup
C:\Documents and Settings\Kayla\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\Program Files\Altnet -> Spyware.Altnet : Cleaned with backup
C:\Program Files\Altnet\My Altnet Shares -> Spyware.Altnet : Cleaned with backup
C:\Program Files\Altnet\My Altnet Shares\Bullguard Protection -> Spyware.Altnet : Cleaned with backup
C:\Program Files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.cab -> Spyware.Altnet : Cleaned with backup
C:\Program Files\Altnet\My Altnet Shares\Bullguard Protection\cevakrnl.ivd.cab -> Spyware.Altnet : Cleaned with backup
C:\Program Files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab -> Spyware.Altnet : Cleaned with backup
C:\Program Files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab.cab -> Spyware.Altnet : Cleaned with backup
C:\Program Files\Altnet\My Altnet Shares\Bullguard Protection\plugins.cab.cab (incomplete) -> Spyware.Altnet : Cleaned with backup
C:\Program Files\BullsEye Network -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\BullsEye Network\ad.dat -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\BullsEye Network\ub.dat -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\Common Files\Sony Shared\Visualizer\ExlGen.dll -> Dialer.Generic : Cleaned with backup
C:\Program Files\ISTbar -> Spyware.ISTBar : Cleaned with backup
C:\Program Files\ISTbar\navmain.bmp -> Spyware.ISTBar : Cleaned with backup
C:\Program Files\ISTbar\search.bmp -> Spyware.ISTBar : Cleaned with backup
C:\Program Files\ISTbar\version_xml.php -> Spyware.ISTBar : Cleaned with backup
C:\Program Files\ISTbar\xml_istbar.php -> Spyware.ISTBar : Cleaned with backup
C:\Program Files\Mightsoft\Audio Editor Pro\areditor.exe -> Backdoor.Agobot.we : Cleaned with backup
C:\Program Files\Save -> Spyware.SaveNow : Cleaned with backup
C:\Program Files\Save\ReadMe.txt -> Spyware.SaveNow : Cleaned with backup
C:\Program Files\Save\save.db -> Spyware.SaveNow : Cleaned with backup
C:\Program Files\Save\save.htm -> Spyware.SaveNow : Cleaned with backup
C:\Program Files\Save\store.db -> Spyware.SaveNow : Cleaned with backup
C:\Program Files\Web_Rebates -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Ap1150 -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Ap1150\merc1187.dat -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Ap1150\psid1187.dat -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Ap1150\topr1150.dat -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Da1150 -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Da1150\1150sh.dat -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Da1150\41b5360c7efd.dat -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Da1150\JD -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Da1150\JD\41b53614383f.dat -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\README.txt -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150 -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Html -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Html\foot1150c_rb.htm -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Html\foot1150c_ub.htm -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Html\f_popo1150c_rb.htm -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Html\f_popo1150c_ub.htm -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Html\f_spec1150c_rb.htm -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Html\f_spec1150c_ub.htm -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Html\popo1150c.htm -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Html\pref1150c.htm -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Html\remv1150c.htm -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Html\scri1150a.htm -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Html\spec1150c.htm -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Images -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Images\p.gif -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Images\topr_c_envelope.gif -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Images\topr_c_footer.gif -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Images\topr_c_hdr_autotrack_remove.gif -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Images\topr_c_hdr_settings.gif -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Images\topr_c_hdr_settings_toprebates.gif -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Images\topr_c_pop_circles.gif -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Images\topr_c_pop_circles_bg2.gif -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Sy1150 -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Sy1150\1150_0.dat -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Sy1150\1150_1.dat -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Sy1150\1150_2.dat -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Tp1150 -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Tp1150\foot1150c_rb.htm -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Tp1150\foot1150c_ub.htm -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Tp1150\f_popo1150c_rb.htm -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Tp1150\f_popo1150c_ub.htm -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Tp1150\f_spec1150c_rb.htm -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Tp1150\f_spec1150c_ub.htm -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Tp1150\log.txt -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Tp1150\popo1150c.htm -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Tp1150\pref1150c.htm -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Tp1150\remv1150c.htm -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm -> Spyware.WebRebates : Cleaned with backup
C:\Program Files\Web_Rebates\Sy1150\Tp1150\spec1150c.htm -> Spyware.WebRebates : Cleaned with backup
C:\System Volume Information\_restore{14777EC5-8DD8-4F5E-8CCA-9D8D102AA20D}\RP670\A0088003.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\System Volume Information\_restore{14777EC5-8DD8-4F5E-8CCA-9D8D102AA20D}\RP675\A0091417.exe -> Spyware.AlexaBar : Cleaned with backup
C:\System Volume Information\_restore{14777EC5-8DD8-4F5E-8CCA-9D8D102AA20D}\RP675\A0091418.exe -> Spyware.AlexaBar : Cleaned with backup
C:\System Volume Information\_restore{14777EC5-8DD8-4F5E-8CCA-9D8D102AA20D}\RP686\A0094496.dll -> TrojanDownloader.Small.bpk : Cleaned with backup
C:\System Volume Information\_restore{14777EC5-8DD8-4F5E-8CCA-9D8D102AA20D}\RP690\A0097837.dll -> Spyware.Virtumonde : Cleaned with backup
C:\System Volume Information\_restore{14777EC5-8DD8-4F5E-8CCA-9D8D102AA20D}\RP696\A0100075.dll -> Spyware.Virtumonde : Cleaned with backup
C:\System Volume Information\_restore{14777EC5-8DD8-4F5E-8CCA-9D8D102AA20D}\RP696\A0100566.dll -> TrojanDownloader.ConHook.k : Cleaned with backup
C:\System Volume Information\_restore{14777EC5-8DD8-4F5E-8CCA-9D8D102AA20D}\RP697\A0100594.dll -> Spyware.Virtumonde : Cleaned with backup
C:\System Volume Information\_restore{14777EC5-8DD8-4F5E-8CCA-9D8D102AA20D}\RP697\A0100606.dll -> Spyware.Virtumonde : Cleaned with backup
C:\System Volume Information\_restore{14777EC5-8DD8-4F5E-8CCA-9D8D102AA20D}\RP697\A0100619.dll -> Spyware.Virtumonde : Cleaned with backup
C:\System Volume Information\_restore{14777EC5-8DD8-4F5E-8CCA-9D8D102AA20D}\RP697\A0100632.dll -> Spyware.Virtumonde : Cleaned with backup
C:\WINNT\system32\drivers\df_kmd.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup
C:\WINNT\system32\mac80ex.idf/C:/WINNT/system32/msbe.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINNT\system32\mac80ex.idf/C:/Program Files/BullsEye Network/bin/bargains.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINNT\system32\mac80ex.idf/C:/Program Files/BullsEye Network/bin/adv.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINNT\system32\mac80ex.idf/C:/Program Files/BullsEye Network/bin/adx.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINNT\wt\wtupdates\webd\4.1.1\files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINNT\wt\wtupdates\wtwebdriver\files\3.3.1.001\npwthost.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINNT\wt\wtupdates\wtwebdriver\files\3.3.1.001\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINNT\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup


::Report End
  • 0

#10
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
  • First we need to make all files and folders VISIBLE:
    • Go to start>control panel>folder options>view (tab)
    • Choose to "show hidden files and folders,"
    • Uncheck the "hide protected operating system files" and the "hide extensions for know file types" boxes.
    • Close the window with ok
  • Please RUN HijackThis.
    . Click the SCAN button to produce a log.

  • Place a check mark beside each one of the following items:

    O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\JD\Local Settings\Temporary Internet Files\Content.IE5\2P0V8NAJ\WAS5Scan[1].exe"

  • Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

  • Reboot Your System in Safe Mode

    How to use the F8 method to Start Your Computer in Safe Mode

    • Restart the computer.
    • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
    • Use the arrow keys to select the Safe mode menu item
    • Press Enter.
  • Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):


    C:\Documents and Settings\JD\Local Settings\Temporary Internet Files\Content.IE5\2P0V8NAJ<==Folder and all its content.


  • Exit Explorer, and REBOOT BACK INTO NORMAL MODE

  • Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everything looks now. Please also tell me if everything appears to be OK. If so, we can procede with the final cleanup.
Regards,

Trevuren

  • 0

Advertisements


#11
stillpickedlast

stillpickedlast

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
trying to delete the O4 - HKLM\..\Run: [NI.UWAS5LP_0001_0811] "C:\Documents and Settings\JD\Local Settings\Temporary Internet Files\Content.IE5\2P0V8NAJ\WAS5Scan[1].exe wasn't allowed.

an error popped up that read

Unexpected error occured!
Error #52 (Bad file name or number) in Sub GetLongPath(exe".exe):

Please send a report to [email protected], mentioning what you were doing, and what version of windows you have.

I followed the rules to the T and this came up.
  • 0

#12
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
We will get it another way:

Please Download the following tool to assist us in removing this infection!
  • Download WinPFind
    • Right Click the Zip Folder and Select "Extract All"
    • Extract it somewhere you will remember like the Desktop
    • Dont do anything with it yet!
  • Reboot into Safe Mode

    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

  • Doubleclick WinPFind.exe
    • Click "Start Scan"
    • It will scan the entire System, so please be patient!
    • Once the Scan is Complete
    • Go to the WinPFind folder
    • Locate WinPFind.txt
    • Place those results in the next post!
  • Reboot back to Normal Mode!

Regards,

Trevuren

  • 0

#13
stillpickedlast

stillpickedlast

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
PECompact2 12/31/2004 1:48:20 AM 11689652 C:\WINNT\LPT$VPN.325
qoologic 12/31/2004 1:48:20 AM 11689652 C:\WINNT\LPT$VPN.325
SAHAgent 12/31/2004 1:48:20 AM 11689652 C:\WINNT\LPT$VPN.325
UPX! 12/31/2004 1:48:20 AM 162885 C:\WINNT\tsc.exe
PECompact2 12/31/2004 1:48:20 AM 11689652 C:\WINNT\VPTNFILE.325
qoologic 12/31/2004 1:48:20 AM 11689652 C:\WINNT\VPTNFILE.325
SAHAgent 12/31/2004 1:48:20 AM 11689652 C:\WINNT\VPTNFILE.325
UPX! 12/31/2004 1:48:20 AM 1036800 C:\WINNT\vsapi32.dll
aspack 12/31/2004 1:48:20 AM 1036800 C:\WINNT\vsapi32.dll

Checking %System% folder...
PEC2 3/31/2003 7:00:00 AM 41397 C:\WINNT\SYSTEM32\dfrg.msc
PEC2 10/26/2004 5:38:24 PM 716800 C:\WINNT\SYSTEM32\DivX.dll
PECompact2 10/26/2004 5:38:24 PM 716800 C:\WINNT\SYSTEM32\DivX.dll
PTech 7/12/2005 6:04:22 PM 520456 C:\WINNT\SYSTEM32\LegitCheckControl.dll
PECompact2 10/4/2005 9:09:08 PM 2293088 C:\WINNT\SYSTEM32\MRT.exe
aspack 10/4/2005 9:09:08 PM 2293088 C:\WINNT\SYSTEM32\MRT.exe
aspack 8/4/2004 2:56:36 AM 708096 C:\WINNT\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINNT\SYSTEM32\rasdlg.dll
winsync 3/31/2003 7:00:00 AM 1309184 C:\WINNT\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINNT\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINNT\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/18/2005 3:48:28 PM S 2048 C:\WINNT\bootstat.dat
10/14/2005 4:12:52 PM HS 415 C:\WINNT\AppPatch\3pmnib.ini
8/26/2005 5:02:10 PM HS 178314 C:\WINNT\ServicePackFiles\i386\rvsmoc.bak2
8/26/2005 6:32:00 PM HS 179142 C:\WINNT\ServicePackFiles\i386\rvsmoc.ini
9/4/2005 1:26:08 PM HS 303 C:\WINNT\system32\qrqss.ini
10/4/2005 6:17:42 PM S 21737 C:\WINNT\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
9/28/2005 11:53:30 AM S 17402 C:\WINNT\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
9/9/2005 7:15:08 PM S 11084 C:\WINNT\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB901017.cat
8/29/2005 9:25:44 PM S 11084 C:\WINNT\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB904706.cat
8/22/2005 1:48:28 PM S 11084 C:\WINNT\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905414.cat
8/22/2005 9:03:36 PM S 11084 C:\WINNT\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB905749.cat
10/18/2005 8:28:08 PM H 1024 C:\WINNT\system32\config\default.LOG
10/18/2005 9:40:10 PM H 1024 C:\WINNT\system32\config\SAM.LOG
10/18/2005 9:50:56 PM H 1024 C:\WINNT\system32\config\SECURITY.LOG
10/18/2005 10:06:40 PM H 1024 C:\WINNT\system32\config\software.LOG
10/18/2005 9:59:58 PM H 1024 C:\WINNT\system32\config\system.LOG
10/14/2005 12:12:56 AM H 1024 C:\WINNT\system32\config\systemprofile\NTUSER.DAT.LOG
9/25/2005 9:53:02 PM HS 388 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\d5f7494a-e9fb-4f4b-bd5d-8a298365c817
9/25/2005 9:53:02 PM HS 24 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\Preferred
9/25/2005 9:50:34 PM HS 388 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\68c6ad2e-691c-4ac8-ab63-cc5f53eed7cd
9/25/2005 9:50:34 PM HS 24 C:\WINNT\system32\Microsoft\Protect\S-1-5-18\User\Preferred
10/18/2005 3:48:36 PM H 6 C:\WINNT\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINNT\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINNT\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINNT\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINNT\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINNT\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINNT\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINNT\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINNT\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINNT\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINNT\SYSTEM32\joy.cpl
Sun Microsystems 10/7/2003 1:34:44 PM 53352 C:\WINNT\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 187904 C:\WINNT\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINNT\SYSTEM32\mmsys.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 35840 C:\WINNT\SYSTEM32\ncpa.cpl
Ahead Software AG 10/9/2002 7:36:12 AM 57344 C:\WINNT\SYSTEM32\NeroBurnRights.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINNT\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINNT\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 6/13/2003 6:31:00 PM 143360 C:\WINNT\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 36864 C:\WINNT\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINNT\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINNT\SYSTEM32\powercfg.cpl
Intel® Corporation 3/11/2003 5:15:56 PM 77824 C:\WINNT\SYSTEM32\PRApplet.cpl
Apple Computer, Inc. 9/23/2004 7:57:40 PM 323072 C:\WINNT\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINNT\SYSTEM32\sysdm.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 28160 C:\WINNT\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINNT\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINNT\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 187904 C:\WINNT\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 35840 C:\WINNT\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 36864 C:\WINNT\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 3/31/2003 7:00:00 AM 28160 C:\WINNT\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINNT\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
2/27/2005 7:34:00 PM 986 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
5/22/2005 5:36:04 PM 1753 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
10/7/2003 12:29:30 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
12/2/2004 10:28:36 PM 631 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Free WebSite Tools.lnk
12/29/2003 4:32:28 PM 779 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hpoddt01.exe.lnk
2/9/2005 8:17:44 PM 1726 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
5/29/2004 10:36:30 AM 1567 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NkvMon.exe.lnk
12/29/2003 4:38:46 PM 779 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
10/7/2003 12:14:28 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
12/29/2003 4:36:38 PM 203 C:\Documents and Settings\All Users\Application Data\hpzinstall.log

Checking files in %USERPROFILE%\Startup folder...
10/7/2003 12:29:30 PM HS 84 C:\Documents and Settings\JD\Start Menu\Programs\Startup\desktop.ini
8/8/2005 8:50:46 PM 919 C:\Documents and Settings\JD\Start Menu\Programs\Startup\SIGMA Photo Pro AutoLaunch.lnk

Checking files in %USERPROFILE%\Application Data folder...
10/7/2003 12:14:28 PM HS 62 C:\Documents and Settings\JD\Application Data\desktop.ini
2/9/2005 11:21:46 PM 58024 C:\Documents and Settings\JD\Application Data\GDIPFONTCACHEV1.DAT
12/13/2004 7:28:14 PM 204 C:\Documents and Settings\JD\Application Data\G-Force Prefs (WindowsMediaPlayer).txt
9/11/2005 8:23:32 PM 6390 C:\Documents and Settings\JD\Application Data\PhotoPro.state.xml
9/12/2005 10:22:44 PM 6582 C:\Documents and Settings\JD\Application Data\wklnhst.dat

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\WINNT\Downloaded Program Files\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
Yahoo! Companion BHO = C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}
AOL Toolbar Launcher = C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar2.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
&Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll
{DE9C389F-3316-41A7-809B-AA305ED9D922} = AOL Toolbar : C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3369AF0D-62E9-4bda-8103-B4C75499B578}
ButtonText = AOL Toolbar :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
ButtonText = Messenger :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = &Yahoo! Companion : C:\Program Files\Yahoo!\Common\ycomp5_2_3_0.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
{40D41A8B-D79B-43D7-99A7-9EE0F344C385} = AIM Search : C:\Program Files\AIM Toolbar\AIMBar.dll
{DE9C389F-3316-41A7-809B-AA305ED9D922} = AOL Toolbar : C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ehTray C:\WINNT\ehome\ehtray.exe
NvCplDaemon RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
CTHelper CTHELPER.EXE
Hot Key Kbd 9910 Daemon SK9910DM.EXE
Gateway Ink Monitor "C:\Program Files\Gateway Utilities\GWInkMonitor.exe"
Microsoft Works Update Detection C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
mmtask C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
UpdateManager "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
LyraHDProfiler "C:\Program Files\Thomson multimedia\RCA Lyra MP3 Jukebox\Profiler\LYRAHDDProfilerTrayApp.exe"
LyraHD2TrayApp "C:\Program Files\Thomson\Lyra Jukebox\LyraHDTrayApp\LYRAHD2TrayApp.exe"
NeroFilterCheck C:\WINNT\system32\NeroCheck.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
WildTangent CDA "C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"
NI.UWAS5LP_0001_0811 "C:\Documents and Settings\JD\Local Settings\Temporary Internet Files\Content.IE5\2P0V8NAJ\WAS5Scan[1].exe"
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
Keyboard Preload Check C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:Keyboard Preload Check

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
ares "C:\Program Files\Ares\Ares.exe" -h
NBJ "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
AIM C:\Program Files\AIM\aim.exe -cnetwait.odl
msnmsgr "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
Windows Registry Repair Pro C:\Program Files\3B Software\Windows Registry Repair Pro\RegistryRepairPro.exe 4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\AIM
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command C:\Program Files\AIM\aim.exe -cnetwait.odl
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item aim
hkey HKCU
command C:\Program Files\AIM\aim.exe -cnetwait.odl
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msnmsgr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msnmsgr
hkey HKCU
command "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msnmsgr
hkey HKCU
command "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 149


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINNT\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\System32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/18/2005 10:08:41 PM
  • 0

#14
Trevuren

Trevuren

    Old Dog

  • Retired Staff
  • 18,699 posts
A. 1. Backup the registry by going to Start>Run> and type "regedit" without the quotes. Then on the file menu choose ‘export’ in XP. Export the file to your Desktop.

If a restore of the registry is required in case of emergency, just click on the exported regfile on your desktop, and answer YES to the question whether you want to merge this file with the registry. Wait until you get a message saying something like Merge Successfull.

2. Launch Notepad, and copy/paste everything in the codebox below into the new document, including the word REGEDIT4. Go up to "File Save As" and click the drop-down box to change the "Save As Type" to "All Files" and save it to your desktop as fixme.reg.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NI.UWAS5LP_0001_0811 "=-


3. Locate fixme.reg on your Desktop and double-click on it. You will receive a prompt similar to: "Do you wish to merge the information into the registry?". Answer Yes and wait for a message to appear similar to Merged Successfully.

4. Reboot your computer.



B. Using Windows Explorer, locate and DELETE the following file:

C:\Documents and Settings\JD\Local Settings\Temporary Internet Files\Content.IE5\2P0V8NAJ\WAS5Scan[1].exe"

C. Finally, run HijackThis, click SCAN, produce a LOG and POST it in this thread for review.

Regards,

Trevuren

  • 0

#15
stillpickedlast

stillpickedlast

    Member

  • Topic Starter
  • Member
  • PipPip
  • 17 posts
Im sorry, but I can't find the menu. I am stuck on the first instruction.

1. Backup the registry by going to Start>Run> and type "regedit" without the quotes. Then on the file menu choose ‘export’ in XP. Export the file to your Desktop.


Where is export at?
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP