Winfixer (yes another one) Please Help Me



#1 usafreedom (Member, 76 posts)
I had it once and it came back :/

Logfile of HijackThis v1.99.1
Scan saved at 12:50:08 PM, on 10/28/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Macromedia\Dreamweaver 4\Dreamweaver.exe
C:\Program Files\Winamp\winamp.exe
C:\unzipped\MozillaFirebird-0.6-win32[1]\MozillaFirebird\MozillaFirebird.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:100
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\ssqpm.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft....ayx_vp6_aac.cab
O20 - Winlogon Notify: jkhhh - C:\WINDOWS\System32\jkhhh.dll
O20 - Winlogon Notify: mlljh - C:\WINDOWS\System32\mlljh.dll
O20 - Winlogon Notify: ssqpm - C:\WINDOWS\System32\ssqpm.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

#2 Wizard (Retired Staff, 5,661 posts)
Hi usafreedom and Welcome to GeekstoGo!


Please print these instructions out for use in Safe Mode.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to extract the files
  • This will create a VundoFix folder on your desktop.
  • After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.
  • Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat
  • You will first be presented with a warning.
    It should look like this

    VundoFix V2.15 by Atri
    By using VundoFix you agree that you are doing so at your own risk
    Press enter to continue....

  • At this point press enter one time.
  • Next you will see:

    Please Type in the filepath as instructed by the forum staff
    and then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\ssqpm.dll
  • Press Enter to continue with the fix.
  • Next you will see:

    Please type in the second filepath as instructed by the forum
    staff then press enter:

  • At this point please type the following file path (make sure to enter it exactly as below!):
    • C:\WINDOWS\System32\mpqss.*
    This will be the Vundo filename spelt backwards; for example, if the Vundo dll was vundo.dll you would have the user enter odnuv.*
  • Press Enter to continue with the fix.
  • The fix will run then HijackThis will open, if it does not open automatically please open it manually.
  • In HiJackThis, please place a check next to the following items and click FIX CHECKED:

    O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\ssqpm.dll
    O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
    O20 - Winlogon Notify: jkhhh - C:\WINDOWS\System32\jkhhh.dll
    O20 - Winlogon Notify: mlljh - C:\WINDOWS\System32\mlljh.dll
    O20 - Winlogon Notify: ssqpm - C:\WINDOWS\System32\ssqpm.dll
  • After you have fixed these items, close Hijackthis.
  • Press enter to exit the program then manually reboot your computer.
  • Once your machine reboots please continue with the instructions below.
Download and install CleanUp!

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

It may ask you to reboot at the end, click NO.

Then, please run this online virus scan: ActiveScan

Copy the results of the ActiveScan and paste them here along with a new HiJackThis log and the vundofix.txt file from the vundofix folder into this topic.

#3 usafreedom (Topic Starter, Member, 76 posts)
Thanks here are the logs you have requested:

Logfile of HijackThis v1.99.1
Scan saved at 1:53:51 PM, on 10/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\unzipped\MozillaFirebird-0.6-win32[1]\MozillaFirebird\MozillaFirebird.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:100
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\jkhhh.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft....ayx_vp6_aac.cab
O20 - Winlogon Notify: jkhhh - C:\WINDOWS\System32\jkhhh.dll
O20 - Winlogon Notify: mlljh - C:\WINDOWS\System32\mlljh.dll
O20 - Winlogon Notify: ssqpm - C:\WINDOWS\System32\ssqpm.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

                  Detected  Disinfected
Virus                    0            0
Spyware                  0            0
Hacking Tools            0            0
Dialers                  0            0
Security Risks           0            0
Suspicious files         0            0

VundoFix V2.15 by Atri
--------------------------------------------------------------------------------------

Listing files contained in the vundofix folder.
--------------------------------------------------------------------------------------

killvundo.bat
process.exe
ReadMe.txt
vundo.reg
vundofix.txt

--------------------------------------------------------------------------------------

Filepaths entered
--------------------------------------------------------------------------------------

The filepath entered was C:\WINDOWS\System32\ssqpm.dll

The second filepath entered was C:\WINDOWS\System32\mpqss.*

--------------------------------------------------------------------------------------

Log from Process
--------------------------------------------------------------------------------------


Killing PID 156 'smss.exe'

Killing PID 1304 'explorer.exe'


Killing PID 232 'winlogon.exe'
Killing PID 232 'winlogon.exe'
--------------------------------------------------------------------------------------

C:\WINDOWS\System32\ssqpm.dll Deleted sucessfully.
C:\WINDOWS\System32\mpqss.* Deleted sucessfully.

Fixing Registry
--------------------------------------------------------------------------------------

Edited by usafreedom, 29 October 2005 - 11:52 AM.


#4 Wizard (Retired Staff, 5,661 posts)
Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\jkhhh.dll

O20 - Winlogon Notify: jkhhh - C:\WINDOWS\System32\jkhhh.dll

O20 - Winlogon Notify: mlljh - C:\WINDOWS\System32\mlljh.dll

O20 - Winlogon Notify: ssqpm - C:\WINDOWS\System32\ssqpm.dll (file missing)

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!


Post back with the Session Log from SpySweeper and a fresh Hijackthis log!
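A log triage helper, added here as an example (it is not the forum's, HijackThis's or VundoFix's code), for the procedure in posts #2 and #4: it parses the O2 and O20 lines of the HijackThis logs posted in this thread, flags the Vundo-style DLLs, derives the two VundoFix file paths (the DLL, then its name spelt backwards with a wildcard extension) and checks a follow-up log for entries that survived the fix. The "five random lowercase letters in System32" rule and all function names are assumptions for this example; the sample log lines are copied from the logs in this thread.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed samples: the O2/O20 (plus one O4) lines copied from the three HijackThis
# logs in this thread; the rest of each log is omitted because the triage ignores it.
HJT_BEFORE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\ssqpm.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: jkhhh - C:\WINDOWS\System32\jkhhh.dll
O20 - Winlogon Notify: mlljh - C:\WINDOWS\System32\mlljh.dll
O20 - Winlogon Notify: ssqpm - C:\WINDOWS\System32\ssqpm.dll
"""
# After VundoFix: the same BHO CLSID is back, now pointing at a different random DLL.
HJT_MIDDLE = r"""
O2 - BHO: MSEvents Object - {FC148228-87E1-4D00-AC06-58DCAA52A4D1} - C:\WINDOWS\System32\jkhhh.dll
O20 - Winlogon Notify: jkhhh - C:\WINDOWS\System32\jkhhh.dll
O20 - Winlogon Notify: mlljh - C:\WINDOWS\System32\mlljh.dll
O20 - Winlogon Notify: ssqpm - C:\WINDOWS\System32\ssqpm.dll (file missing)
"""
# After Spy Sweeper and the final Fix Checked: only legitimate entries remain.
HJT_AFTER = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
                   r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
# Heuristic (an assumption for this example, not a vendor signature): the Vundo build
# in this thread drops DLLs with random five-letter lowercase names straight into System32.
RANDOM_DLL_RE = re.compile(r"^[a-z]{5}\.dll$")


@dataclass
class Entry:
    section: str   # "O2" or "O20"
    line: str      # the HijackThis line verbatim
    path: str      # DLL path as logged, without the "(file missing)" suffix
    missing: bool  # HijackThis reported the file as missing (registry entry remains)


def parse_entries(log: str) -> list[Entry]:
    """Keep only the O2 (BHO) and O20 (Winlogon Notify) lines; ignore everything else."""
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        for section, rx in (("O2", O2_RE), ("O20", O20_RE)):
            m = rx.match(line)
            if m:
                entries.append(Entry(section, line, m.group("path"), bool(m.group("missing"))))
    return entries


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def is_random_system32_dll(path: str) -> bool:
    low = path.lower()
    return "\\system32\\" in low and bool(RANDOM_DLL_RE.match(basename(low)))


def vundo_triage(log: str) -> dict:
    """Lines to Fix Checked in HijackThis, plus the two file paths VundoFix asks for."""
    flagged = [e for e in parse_entries(log) if is_random_system32_dll(e.path)]
    # Vundo registers the same DLL as an O2 BHO and as O20 Winlogon Notify handlers, and the
    # notify DLLs reload the BHO when it is removed; a DLL seen in both is the strongest signal.
    o20_names = {basename(e.path).lower() for e in flagged if e.section == "O20"}
    bho = [e for e in flagged if e.section == "O2" and basename(e.path).lower() in o20_names]
    vundofix = []
    for e in bho:
        folder, name = e.path.rsplit("\\", 1)
        stem = name[:-4]  # drop ".dll"
        # Second VundoFix path: the DLL name spelt backwards with a wildcard extension,
        # which catches the companion file the DLL restores itself from (ssqpm -> mpqss.*).
        vundofix.append((e.path, f"{folder}\\{stem[::-1]}.*"))
    return {"fix_checked": [e.line for e in flagged], "vundofix_paths": vundofix}


def still_present(before: str, after: str) -> list[str]:
    """Flagged DLL names from the first log that a follow-up log still references
    (a "(file missing)" entry still needs its registry entry fixed)."""
    before_names = {basename(e.path).lower()
                    for e in parse_entries(before) if is_random_system32_dll(e.path)}
    return sorted({basename(e.path).lower() for e in parse_entries(after)
                   if basename(e.path).lower() in before_names})


if __name__ == "__main__":
    print(vundo_triage(HJT_BEFORE))
    print("left after VundoFix:", still_present(HJT_BEFORE, HJT_MIDDLE))
    print("left after Spy Sweeper:", still_present(HJT_BEFORE, HJT_AFTER))
```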

#5 usafreedom (Topic Starter, Member, 76 posts)
********
4:48 PM: | Start of Session, Saturday, October 29, 2005 |
4:48 PM: Spy Sweeper started
4:48 PM: Sweep initiated using definitions version 564
4:48 PM: Starting Memory Sweep
4:49 PM: Found Adware: virtumonde
4:49 PM: Detected running threat: C:\WINDOWS\SYSTEM32\jkhhh.dll (ID = 77)
4:49 PM: Detected running threat: C:\WINDOWS\SYSTEM32\mlljh.dll (ID = 77)
4:51 PM: Memory Sweep Complete, Elapsed Time: 00:02:50
4:51 PM: Starting Registry Sweep
4:51 PM: Found Adware: delfin
4:51 PM: HKLM\software\dsi\ (2 subtraces) (ID = 124852)
4:51 PM: Found Adware: subsearch
4:51 PM: HKCR\interface\{5a4e1627-8677-41f7-b78c-4cacdf5b12ff}\ (8 subtraces) (ID = 143047)
4:51 PM: HKCR\interface\{47d8f3a0-c511-4d91-a963-f00dddee4e49}\ (8 subtraces) (ID = 143049)
4:51 PM: HKLM\software\classes\interface\{5a4e1627-8677-41f7-b78c-4cacdf5b12ff}\ (8 subtraces) (ID = 143075)
4:51 PM: HKLM\software\classes\interface\{47d8f3a0-c511-4d91-a963-f00dddee4e49}\ (8 subtraces) (ID = 143077)
4:51 PM: Found Adware: wildmedia
4:51 PM: HKCR\appid\winaffiliatebho.dll\ (1 subtraces) (ID = 146688)
4:51 PM: HKLM\software\classes\appid\winaffiliatebho.dll\ (1 subtraces) (ID = 146699)
4:51 PM: Found Adware: cws-aboutblank
4:51 PM: HKU\S-1-5-21-757298511-2304659736-1445258045-1006\software\microsoft\internet explorer\main\ || search bar_bak (ID = 115924)
4:51 PM: HKU\S-1-5-21-757298511-2304659736-1445258045-1006\software\microsoft\internet explorer\main\ || search page_bak (ID = 115925)
4:51 PM: Found Adware: cws_ns3
4:51 PM: HKU\S-1-5-21-757298511-2304659736-1445258045-1006\software\microsoft\internet explorer\toolbar\shellbrowser\ || {0e1230f8-ea50-42a9-983c-d22abc2eed3b} (ID = 121295)
4:51 PM: Found Adware: ebates money maker
4:51 PM: HKU\S-1-5-21-757298511-2304659736-1445258045-1006\software\microsoft\internet explorer\extensions\cmdmapping\ || {6685509e-b47b-4f47-8e16-9a5f3a62f683} (ID = 125587)
4:51 PM: Found Adware: ie driver
4:51 PM: HKU\S-1-5-21-757298511-2304659736-1445258045-1006\software\microsoft\internet explorer\extensions\cmdmapping\ || {120e090d-9136-4b78-8258-f0b44b4bd2ac} (ID = 127930)
4:51 PM: Found Adware: drsnsrch.com hijack
4:51 PM: HKU\S-1-5-21-757298511-2304659736-1445258045-1006\software\microsoft\search assistant\ || defaultsearchurl (ID = 128205)
4:52 PM: Found Adware: bho_sep
4:52 PM: HKU\S-1-5-21-757298511-2304659736-1445258045-1006\software\sep\ (9 subtraces) (ID = 141642)
4:52 PM: Found Trojan Horse: trojan-downloader-domcom
4:52 PM: HKU\S-1-5-21-757298511-2304659736-1445258045-1006\software\down\ (1 subtraces) (ID = 144517)
4:52 PM: HKU\S-1-5-21-757298511-2304659736-1445258045-1006\software\microsoft\internet explorer\main\ || updater2 (ID = 146720)
4:52 PM: HKU\S-1-5-21-757298511-2304659736-1445258045-1006\software\microsoft\internet explorer\main\ || search page_bak (ID = 774883)
4:52 PM: Registry Sweep Complete, Elapsed Time:00:00:20
4:52 PM: Starting Cookie Sweep
4:52 PM: Found Spy Cookie: yieldmanager cookie
4:52 PM: jason aron@ad.yieldmanager[2].txt (ID = 3751)
4:52 PM: Found Spy Cookie: adknowledge cookie
4:52 PM: jason aron@adknowledge[2].txt (ID = 2072)
4:52 PM: Found Spy Cookie: adrevolver cookie
4:52 PM: jason aron@adrevolver[2].txt (ID = 2088)
4:52 PM: jason aron@adrevolver[3].txt (ID = 2088)
4:52 PM: Found Spy Cookie: falkag cookie
4:52 PM: jason aron@as-us.falkag[2].txt (ID = 2650)
4:52 PM: Found Spy Cookie: ask cookie
4:52 PM: jason aron@ask[1].txt (ID = 2245)
4:52 PM: Found Spy Cookie: belnk cookie
4:52 PM: jason aron@ath.belnk[2].txt (ID = 2293)
4:52 PM: Found Spy Cookie: banner cookie
4:52 PM: jason aron@banner[2].txt (ID = 2276)
4:52 PM: jason aron@belnk[2].txt (ID = 2292)
4:52 PM: Found Spy Cookie: casalemedia cookie
4:52 PM: jason aron@casalemedia[1].txt (ID = 2354)
4:52 PM: jason aron@dist.belnk[1].txt (ID = 2293)
4:52 PM: Found Spy Cookie: ru4 cookie
4:52 PM: jason aron@edge.ru4[2].txt (ID = 3269)
4:52 PM: Found Spy Cookie: fortunecity cookie
4:52 PM: jason aron@fortunecity[2].txt (ID = 2686)
4:52 PM: Found Spy Cookie: maxserving cookie
4:52 PM: jason aron@maxserving[2].txt (ID = 2966)
4:52 PM: Found Spy Cookie: realmedia cookie
4:52 PM: jason aron@realmedia[1].txt (ID = 3235)
4:52 PM: Found Spy Cookie: serving-sys cookie
4:52 PM: jason aron@serving-sys[1].txt (ID = 3343)
4:52 PM: Found Spy Cookie: tradedoubler cookie
4:52 PM: jason aron@tradedoubler[1].txt (ID = 3575)
4:52 PM: Found Spy Cookie: trafficmp cookie
4:52 PM: jason aron@trafficmp[2].txt (ID = 3581)
4:52 PM: Found Spy Cookie: tribalfusion cookie
4:52 PM: jason aron@tribalfusion[1].txt (ID = 3589)
4:52 PM: Cookie Sweep Complete, Elapsed Time: 00:00:04
4:52 PM: Starting File Sweep
4:52 PM: c:\documents and settings\all users\application data\ieservice (2 subtraces) (ID = -2147480200)
4:52 PM: c:\documents and settings\all users\application data\pcsvc (1 subtraces) (ID = -2147481135)
4:52 PM: c:\program files\common files\dpi (ID = -2147481129)
4:52 PM: Found Adware: coolwebsearch (cws)
4:52 PM: c:\documents and settings\jason aron\application data\winds_24 (ID = -2147481201)
5:10 PM: Found Adware: mds search booster
5:10 PM: a0129072.dll (ID = 69318)
5:10 PM: Found Trojan Horse: trojan-downloader-cat
5:10 PM: paydial.exe (ID = 80292)
5:11 PM: Warning: Failed to read file "c:\windows\inf\brmfcmf.pnf". Data error (cyclic redundancy check)
5:15 PM: Found Adware: purityscan
5:15 PM: mediaticketsinstaller.ocx (ID = 73162)
5:15 PM: mediaticketsinstaller.inf (ID = 73158)
5:16 PM: mediaticketsinstaller.inf (ID = 73158)
5:17 PM: mediaticketsinstaller.inf (ID = 73158)
5:17 PM: Found Adware: java byteverify
5:17 PM: verifierbug.class-3e1f6334-477f0f7b.class (ID = 64831)
5:18 PM: mediaticketsinstaller.ocx (ID = 73162)
5:19 PM: Found Trojan Horse: topconverting downloader
5:19 PM: loader2.ocx (ID = 79617)
5:23 PM: mediaticketsinstaller.ocx (ID = 73162)
5:23 PM: Found Adware: ez-finder toolbar
5:23 PM: webdlg32.dll (ID = 60328)
5:28 PM: loader2.ocx (ID = 79617)
5:28 PM: loader2.ocx (ID = 79606)
5:28 PM: mediaticketsinstaller.ocx (ID = 73162)
5:28 PM: mstasks2.exe (ID = 54306)
5:28 PM: Found Trojan Horse: trojan_downloader_winreg
5:28 PM: toolbar.exe (ID = 81502)
5:30 PM: verifierbug.class-5297c6aa-4764879d.class (ID = 64831)
5:31 PM: noeljeda.tmp (ID = 55185)
5:31 PM: Found Adware: cws_adslim
5:31 PM: popup.html (ID = 55745)
5:36 PM: Found Adware: ipinsight
5:36 PM: conscorr.ini (ID = 64264)
5:36 PM: Found Adware: abetterinternet
5:36 PM: alchem.inf (ID = 83109)
5:36 PM: Found Adware: twain-tech
5:36 PM: polmx.inf (ID = 81856)
5:36 PM: polall1r.inf (ID = 83425)
5:36 PM: Found Adware: azsearch toolbar
5:36 PM: today's specials.url (ID = 131129)
5:36 PM: sepsd.bin (ID = 75367)
5:36 PM: conscorr.inf (ID = 64277)
5:36 PM: dummy.class-2207c494-400880b7.class (ID = 64821)
5:36 PM: webdlg32.inf (ID = 60327)
5:36 PM: winsx.inf (ID = 54632)
5:36 PM: Found Adware: shopathomeselect
5:36 PM: setup4002b.ini (ID = 75934)
5:36 PM: dummy.class-3cf36b1e-4f16f93a.class (ID = 64821)
5:36 PM: Found System Monitor: potentially rootkit-masked files
5:36 PM: 13-coheed_and_cambria-the_willing_well_ii_-_fear_through_the_eyes_of_madness-tc.mp3 (ID = 0)
5:36 PM: 00-cursive-the_difference_between_houses_and_homes_(lost_songs_and_loose_ends_1995-2001)-2005.m3u (ID = 0)
5:36 PM: 00-cursive-the_difference_between_houses_and_homes_(lost_songs_and_loose_ends_1995-2001)-2005.nfo (ID = 0)
5:36 PM: 00-cursive-the_difference_between_houses_and_homes_(lost_songs_and_loose_ends_1995-2001)-2005.sfv (ID = 0)
5:36 PM: 000-va-listen_to_bob_dylan_-_a_tribute-2cd-(retail)-2005-(000-va-listen_to_bob_dylan_-_a_tribute-2cd-(retail)-2005-(cover)-glasspane)-glasspane.jpg (ID = 0)
5:36 PM: moneen - are we really happy with who we are right now - 06 - i have never done anything for anyone that was not for me as well.mp3 (ID = 0)
5:36 PM: zolof the rock and roll destroyer - 10 - running starts will only get you faster to the place that will make you say ouch.mp3 (ID = 0)
5:36 PM: classload.jar-5b3646cb-4c5bcd90.zip (ID = 64823)
5:37 PM: loaderadv156.jar-8e3574-1d40d0b2.zip (ID = 64819)
5:37 PM: loaderadv157.jar-9c4cf5-60418d7d.zip (ID = 64819)
5:37 PM: loaderadv570.jar-573c46f6-691177b4.zip (ID = 64819)
5:37 PM: loaderadv410.jar-1818f7fb-12e18219.zip (ID = 64819)
5:37 PM: loaderadv408.jar-16d4db64-45d39e37.zip (ID = 64819)
5:37 PM: classload.jar-57df9d95-22c1e8b0.zip (ID = 64823)
5:43 PM: File Sweep Complete, Elapsed Time: 00:50:57
5:43 PM: Full Sweep has completed. Elapsed time 00:54:14
5:43 PM: Traces Found: 136
5:44 PM: Removal process initiated
5:44 PM: Quarantining All Traces: potentially rootkit-masked files
5:46 PM: potentially rootkit-masked files is in use. It will be removed on reboot.
5:46 PM: 13-coheed_and_cambria-the_willing_well_ii_-_fear_through_the_eyes_of_madness-tc.mp3 is in use. It will be removed on reboot.
5:46 PM: 00-cursive-the_difference_between_houses_and_homes_(lost_songs_and_loose_ends_1995-2001)-2005.m3u is in use. It will be removed on reboot.
5:46 PM: 00-cursive-the_difference_between_houses_and_homes_(lost_songs_and_loose_ends_1995-2001)-2005.nfo is in use. It will be removed on reboot.
5:46 PM: 00-cursive-the_difference_between_houses_and_homes_(lost_songs_and_loose_ends_1995-2001)-2005.sfv is in use. It will be removed on reboot.
5:46 PM: 000-va-listen_to_bob_dylan_-_a_tribute-2cd-(retail)-2005-(000-va-listen_to_bob_dylan_-_a_tribute-2cd-(retail)-2005-(cover)-glasspane)-glasspane.jpg is in use. It will be removed on reboot.
5:46 PM: moneen - are we really happy with who we are right now - 06 - i have never done anything for anyone that was not for me as well.mp3 is in use. It will be removed on reboot.
5:46 PM: zolof the rock and roll destroyer - 10 - running starts will only get you faster to the place that will make you say ouch.mp3 is in use. It will be removed on reboot.
5:46 PM: Quarantining All Traces: abetterinternet
5:46 PM: Quarantining All Traces: cws_ns3
5:46 PM: Quarantining All Traces: cws-aboutblank
5:46 PM: Quarantining All Traces: topconverting downloader
5:46 PM: Quarantining All Traces: trojan-downloader-cat
5:46 PM: Quarantining All Traces: trojan-downloader-domcom
5:46 PM: Quarantining All Traces: azsearch toolbar
5:46 PM: Quarantining All Traces: bho_sep
5:46 PM: Quarantining All Traces: coolwebsearch (cws)
5:46 PM: Quarantining All Traces: cws_adslim
5:46 PM: Quarantining All Traces: delfin
5:46 PM: Quarantining All Traces: drsnsrch.com hijack
5:46 PM: Quarantining All Traces: ebates money maker
5:46 PM: Quarantining All Traces: ez-finder toolbar
5:46 PM: Quarantining All Traces: ie driver
5:46 PM: Quarantining All Traces: ipinsight
5:46 PM: Quarantining All Traces: java byteverify
5:46 PM: Quarantining All Traces: mds search booster
5:46 PM: Quarantining All Traces: purityscan
5:46 PM: Quarantining All Traces: shopathomeselect
5:46 PM: Quarantining All Traces: subsearch
5:46 PM: Quarantining All Traces: trojan_downloader_winreg
5:46 PM: Quarantining All Traces: twain-tech
5:46 PM: Quarantining All Traces: virtumonde
5:46 PM: virtumonde is in use. It will be removed on reboot.
5:46 PM: C:\WINDOWS\SYSTEM32\jkhhh.dll is in use. It will be removed on reboot.
5:46 PM: C:\WINDOWS\SYSTEM32\mlljh.dll is in use. It will be removed on reboot.
5:46 PM: Quarantining All Traces: wildmedia
5:46 PM: Quarantining All Traces: adknowledge cookie
5:46 PM: Quarantining All Traces: adrevolver cookie
5:46 PM: Quarantining All Traces: ask cookie
5:46 PM: Quarantining All Traces: banner cookie
5:46 PM: Quarantining All Traces: belnk cookie
5:46 PM: Quarantining All Traces: casalemedia cookie
5:46 PM: Quarantining All Traces: falkag cookie
5:46 PM: Quarantining All Traces: fortunecity cookie
5:46 PM: Quarantining All Traces: maxserving cookie
5:46 PM: Quarantining All Traces: realmedia cookie
5:46 PM: Quarantining All Traces: ru4 cookie
5:46 PM: Quarantining All Traces: serving-sys cookie
5:46 PM: Quarantining All Traces: tradedoubler cookie
5:46 PM: Quarantining All Traces: trafficmp cookie
5:46 PM: Quarantining All Traces: tribalfusion cookie
5:46 PM: Quarantining All Traces: yieldmanager cookie
5:47 PM: Removal process completed. Elapsed time 00:02:30
********
4:47 PM: | Start of Session, Saturday, October 29, 2005 |
4:47 PM: Spy Sweeper started
4:48 PM: Your spyware definitions have been updated.
4:48 PM: | End of Session, Saturday, October 29, 2005 |


Logfile of HijackThis v1.99.1
Scan saved at 5:56:28 PM, on 10/29/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\fix\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\unzipped\MozillaFirebird-0.6-win32[1]\MozillaFirebird\MozillaFirebird.exe
C:\fix\Spy Sweeper\SpySweeper.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:100
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft....ayx_vp6_aac.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\fix\Spy Sweeper\WRSSSDK.exe

#6 Wizard (Retired Staff, 5,661 posts)
Gotta love SpySweeper!

Have HijackThis fix this entry

O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe


Please install these two to add to the security of the PC!

SpywareBlaster:
http://www.javacools...areblaster.html
Update immediately!

WinHelp2002 Hosts File
http://www.mvps.org/...2002/hosts2.htm

Disable System Restore
http://service1.syma...src=sec_doc_nam

Go ahead and Reconfigure Msconfig the way you like the PC to Startup!

Go ahead and remove any of the tools downloaded that are of no use anymore!

Post back and let me know how things are?
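Added example (editor's code, not part of Wizard's post and not the MVPS project's file): the MVPS hosts file works by mapping ad and tracker names to 0.0.0.0 or 127.0.0.1, and the hosts file is also a favourite hijack target, so a quick check of the file before and after installing it is worth having. The sample hosts text below is constructed, and the PROTECTED list of sites that should never be sinkholed is an assumed starting point you would extend with your own AV and update vendors.

```python
"""Check a Windows hosts file for blocklist entries versus hijacks.
Editor's example; the sample text is constructed and PROTECTED is assumed."""
import ipaddress
from typing import Dict, List, NamedTuple


class HostsEntry(NamedTuple):
    lineno: int
    ip: str
    host: str


# Sites malware likes to block by pointing them at loopback (assumed list).
PROTECTED = {
    "windowsupdate.microsoft.com",
    "www.mvps.org",
    "www.kaspersky.com",
}

# Constructed sample, not the real MVPS file.
SAMPLE_HOSTS = """\
# comment lines and blanks are ignored
127.0.0.1  localhost
::1        localhost
0.0.0.0    ads.example.net  banners.example.net   # two names on one line
0.0.0.0    tracker.example.org
127.0.0.1  www.mvps.org          # blocks the hosts-file site itself
192.0.2.10 windowsupdate.microsoft.com   # update site redirected elsewhere
"""


def parse_hosts(text: str) -> List[HostsEntry]:
    """One HostsEntry per (ip, hostname) pair; inline comments are stripped
    and lines whose first field is not an IP address are skipped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *hosts = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for h in hosts:
            entries.append(HostsEntry(n, ip, h.lower()))
    return entries


def is_sinkhole(ip: str) -> bool:
    """Loopback or the unspecified address: a blocklist-style mapping."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def classify(entries: List[HostsEntry], protected=PROTECTED) -> Dict[str, List[HostsEntry]]:
    """Split entries into benign blocklist lines and the two hijack patterns:
    a protected site sinkholed, or any name pointed at a real (non-sinkhole) IP."""
    out: Dict[str, List[HostsEntry]] = {"blocklist": [], "protected_blocked": [], "redirect": []}
    for e in entries:
        if e.host == "localhost":
            continue
        if is_sinkhole(e.ip):
            key = "protected_blocked" if e.host in protected else "blocklist"
        else:
            key = "redirect"
        out[key].append(e)
    return out


if __name__ == "__main__":
    for kind, items in classify(parse_hosts(SAMPLE_HOSTS)).items():
        for e in items:
            print(f"{kind:18} line {e.lineno}: {e.ip} {e.host}")
```

Anything in "redirect" or "protected_blocked" is what the WinPFind "Items found in hosts" step is looking for; thousands of "blocklist" lines are exactly what the MVPS file should look like.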

#7 usafreedom (Topic Starter, Member, 76 posts)
Thanks.

How do I fix
"Go ahead and Reconfigure Msconfig the way you like the PC to Startup!"

#8 Wizard (Retired Staff, 5,661 posts)
Don't worry about Msconfig, since we never made any changes to the system with it.


Go ahead and re-enable System Restore and restart the PC; this will clear out all old, nasty restore points and create a nice new, fresh, clean one for you to fall back on should you ever need it.


Read through those 3 little black links in my signature to get some extra ideas about how to avoid this in the future.


Make sure you keep your Windows operating system up to date by visiting Windows Update regularly to download and install any critical updates and service packs.


If you ever need us again, you know how to find us! :tazz:

#9 usafreedom (Topic Starter, Member, 76 posts)
I still have pop-ups.

Logfile of HijackThis v1.99.1
Scan saved at 10:09:28 PM, on 10/30/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\AIM95\aim.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:100
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697519} (NsvPlayX Control) - http://www.nullsoft....ayx_vp6_aac.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Firebird Guardian - DefaultInstance (FirebirdGuardianDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbguard.exe
O23 - Service: Firebird Server - DefaultInstance (FirebirdServerDefaultInstance) - The Firebird Project - C:\Program Files\Firebird\Firebird_1_5\bin\fbserver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe

Edited by usafreedom, 30 October 2005 - 09:09 PM.
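Added example (editor's code, not HijackThis and not anything posted in the thread): a small parser that reads HijackThis 1.99.x logs, diffs two of them, and flags the entry types this thread turns on (R1 proxy, O4 run keys, O16 DPF downloads, O20 Winlogon Notify, O23 services). The two excerpts below are constructed from the logs posted above, trimmed to the lines that differ; the triage rules and the names parse_hjt, diff_hjt, flag and triage are the editor's assumptions about what deserves a second look, not HijackThis verdicts.

```python
"""Parse, diff and triage HijackThis 1.99.x logs.  Editor's example."""
import re
from typing import List, NamedTuple, Optional, Tuple


class HjtEntry(NamedTuple):
    code: str  # section prefix: R1, O2, O4, O16, O20, O23, ...
    body: str  # the rest of the line after "<code> - "


ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.+)$")

# Constructed excerpts of the two logs posted above (only the lines that changed, plus context).
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1 (excerpt)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:100
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\fix\Spy Sweeper\WRSSSDK.exe
"""

LOG_AFTER = r"""
Logfile of HijackThis v1.99.1 (excerpt)
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.1:100
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
"""


def parse_hjt(log: str) -> List[HjtEntry]:
    """Keep only the Rn/Fn/Nn/On lines; the header and process list are dropped."""
    out = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append(HjtEntry(m.group(1), m.group(2)))
    return out


def diff_hjt(before: List[HjtEntry], after: List[HjtEntry]) -> Tuple[List[HjtEntry], List[HjtEntry]]:
    """(removed, added) between two logs; order within a log is irrelevant."""
    b, a = set(before), set(after)
    return [e for e in before if e not in a], [e for e in after if e not in b]


def _first_token(cmd: str) -> str:
    """Executable part of an O4 command, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0] if cmd else ""


def flag(e: HjtEntry) -> Optional[str]:
    """A one-line reason to look at this entry, or None if the rules say nothing."""
    if e.code == "R1" and "ProxyServer" in e.body:
        return "proxy configured: confirm it is your own router/LAN proxy"
    if e.code == "O4" and "] " in e.body:
        exe = _first_token(e.body.split("] ", 1)[1])
        if "\\" not in exe:
            return f"bare filename {exe!r}: resolved via PATH, so check which file actually runs"
    if e.code == "O16":
        head, _, url = e.body.rpartition(" - ")
        if "(" not in head:
            return "ActiveX download with no control name: unknown origin, fix it"
        if url.lower().endswith(".exe"):
            return "DPF entry pulls a bare .exe rather than a .cab"
    if e.code == "O20" and "(file missing)" in e.body:
        return "Winlogon Notify DLL no longer on disk: orphaned entry, remove"
    if e.code == "O23" and "Unknown owner" in e.body:
        return "service has no publisher info: verify the binary path"
    return None


def triage(entries: List[HjtEntry]) -> List[Tuple[HjtEntry, str]]:
    """Every entry the rules above have something to say about."""
    result = []
    for e in entries:
        reason = flag(e)
        if reason:
            result.append((e, reason))
    return result


if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    removed, added = diff_hjt(before, after)
    for e in removed:
        print("- ", e.code, e.body)
    for e in added:
        print("+ ", e.code, e.body)
    for e, why in triage(after):
        print(f"[{e.code}] {why}")
```

Run against the two logs as posted and the diff is exactly what changed between them: the akamai O16 entry is gone, the Webroot service and its Winlogon Notify DLL are gone, and the O20 WRNotifier entry now reads "(file missing)", which is the orphaned notify registration left to clean up.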


#10 Wizard (Retired Staff, 5,661 posts)
Hmmm, download WinPFind:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Restart in Safe Mode

From the WinPFind folder, double-click WinPFind.exe and click "Start Scan"

It will scan the entire System, so please be patient!

Once you see "Scan Complete", a log (WinPFind.txt) will be automatically generated in the WinPFind folder!

Post the results of the WinPFind scan in the next reply, please.

#11 usafreedom (Topic Starter, Member, 76 posts)
WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 1 Current Build Number: 2600
Internet Explorer Version: 6.0.2800.1106

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...
FSG! 10/27/2005 12:12:58 PM 3509812 C:\Jason Aron - Life is but a dream (louder rough mix).mp3
UPX! 3/16/2005 3:06:42 PM 4608 C:\new.exe
PTech 9/2/2005 7:07:54 PM 3263352 C:\newlist.txt
PEC2 4/19/2005 5:18:46 PM 4107666 C:\rawrlist
PTech 4/19/2005 5:18:46 PM 4107666 C:\rawrlist

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
SAHAgent 8/12/2004 9:46:28 AM 102321 C:\WINDOWS\KB828741.log
SAHAgent 8/12/2004 9:46:52 AM 106745 C:\WINDOWS\KB835732.log
SAHAgent 8/12/2004 9:45:52 AM 98114 C:\WINDOWS\KB837001.log
SAHAgent 8/12/2004 9:44:10 AM 77856 C:\WINDOWS\KB839643-DirectX9.log
SAHAgent 8/12/2004 9:45:18 AM 95989 C:\WINDOWS\KB839645.log
SAHAgent 8/12/2004 9:43:10 AM 76928 C:\WINDOWS\KB840315.log
SAHAgent 8/12/2004 9:44:52 AM 92517 C:\WINDOWS\KB840374.log
SAHAgent 8/12/2004 9:43:54 AM 79635 C:\WINDOWS\KB841873.log
SAHAgent 8/12/2004 9:43:36 AM 78915 C:\WINDOWS\KB842773.log
PECompact2 1/15/2005 11:43:54 AM 12036217 C:\WINDOWS\LPT$VPN.351
qoologic 1/15/2005 11:43:54 AM 12036217 C:\WINDOWS\LPT$VPN.351
SAHAgent 1/15/2005 11:43:54 AM 12036217 C:\WINDOWS\LPT$VPN.351
SAHAgent 8/12/2004 9:48:42 AM 155440 C:\WINDOWS\Q828026.log
UPX! 1/15/2005 11:43:54 AM 162885 C:\WINDOWS\tsc.exe
PECompact2 1/15/2005 11:43:54 AM 12036217 C:\WINDOWS\VPTNFILE.351
qoologic 1/15/2005 11:43:54 AM 12036217 C:\WINDOWS\VPTNFILE.351
SAHAgent 1/15/2005 11:43:54 AM 12036217 C:\WINDOWS\VPTNFILE.351
UPX! 5/18/2004 6:04:38 PM 1036800 C:\WINDOWS\vsapi32.dll
aspack 5/18/2004 6:04:38 PM 1036800 C:\WINDOWS\vsapi32.dll

Checking %System% folder...
PEC2 8/18/2001 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
PEC2 9/3/2004 1:03:48 PM 716800 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 9/3/2004 1:03:48 PM 716800 C:\WINDOWS\SYSTEM32\DivX.dll
UPX! 8/18/2003 5:27:54 PM 74752 C:\WINDOWS\SYSTEM32\kxfxlib.kxl
Umonitor 8/29/2002 5:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 8/12/2004 10:59:30 AM 28672 C:\WINDOWS\SYSTEM32\Rtdx119.dat
winsync 8/18/2001 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU

Checking %System%\Drivers folder and sub-folders...

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
10/31/2005 12:42:14 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
10/29/2005 4:56:14 PM HS 10240 C:\WINDOWS\Thumbs.db
10/29/2005 4:46:10 PM HS 2809 C:\WINDOWS\SYSTEM32\hhhkj.ini
10/28/2005 8:20:58 AM HS 361 C:\WINDOWS\SYSTEM32\hjllm.ini
10/27/2005 6:34:58 PM HS 28173 C:\WINDOWS\SYSTEM32\pmkhf.dll
10/31/2005 12:42:06 PM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
10/31/2005 12:42:32 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
10/31/2005 12:42:18 PM H 16384 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
10/31/2005 12:43:34 PM H 77824 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
10/31/2005 12:42:18 PM H 897024 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
10/19/2009 11:24:28 AM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\72235a34-6f0f-437f-bcb7-b5dc58555a6a
9/19/2005 12:03:24 AM H 8628 C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\LXARNTCP.GID
10/31/2005 12:39:48 PM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/18/2001 6:00:00 AM 66048 C:\WINDOWS\SYSTEM32\ACCESS.CPL
Microsoft Corporation 8/29/2002 5:41:28 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Creative Technology Ltd. 5/28/2001 12:47:00 PM 32768 C:\WINDOWS\SYSTEM32\AudioHQU.cpl
Creative Technology Ltd. 8/24/2000 1:56:00 AM 228352 C:\WINDOWS\SYSTEM32\CTDetect.cpl
Microsoft Corporation 8/29/2002 5:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
IBPhoenix 7/14/2004 1:05:10 AM 69632 C:\WINDOWS\SYSTEM32\Firebird2Control.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 150016 C:\WINDOWS\SYSTEM32\HDWWIZ.CPL
Microsoft Corporation 8/29/2002 5:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 5:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 5:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 11/19/2003 5:48:12 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/18/2001 6:00:00 AM 559616 C:\WINDOWS\SYSTEM32\MMSYS.CPL
Microsoft Corporation 8/18/2001 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/18/2001 6:00:00 AM 256000 C:\WINDOWS\SYSTEM32\NUSRMGR.CPL
NVIDIA Corporation 10/6/2003 1:16:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 36864 C:\WINDOWS\SYSTEM32\ODBCCP32.CPL
Microsoft Corporation 8/18/2001 6:00:00 AM 109056 C:\WINDOWS\SYSTEM32\POWERCFG.CPL
Microsoft Corporation 8/29/2002 5:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/18/2001 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/18/2001 6:00:00 AM 90112 C:\WINDOWS\SYSTEM32\TIMEDATE.CPL
Microsoft Corporation 8/29/2002 3:41:00 AM 208896 C:\WINDOWS\SYSTEM32\DLLCACHE\joy.cpl
NVIDIA Corporation 5/2/2003 2:19:00 PM 143360 C:\WINDOWS\SYSTEM32\ReinstallBackups\0014\DriverFiles\nvtuicpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
11/8/2002 6:12:52 PM 986 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
11/15/2001 7:31:16 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
11/15/2001 8:18:02 AM 875 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Works Calendar Reminders.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
11/15/2001 7:23:32 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI

Checking files in %USERPROFILE%\Startup folder...
11/15/2001 7:31:16 AM HS 84 C:\Documents and Settings\Jason Aron\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %USERPROFILE%\Application Data folder...
11/15/2001 7:23:32 AM HS 62 C:\Documents and Settings\Jason Aron\Application Data\DESKTOP.INI
5/6/2005 10:38:56 AM 66744 C:\Documents and Settings\Jason Aron\Application Data\GDIPFONTCACHEV1.DAT
7/12/2005 2:13:24 PM 917721 C:\Documents and Settings\Jason Aron\Application Data\Install.dat
2/22/2003 9:16:08 PM 784 C:\Documents and Settings\Jason Aron\Application Data\mpauth.dat

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TheCleaner
{2DE506B9-4320-11d3-8E42-002035221EDA} = C:\Program Files\The Cleaner\tcshellex.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\TheCleaner
{2DE506B9-4320-11D3-8E42-002035221EDA} = C:\Program Files\The Cleaner\tcshellex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TheCleaner
{2DE506B9-4320-11D3-8E42-002035221EDA} = C:\Program Files\The Cleaner\tcshellex.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
WINDVDPatch CTHELPER.EXE
UpdReg C:\WINDOWS\UpdReg.EXE
PrinTray C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
Microsoft Works Update Detection C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
Jet Detection "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
AHQInit C:\Program Files\Creative\SBLive\Program\AHQInit.exe
AdaptecDirectCD C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
DeadAIM rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
Lexmark X73 Button Monitor C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
Lexmark X73 Button Manager C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
iTunesHelper "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
AIM C:\Program Files\AIM95\aim.exe -cnetwait.odl
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
Steam

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun _


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
Microsoft DirectXb =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WRNotifier
= WRLogonNTF.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 10/31/2005 12:54:38 PM
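Added example (editor's code, not WinPFind's): the first column of the log above is nothing more than a byte-string match, so "UPX!", "aspack", "PEC2" or "SAHAgent" turning up in a packed codec DLL, an antivirus engine or a KB*.log text file is the expected noise the log's own warning is about. What stands out in a WinPFind log is the other list: hidden/system files with random-looking names (hhhkj.ini, hjllm.ini, pmkhf.dll) that appeared in SYSTEM32 within the last few days. The scanner below reproduces both checks on a constructed sample tree; the marker list is taken from the log above, the "random name" heuristic is the editor's own assumption, and WinPFind's Windows-only hidden/system attribute column is left out so the example runs anywhere.

```python
"""A small WinPFind-style file scanner.  Editor's example, not WinPFind code;
the sample tree is constructed and looks_random() is a heuristic."""
import os
import tempfile
import time
from typing import Dict, List, Optional, Set

# Marker strings from the WinPFind log in this thread, as raw bytes in the file.
MARKERS = [b"UPX!", b"FSG!", b"PEC2", b"PECompact2", b"aspack", b"PTech",
           b"qoologic", b"SAHAgent", b"Umonitor", b"winsync"]
_OVERLAP = max(len(m) for m in MARKERS) - 1


def find_markers(path: str, chunk: int = 1 << 20) -> Set[str]:
    """Markers present anywhere in the file; reads in chunks and keeps an
    overlap so a marker straddling two chunks is still seen."""
    found: Set[str] = set()
    tail = b""
    with open(path, "rb") as fh:
        while True:
            block = fh.read(chunk)
            if not block:
                break
            buf = tail + block
            for m in MARKERS:
                if m in buf:
                    found.add(m.decode())
            tail = buf[-_OVERLAP:]
    return found


def looks_random(filename: str) -> bool:
    """Heuristic: a short, all-lowercase, vowel-free stem such as 'hjllm'."""
    stem = os.path.splitext(filename)[0]
    return (4 <= len(stem) <= 8 and stem.isalpha() and stem.islower()
            and not any(c in "aeiou" for c in stem))


def scan_tree(root: str, days: int = 60, now: Optional[float] = None) -> Dict[str, list]:
    """Walk root; report marker hits for every file, and random-looking names
    modified within `days` (WinPFind uses a 60-day window for its hidden-file list)."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    hits: List[tuple] = []
    recent: List[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in sorted(files):
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            found = find_markers(path)
            if found:
                hits.append((rel, sorted(found)))
            if os.stat(path).st_mtime >= cutoff and looks_random(fn):
                recent.append(rel)
    return {"markers": hits, "recent_random_names": recent}


def build_sample_tree() -> str:
    """Constructed sample: a UPX-style header, a benign KB log that happens to
    contain 'SAHAgent', a plain text file, one fresh and one stale random name."""
    root = tempfile.mkdtemp(prefix="winpfind_demo_")
    sys32 = os.path.join(root, "SYSTEM32")
    os.makedirs(sys32)
    files = {
        "upxed.exe": b"MZ" + b"\x00" * 62 + b"UPX!" + b"\x90" * 64,
        "KB828741.log": b"Installing package... SAHAgent text inside a log\n",
        "readme.txt": b"nothing to see here\n",
        os.path.join("SYSTEM32", "hjllm.ini"): b"[Settings]\nx=1\n",
        os.path.join("SYSTEM32", "xqzpt.dll"): b"MZ stale, but over a year old\n",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    stale = time.time() - 400 * 86400
    os.utime(os.path.join(sys32, "xqzpt.dll"), (stale, stale))
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    for rel, sigs in report["markers"]:
        print(f"{','.join(sigs):12} {rel}")
    for rel in report["recent_random_names"]:
        print(f"random-name   {rel}")
```

On the sample tree the KB log and the packed executable both produce marker hits, which is the point: the marker column tells you what to look at, not what is malicious. Only hjllm.ini lands in the random-name list; xqzpt.dll has the same shape of name but is over a year old, so it falls outside the window.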

#12 Wizard (Retired Staff, 5,661 posts)
Now there are definitely some strange entries in there and leftovers of previous infections!

Let's see what the best in the business have to say.


Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan, select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete, it will display whether your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#13 usafreedom (Topic Starter, Member, 76 posts)
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, October 31, 2005 21:57:28
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 1/11/2005
Kaspersky Anti-Virus database records: 157551
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 126146
Number of viruses found: 26
Number of infected objects: 77
Number of suspicious objects: 6
Duration of the scan process: 6496 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS.zip/124847.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS5.zip/125026.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS5.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS9.zip/124715.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\TIBS9.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\Jason Aron\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2a79b1dc-131efe01.zip/Mein.class Infected: Trojan.Java.ClassLoader.aj
C:\Documents and Settings\Jason Aron\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2a79b1dc-131efe01.zip/ProbeLoader.class Infected: Exploit.Java.Bytverify
C:\Documents and Settings\Jason Aron\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2a79b1dc-131efe01.zip/Beyond.class Infected: Trojan-Dropper.Java.Beyond.d
C:\Documents and Settings\Jason Aron\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2a79b1dc-131efe01.zip/binny/binny.class Infected: Trojan-Dropper.Java.Beyond.d
C:\Documents and Settings\Jason Aron\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-2a79b1dc-131efe01.zip Infected: Trojan-Dropper.Java.Beyond.d
C:\Documents and Settings\Jason Aron\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6a989b93-46c70d1c.zip/BlackBox.class Infected: Trojan.Java.ClassLoader.z
C:\Documents and Settings\Jason Aron\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6a989b93-46c70d1c.zip/VB.class Infected: Trojan.Java.ClassLoader.ak
C:\Documents and Settings\Jason Aron\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6a989b93-46c70d1c.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\Jason Aron\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6a989b93-46c70d1c.zip Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\Jason Aron\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-1df0a005-13f1fa47.zip/Beyond.class Infected: Trojan.Java.Needy.c
C:\Documents and Settings\Jason Aron\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-1df0a005-13f1fa47.zip/BlackBox.class Infected: Exploit.Java.Bytverify
C:\Documents and Settings\Jason Aron\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-1df0a005-13f1fa47.zip/VerifierBug.class Infected: Trojan.Java.Needy.c
C:\Documents and Settings\Jason Aron\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-1df0a005-13f1fa47.zip Infected: Trojan.Java.Needy.c
C:\Documents and Settings\Jason Aron\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-e8d5547-53e60898.zip/Beyond.class Infected: Trojan.Java.Needy.c
C:\Documents and Settings\Jason Aron\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-e8d5547-53e60898.zip/BlackBox.class Infected: Trojan.Java.Bytverify
C:\Documents and Settings\Jason Aron\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-e8d5547-53e60898.zip/VerifierBug.class Infected: Trojan.Java.Needy.c
C:\Documents and Settings\Jason Aron\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count1.jar-e8d5547-53e60898.zip Infected: Trojan.Java.Needy.c
C:\Documents and Settings\Jason Aron\Local Settings\Application Data\Identities\{B81840D4-1844-4D89-A307-5402BFC1B327}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay <support_id_600195353104@ebay.com>][Date Wed, 22 Jan 2003 22:47:06 -0700]/UNNAMED/html Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Jason Aron\Local Settings\Application Data\Identities\{B81840D4-1844-4D89-A307-5402BFC1B327}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay <support_id_600195353104@ebay.com>][Date Wed, 22 Jan 2003 22:47:06 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Jason Aron\Local Settings\Application Data\Identities\{B81840D4-1844-4D89-A307-5402BFC1B327}\Microsoft\Outlook Express\Deleted Items.dbx/[From PayPal <service@paypal.com>][Date Tue, 06 Sep 2005 22:37:08 -0400]/html Infected: Trojan-Spy.HTML.Bankfraud.iy
C:\Documents and Settings\Jason Aron\Local Settings\Application Data\Identities\{B81840D4-1844-4D89-A307-5402BFC1B327}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay <custservice_98888009@ebay.com>][Date Thu, 15 Sep 2005 23:31:32 -0400]/UNNAMED/html Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Jason Aron\Local Settings\Application Data\Identities\{B81840D4-1844-4D89-A307-5402BFC1B327}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay <custservice_98888009@ebay.com>][Date Thu, 15 Sep 2005 23:31:32 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Jason Aron\Local Settings\Application Data\Identities\{B81840D4-1844-4D89-A307-5402BFC1B327}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay <custservice_id_1@ebay.com>][Date Mon, 10 Feb 2003 00:55:31 +0600]/UNNAMED/html Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Jason Aron\Local Settings\Application Data\Identities\{B81840D4-1844-4D89-A307-5402BFC1B327}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay <custservice_id_1@ebay.com>][Date Mon, 10 Feb 2003 00:55:31 +0600]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Jason Aron\Local Settings\Application Data\Identities\{B81840D4-1844-4D89-A307-5402BFC1B327}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay <support_refnum_95@ebay.com>][Date Tue, 04 Oct 2005 01:51:34 +0500]/UNNAMED/html Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Jason Aron\Local Settings\Application Data\Identities\{B81840D4-1844-4D89-A307-5402BFC1B327}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay <support_refnum_95@ebay.com>][Date Tue, 04 Oct 2005 01:51:34 +0500]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Jason Aron\Local Settings\Application Data\Identities\{B81840D4-1844-4D89-A307-5402BFC1B327}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay <identdep_op991529991@ebay.com>][Date Fri, 07 Oct 2005 10:14:20 -0200]/UNNAMED/html Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Jason Aron\Local Settings\Application Data\Identities\{B81840D4-1844-4D89-A307-5402BFC1B327}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay <identdep_op991529991@ebay.com>][Date Fri, 07 Oct 2005 10:14:20 -0200]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Jason Aron\Local Settings\Application Data\Identities\{B81840D4-1844-4D89-A307-5402BFC1B327}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Jason Aron\Local Settings\Temporary Internet Files\Content.IE5\LFRR5X0E\nat3[1].exe Infected: not-a-virus:[bleep]-Dialer.Win32.GBDialer.e
C:\new.exe Infected: Trojan-Downloader.Win32.Small.aiq
C:\Program Files\Adobe\Acrobat 6.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\Program Files\Adobe\Photoshop 7.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\Program Files\Common Files\InstallShield\engine\6\Intel 32\knlwrap.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\Program Files\Common Files\InstallShield\engine\6.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\Program Files\Common Files\InstallShield\engine.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\Program Files\Common Files\Real\Codecs.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\Program Files\Common Files\Real\Update_OB\nprfxinsw.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\Program Files\Common Files\Sony Shared\OpenMG\HotFixes\HotFix3.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\Program Files\CONEXANT\CNXT_MODEM_PCI_VEN_14F1&DEV_2016&SUBSYS_021913E0\hxfsetup.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\Program Files\Creative\SBLive\AudioHQ.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\Program Files\Creative\ShareDLL.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\Program Files\hijackthis\backups\backup-20051029-134219-304.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.q
C:\Program Files\HLSW\serverlist.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\Program Files\KaZaA Lite\Kazupernodes.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\Program Files\KaZaA Lite\klrun.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\Program Files\Lavasoft\Ad-Aware SE Personal.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\Program Files\Microsoft Works Suite 2002\Setup.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\Program Files\Microsoft Works Suite 2002\Setupl.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\Program Files\Microsoft Works Suite 2002\Setuplq.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\Program Files\mIRC\backup\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.603
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.612
C:\Program Files\PokerStars\update.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\Program Files\SpacialAudio\SAM2.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\Program Files\Steam\dbgm.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\Program Files\Steam\INSTALL.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\Program Files\Steam\Steam_10.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\Program Files\Symantec\LiveUpdate\SymantecRootInstaller.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\Program Files\The Cleaner\Loader.exe Infected: VirTool.Win32.Patcher.a
C:\Program Files\Ventrilo2.0.1\ChannelLeave.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\Program Files\WinZip\WINZIP32.dll Infected: Trojan-Downloader.Win32.Murlo.a
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP936\A0132009.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP936\A0132018.dll Infected: Trojan.Win32.Crypt.o
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP942\A0132202.dll Infected: Trojan.Win32.Crypt.o
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP942\A0132203.dll Infected: Trojan.Win32.Crypt.o
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP992\A0134676.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.q
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP992\A0134699.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.q
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP992\A0135958.exe Infected: Trojan-Downloader.Win32.Small.ahg
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP992\A0135962.dll Infected: not-a-virus:AdWare.Win32.SBSoft.g
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP992\A0135966.exe Infected: Trojan-Clicker.Win32.Promo.a
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP992\A0135968.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.q
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP992\A0135969.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.q
C:\unzipped\AimAmp[1]\AimAmp\aimamp.exe Infected: Flooder.Win32.VB.aq
C:\WINDOWS\NDNuninstall4_85.exe Infected: not-a-virus:AdWare.Win32.NewDotNet
C:\WINDOWS\SYSTEM32\ddaby.dll Infected: Trojan-Downloader.Win32.ConHook.k
C:\WINDOWS\SYSTEM32\pmkhf.dll Infected: Trojan-Downloader.Win32.Agent.yf

Scan process completed.



It just pointed the above out but doesn't delete. I guess you will teach me how to delete the above, because by the looks of it I have lots of Trojans :/

Edited by usafreedom, 31 October 2005 - 10:31 PM.


#14
Wizard

  • Retired Staff
  • 5,661 posts
I must be losing it!

I didn't even notice you have no active antivirus or firewall installed.

If you will, please install the free trial of Kaspersky's antivirus software.

Use the link below to install and update Kaspersky Antivirus.

Make sure to get the Extended Database Updates.

Use the instructions in the link to scan in Safe Mode also.

Kaspersky Trial
http://www.bleepingc...rvs-t11662.html

Just follow the detailed instructions for downloading, installing and scanning in Safe Mode!

Make sure to clean or delete everything the scan finds!

Restart normally and install this free firewall; it will take some getting used to, but it will be better than getting reinfected constantly!

Sygate Personal Firewall:
http://smb.sygate.co...pf_standard.htm

Now, the emails that the Online Scanner IDed tell me you had best check with your bank and credit card companies to be sure no illegal activity is going on! (Trojan-Spy.HTML.Bayfraud.hn)

#15
usafreedom

  • Topic Starter
  • Member
  • 76 posts
How do I delete the files the above log found?
