Exsplorer [CLOSED]


This topic is locked

#16
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,130 posts
Hello again

Well you do have another Adobe, which I suppose it could be. Let's try this:

Go to Start>Run and type Services.msc then hit OK
Scroll down and find this service:

Photoshop Elements Device Connect

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HiJackThis. Click on None of the above, just start the program. Now, click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service; a window will pop up. Enter this item into that field (copy and paste):

Photoshop Elements Device Connect

Click OK.

It should pull up information about the service; when it asks if you want to reboot now, click YES.

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programs\Adobe 7.0\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [updateMgr] D:\Programs\Adobe 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_3
O23 - Service: Photoshop Elements Device Connect (PhotoshopElementsDeviceConnect) - Unknown owner - D:\Programs\Adobe\PhotoshopElementsDeviceConnect.exe


Click on Fix Checked when finished and exit HijackThis.

Reboot normally.

Any better?


#17
Thonie
    Member
  • Topic Starter
  • Member
  • 17 posts
Exsplorer came back again. I used the same file on the first thread. It works but it came out again. I deleted all the files that start with exsplorer using search. Then, used the same file again.

If exsplorer shows up again, I will post my HijackThis log. I won't do anything yet.

Thanks.

#18
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,130 posts
Hello again

Please delete your temporary files.

Double Click My Computer (WinXP: Navigate to Start >My Computer)

You will see an icon representing your hard drive (most likely C: Drive). Right Click on the hard drive icon and click Properties at the bottom of the fly out window.

On the very first tab (General) you will see a button labelled "Disk Cleanup"...click that button.

Make sure the following are checked:
  • Downloaded Program Files
  • Temporary Internet Files
  • Recycle Bin

Click OK and Disk Cleanup will delete those files for you.

Next, go to Start>Run, type in %temp%, hit Enter and delete the content of all the temp folders shown (only the content, not the folder). There may be a couple of files in use; this is normal.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download AproposFix from here: AproposFix
Save it to your desktop but do NOT run it yet.

Then please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

Once in Safe Mode, please double-click aproposfix.exe and unzip it to the desktop. Open the aproposfix folder on your desktop and run RunThis.bat. Follow the prompts.

When the tool is finished, please reboot back into normal mode, and post a new HijackThis log, along with the entire contents of the log.txt file in the aproposfix folder.

#19
Thonie
    Member
  • Topic Starter
  • Member
  • 17 posts
Crusty,

Thanks again for coming to help me.




Logfile of HijackThis v1.99.1
Scan saved at 12:47:57 PM, on 11/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Programs\Nero\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\WINDOWS\VM_STI.EXE
D:\Programs\DVD\PDVDServ.exe
D:\Programs\Nero\InCD\InCD.exe
C:\Program Files\Daily Weather Forecast\weather.exe
C:\Program Files\QuickTime\qttask.exe
D:\Programs\WinAmp 5.09\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
D:\Program Files\Ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
D:\Programs\Adobe\PhotoshopElementsDeviceConnect.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Motherboard Monitor 5\DLL\display.dll
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Multimedia Control Center\MCC.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Multimedia Control Center\VisMP.exe
D:\Downloads\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Programs\Adobe 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IYBookmarkHO Class - {8B11A219-80C8-4B42-B558-B8C14D1AA8C4} - C:\Program Files\Yahoo!\browser\ybmho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [PathNvidiaTV] C:\Program Files\Gigabyte\Nvidia\patchnvidiaTVout.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE lebeca web camera driver
O4 - HKLM\..\Run: [RemoteControl] D:\Programs\DVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Programs\Nero\InCD\InCD.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [SmartGuardian] C:\Program Files\ITE\Smart Guardian\ITESmart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] D:\Programs\WinAmp 5.09\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] D:\Programs\Adobe 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_3
O4 - Startup: Multimedia Control Center.LNK = C:\Program Files\Multimedia Control Center\MCC.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Programs\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Rogers Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: Rogers &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Programs\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\Ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Programs\Nero\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe

Log of AproposFix v1

************

Running from directory:
C:\Documents and Settings\Thonie\Desktop\aproposfix

************

Registry entries found:


************

No service found!

Removing hidden folder:
No folder found!

Deleting files:


Backing up files:
Done!

Removing registry entries:

REGEDIT4


Done!

Finished!

#20
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,130 posts
Hello again

Well we ruled out Apropos - good.

I have just looked critically at your HJT log and there are two entries which can on occasions be Trojans. They are:

C:\Program Files\Daily Weather Forecast\weather.exe
D:\Programs\WinAmp 5.09\Winamp\winampa.exe

There is no way for me to check visually, nor can I just trust your knowledge of them. We will have to submit both for assessment.

Please visit Kaspersky for an online file scan.

Browse to each file and submit it, wait for the response and post the information in your reply. You have to do them one at a time.

I'm fairly certain that the Daily Weather Forecast is adware, so you'll get unwanted things arriving with that file, but the Winamp could be legitimate or bogus.

#21
Thonie
    Member
  • Topic Starter
  • Member
  • 17 posts
I went to the Kaspersky site; among the 2 files you've mentioned, weather.exe is detected as infected with a Trojan. I don't know how it got there in the first place; I never installed it.

Anyways, what would be the next step? Should I uninstall it or use the Kaspersky anti-virus?

Please advise.

Thanks.

P.S.

I have a clean boot up now. Thanks for the Photoshop Elements solution.

#22
Thonie
    Member
  • Topic Starter
  • Member
  • 17 posts
Geez, here we go again. I have the exsplorer again as we speak. I'm not going to do anything until I hear from you. On my previous reply, I tried deleting the weather.exe but wasn't able to (access is denied).
Below is my HJT log; probably you will see skymasters.biz & weather.exe running together. Could these be the culprits?


Logfile of HijackThis v1.99.1
Scan saved at 7:00:04 PM, on 11/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\Programs\Nero\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
C:\WINDOWS\VM_STI.EXE
D:\Programs\DVD\PDVDServ.exe
D:\Programs\Nero\InCD\InCD.exe
C:\Program Files\Daily Weather Forecast\weather.exe
C:\Program Files\QuickTime\qttask.exe
D:\Programs\WinAmp 5.09\Winamp\winampa.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Motherboard Monitor 5\MBM5.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\CTsvcCDA.exe
D:\Program Files\Ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Hewlett-Packard\Toolbox2.0\Javasoft\JRE\1.3.1\bin\javaw.exe
C:\Program Files\Multimedia Control Center\MCC.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Motherboard Monitor 5\DLL\display.dll
C:\Program Files\Multimedia Control Center\VisMP.exe
C:\WINDOWS\system32\HPBPRO.EXE
D:\Downloads\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.skymasters.biz?4289
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IYBookmarkHO Class - {8B11A219-80C8-4B42-B558-B8C14D1AA8C4} - C:\Program Files\Yahoo!\browser\ybmho.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [PathNvidiaTV] C:\Program Files\Gigabyte\Nvidia\patchnvidiaTVout.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [StatusClient] C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup] C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
O4 - HKLM\..\Run: [OrderReminder] C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE lebeca web camera driver
O4 - HKLM\..\Run: [RemoteControl] D:\Programs\DVD\PDVDServ.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] D:\Programs\Nero\InCD\InCD.exe
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [SmartGuardian] C:\Program Files\ITE\Smart Guardian\ITESmart.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] D:\Programs\WinAmp 5.09\Winamp\winampa.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [MBM 5] "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [VGAUtil] C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [RemoteCenter] C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
O4 - HKCU\..\Run: [RHSI SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [Update Manager] "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SHS] "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Multimedia Control Center.LNK = C:\Program Files\Multimedia Control Center\MCC.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\Programs\MICROS~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Rogers Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra 'Tools' menuitem: Rogers &Yahoo! Sidebar - {51085E3D-A958-42A2-A6BE-A6A9B0BAF276} - C:\Program Files\Yahoo!\browser\ysidebarIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\Programs\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.redfunny.com
O15 - Trusted Zone: www.skymasters.biz
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - D:\Program Files\Ewido\security suite\ewidoctrl.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - D:\Programs\Nero\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - D:\Programs\Overclock Programs\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

#23
Crustyoldbloke
    Old Malware Surgeon with a shaky scalpel
  • Retired Staff
  • 15,130 posts
Hello again

I feel that we have gone full circle and not found the real culprit. Let’s do a fix based upon what I can see and then go looking a lot deeper and see what turns up there.

Right click on this link Del 015 Domains.inf and choose Save (link) As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards.

Install Ewido Security Suite.
  • Install Ewido security suite
  • When installing, under "Additional Options" uncheck:
    • Install background guard
    • Install scan via context menu
  • You will need to update Ewido to the latest definition files.
    • On the left hand side of the main screen click Update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed
    (the status bar at the bottom will display "Update successful").
If you are having problems with the updater, you can use this link to manually update Ewido:
Ewido manual updates
Do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Safe Mode

Launch Ewido: there should be an icon on your desktop; double-click it.
  • The programme will now open to the main screen.
  • When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK.
Once the updates are installed do the following:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop and include it in your reply.
Now close Ewido security suite.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.skymasters.biz?4289
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O15 - Trusted Zone: www.archiviosex.net
O15 - Trusted Zone: www.redfunny.com
O15 - Trusted Zone: www.skymasters.biz

Now close all windows other than HiJackThis, then click Fix Checked.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete this folder (if present) using Windows Explorer:

C:\Program Files\Daily Weather Forecast\

Close Windows Explorer and reboot normally.

Now we must hide the files we revealed earlier by reversing the process; this is an important safeguard to stop important system files being deleted by accident.

Download: WinPFind

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Reboot into Safe Mode: please see here if you are not sure how to do this.

From the WinPFind folder-> Double-click WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder.

Restart normally and post the contents of WinPFind.txt (and Ewido log too)
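Added example, not code from this thread or from HijackThis: a small Python triage script that parses the R0/O4/O15/O23 line formats seen in the logs posted above and pulls out the same kinds of entries the helper picked by hand in posts #16, #20 and #23 (a start page outside an allow-list, Trusted Zone additions, services with no recorded owner, and Run entries under a folder the analyst has already flagged, here the Daily Weather Forecast folder). The regexes, the allow-list and the flagged-folder list are assumptions of the example, and every hit is a review item, not a verdict.

```python
"""Triage of HijackThis v1.99-style log lines.

Added example, not code from the thread or from HijackThis. It parses the
R0 / O4 / O15 / O23 entry formats seen in the logs above and applies the kind
of checks the helper made by hand. Output is a review list, not a verdict;
every hit still needs a human look.
"""
import re
from dataclasses import dataclass

# Line formats, derived from the HijackThis entries quoted in the thread (assumed, not official).
R0_RE = re.compile(r"^R0 - (?P<key>[^,]+),(?P<value>[^=]+?)\s*=\s*(?P<data>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<domain>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
# Unquoted command lines may contain spaces, so the program path ends at the first .exe/.dll token.
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll))(?:\s|$)", re.IGNORECASE)


@dataclass
class Finding:
    line: str      # the original log line
    reason: str    # why it was pulled out for review


def executable_of(cmd):
    """Return the program path from a Run-key command line, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # quoted path: everything up to the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def triage(lines, allowed_start_pages=(), trusted_domains=(), flagged_folders=()):
    """Scan log lines and return the entries an analyst should look at."""
    allowed = {s.lower() for s in allowed_start_pages}
    trusted = {d.lower() for d in trusted_domains}
    flagged = [f.lower() for f in flagged_folders]
    findings = []
    for raw in lines:
        line = raw.strip()
        if m := R0_RE.match(line):
            # A hijacked start page shows up as an R0 entry whose value is not one the user chose.
            if "start page" in m["value"].lower() and m["data"].strip().lower() not in allowed:
                findings.append(Finding(line, "IE start page not in allow-list: " + m["data"].strip()))
        elif m := O15_RE.match(line):
            # Sites in the Trusted Zone run with relaxed IE security; none were expected here.
            if m["domain"].lower() not in trusted:
                findings.append(Finding(line, "site added to IE Trusted Zone: " + m["domain"]))
        elif m := O23_RE.match(line):
            # HijackThis prints "Unknown owner" when the binary carries no company information.
            if m["owner"].strip().lower() == "unknown owner":
                findings.append(Finding(line, "service with no recorded owner: " + m["name"]))
        elif m := O4_RE.match(line):
            exe = executable_of(m["cmd"])
            if any(exe.lower().startswith(f) for f in flagged):
                findings.append(Finding(line, f"{m['hive']} Run entry under flagged folder: {exe}"))
    return findings


# Constructed sample: a handful of lines copied from the logs quoted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.skymasters.biz?4289
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Daily Weather Forecast] C:\Program Files\Daily Weather Forecast\weather.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O15 - Trusted Zone: www.skymasters.biz
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
"""

# Folder the helper told the user to delete; in practice the analyst supplies this list.
FLAGGED_FOLDERS = ("C:\\Program Files\\Daily Weather Forecast\\",)


def triage_sample():
    """Run the triage over SAMPLE_LOG with the settings that fit this thread."""
    return triage(SAMPLE_LOG.splitlines(),
                  allowed_start_pages=("about:blank",),   # assumed user preference
                  trusted_domains=(),                     # no Trusted Zone sites expected
                  flagged_folders=FLAGGED_FOLDERS)


if __name__ == "__main__":
    for f in triage_sample():
        print(f"{f.line.split(' - ')[0]:4} {f.reason}")
        print("     " + f.line)
```

On the sample above the script lists the start page, the weather.exe Run entry, the skymasters.biz Trusted Zone entry and the ownerless WLTRYSVC service, and skips the Symantec and NVIDIA lines.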

#24
Thonie
    Member
  • Topic Starter
  • Member
  • 17 posts
What about those exsplorer files that still exist in Documents & Settings, do you want me to delete them all now or later?


Here's the WinPFind scan report.

WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...
PEC2 7/9/2004 1:17:16 PM 13265040 C:\Program Files\dxnt.cab

Checking %WinDir% folder...
UPX! 9/3/2005 1:25:14 AM 65536 C:\WINDOWS\IFinst27.exe

Checking %System% folder...
aspack 3/18/2005 4:19:58 PM 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
PEC2 8/23/2001 10:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 8/9/2005 5:14:00 PM 692736 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 8/9/2005 5:14:00 PM 692736 C:\WINDOWS\SYSTEM32\DivX.dll
PTech 7/12/2005 5:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 11/2/2005 12:34:18 AM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 11/2/2005 12:34:18 AM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/3/2004 11:56:38 PM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/3/2004 11:56:46 PM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/23/2001 10:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/3/2004 9:41:38 PM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/15/2005 2:40:26 AM S 2048 C:\WINDOWS\bootstat.dat
10/5/2005 8:33:38 PM S 12849 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896424.cat
10/4/2005 5:17:42 PM S 21737 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
9/28/2005 10:53:30 AM S 17402 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
11/15/2005 2:40:24 AM H 8192 C:\WINDOWS\system32\config\default.LOG
11/15/2005 2:40:30 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
11/15/2005 2:40:26 AM H 12288 C:\WINDOWS\system32\config\SECURITY.LOG
11/15/2005 2:40:30 AM H 94208 C:\WINDOWS\system32\config\software.LOG
11/15/2005 2:40:28 AM H 1253376 C:\WINDOWS\system32\config\system.LOG
11/11/2005 1:42:16 AM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
11/9/2005 2:57:26 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\e9c23564-fe96-46ca-96b0-fbfe7ce290e5
11/9/2005 2:57:26 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
11/15/2005 2:39:46 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/3/2004 11:56:58 PM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Creative Technology Ltd. 5/28/2001 12:47:00 PM 32768 C:\WINDOWS\SYSTEM32\AudioHQU.cpl
Broadcom Corporation 7/9/2004 8:41:34 AM 1237095 C:\WINDOWS\SYSTEM32\BCMWLCPL.CPL
Microsoft Corporation 8/3/2004 11:56:58 PM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/23/2001 10:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 10:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 5/11/2005 11:34:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/23/2001 10:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 9/23/2004 5:57:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 10:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/3/2004 11:56:58 PM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/23/2001 10:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/23/2001 10:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/23/2001 10:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/23/2001 10:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
8/11/2005 2:58:36 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
8/11/2005 10:57:32 AM 1646 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
8/10/2005 10:51:46 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
8/11/2005 2:58:36 AM HS 84 C:\Documents and Settings\Thonie\Start Menu\Programs\Startup\desktop.ini
9/3/2005 1:25:18 AM 1758 C:\Documents and Settings\Thonie\Start Menu\Programs\Startup\Multimedia Control Center.LNK

Checking files in %USERPROFILE%\Application Data folder...
8/10/2005 10:51:46 PM HS 62 C:\Documents and Settings\Thonie\Application Data\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =
YPC 3.2.0 = Yahoo! Parental Controls

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = D:\Programs\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = D:\PROGRAMS\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail
{5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\Program Files\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = D:\Programs\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = D:\PROGRAMS\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = D:\Programs\WinRAR\rarext.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
{E0D79304-84BE-11CE-9641-444553540000} = D:\PROGRAMS\WINZIP\WZSHLSTB.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= D:\Programs\Adobe 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}
Yahoo! Companion BHO = C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= D:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8B11A219-80C8-4B42-B558-B8C14D1AA8C4}
IYBookmarkHO Class = C:\Program Files\Yahoo!\browser\ybmho.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}
Google Toolbar Helper = c:\program files\google\googletoolbar2.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D}
SidebarAutoLaunch Class = C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion : C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll
{2318C2B1-4965-11d4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2499216C-4BA5-11D5-BD9C-000103C116D5}
ButtonText = Yahoo! Login :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{51085E3D-A958-42A2-A6BE-A6A9B0BAF276}
ButtonText = Rogers Yahoo! Sidebar :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{2318C2B1-4965-11D4-9B18-009027A5CD4F} = &Google : c:\program files\google\googletoolbar2.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Companion : C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_20_0.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
CTSysVol C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
CTDVDDET C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
CTHelper CTHELPER.EXE
SBDrvDet C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
UpdReg C:\WINDOWS\UpdReg.EXE
NVRTCLK C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
PathNvidiaTV C:\Program Files\Gigabyte\Nvidia\patchnvidiaTVout.exe
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz nwiz.exe /install
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
StatusClient C:\Program Files\Hewlett-Packard\Toolbox2.0\Apache Tomcat 4.0\webapps\Toolbox\StatusClient\StatusClient.exe /auto
TomcatStartup C:\Program Files\Hewlett-Packard\Toolbox2.0\hpbpsttp.exe
OrderReminder C:\Program Files\Hewlett-Packard\OrderReminder\OrderReminder\OrderReminder.exe
BigDogPath C:\WINDOWS\VM_STI.EXE lebeca web camera driver
RemoteControl D:\Programs\DVD\PDVDServ.exe
NeroFilterCheck C:\WINDOWS\system32\NeroCheck.exe
InCD D:\Programs\Nero\InCD\InCD.exe
SmartGuardian C:\Program Files\ITE\Smart Guardian\ITESmart.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
WinampAgent D:\Programs\WinAmp 5.09\Winamp\winampa.exe
NvMediaCenter RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
MBM 5 "C:\Program Files\Motherboard Monitor 5\MBM5.EXE"
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
VGAUtil C:\Program Files\GigaByte\VGA Utility Manager\G-VGA.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
RemoteCenter C:\Program Files\Creative\MediaSource\RemoteControl\RCMan.EXE
RHSI SHS "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
Update Manager "C:\Program Files\Rogers\Update Manager\UpdateManager.exe" /background
Yahoo! Pager C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
SHS "C:\Program Files\Rogers\SelfHealing\SHS.exe" /background
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\system32\upnpui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 11/15/2005 2:46:01 AM

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 2:20:19 AM, 11/15/2005
+ Report-Checksum: BD9B95C7

+ Scan result:

C:\Documents and Settings\Abuding\Local Settings\Temp\12876.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Abuding\Local Settings\Temp\23026.exe -> Dialer.Generic : Cleaned with backup
C:\Documents and Settings\Abuding\Local Settings\Temp\4369.exe -> Dialer.Generic : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Esomniture : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Tradedoubler : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Etracker : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.78:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.105:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Thonie\Application Data\Mozilla\Firefox\Profiles\py9oiojv.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup

#25
Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,130 posts
Hello again Thonie

What about those exsplorer files that do still exist in documents & settings, do you want me to delete them all now or later?

What files are they? Can you tell me the names of them please?

Research is telling me that Exsplorer is a Dialer which changes your MSIE start page and that AV programmes updated since mid October 2005 should be able to deal with it. So I want you to go for an online scan and clean up.

But before doing that, let me tell you that WinPfind resulted in one bad file for removal. Let's do that now and see if that stops the Exsplorer files. If not, please do the online scan before replying.

Download Killbox by Option^Explicit

Please install Killbox by Option^Explicit.
  • Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
  • In the Killbox programme, select the Delete on Reboot option.
  • Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\IFinst27.exe
  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

That's the file out of the way. Here's the online scan address:

Please visit Kaspersky for an online scan. Please post the log it produces.

#26
Thonie

    Member

  • Topic Starter
  • Member
  • 17 posts
I followed your instructions. As per the Kaspersky online scanner, it found a lot of viruses & trojans in my PC but it only did a scan. I downloaded the Kaspersky AV personal ed., & was able to delete those nasty files. It makes me wonder how Norton AV wasn't able to scan them in the first place. I had to uninstall the AV afterwards because it slowed down my computer & most of the time, it hangs. I guess because I did not uninstall Norton AV as it said during the Kaspersky installation, my bad.

Do you want me to perform the online scanning again since Kapersky AV performed some deletion? I'm attaching a doc file about the exsplorer files I was telling you about.

Thanks.




-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, November 16, 2005 03:00:52
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 16/11/2005
Kaspersky Anti-Virus database records: 150342
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 55459
Number of viruses found: 12
Number of infected objects: 146
Number of suspicious objects: 9
Duration of the scan process: 2196 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Abuding\Local Settings\Application Data\Identities\{D1C3FA70-A616-4506-A03C-5D71A2D455F1}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay <identdep_op64928138@ebay.com>][Date Sun, 13 Nov 2005 19:28:13 -0200]/UNNAMED/html Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Abuding\Local Settings\Application Data\Identities\{D1C3FA70-A616-4506-A03C-5D71A2D455F1}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay <identdep_op64928138@ebay.com>][Date Sun, 13 Nov 2005 19:28:13 -0200]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Abuding\Local Settings\Application Data\Identities\{D1C3FA70-A616-4506-A03C-5D71A2D455F1}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay Inc <support_refnum_37663@ebay.com>][Date Wed, 05 Oct 2005 15:04:09 +0200]/UNNAMED/html Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Abuding\Local Settings\Application Data\Identities\{D1C3FA70-A616-4506-A03C-5D71A2D455F1}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay Inc <support_refnum_37663@ebay.com>][Date Wed, 05 Oct 2005 15:04:09 +0200]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Abuding\Local Settings\Application Data\Identities\{D1C3FA70-A616-4506-A03C-5D71A2D455F1}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Thonie\Local Settings\Temp\list141.exe Infected: Trojan-Downloader.Win32.Centim.an
C:\Program Files\Norton AntiVirus\Quarantine\00357BE1.dll Infected: Trojan-Downloader.Win32.Delf.wp
C:\Program Files\Norton AntiVirus\Quarantine\009C2520.dll Infected: Trojan-Downloader.Win32.Delf.wp
C:\Program Files\Norton AntiVirus\Quarantine\00FA47A1.dll Infected: Trojan-Downloader.Win32.Delf.wp
C:\Program Files\Norton AntiVirus\Quarantine\01BD1D8F.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\Program Files\Norton AntiVirus\Quarantine\023601E9.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\Program Files\Norton AntiVirus\Quarantine\02DF3B91.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\Program Files\Norton AntiVirus\Quarantine\0962792D.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\Program Files\Norton AntiVirus\Quarantine\09F61A4A.dll Infected: Trojan-Downloader.Win32.Delf.wp
C:\Program Files\Norton AntiVirus\Quarantine\0AA11385.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\Program Files\Norton AntiVirus\Quarantine\0AFC2DC2.dll Infected: Trojan-Downloader.Win32.Delf.wp
C:\Program Files\Norton AntiVirus\Quarantine\0D661A25.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\Program Files\Norton AntiVirus\Quarantine\0DD53537.dll Infected: Trojan-Downloader.Win32.Delf.wp
C:\Program Files\Norton AntiVirus\Quarantine\0E581C48.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\Program Files\Norton AntiVirus\Quarantine\0E9D1939.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\Program Files\Norton AntiVirus\Quarantine\0FCD45E6.dll Infected: Trojan-Downloader.Win32.Delf.wp
C:\Program Files\Norton AntiVirus\Quarantine\10AD1855.dll Infected: Trojan-Downloader.Win32.Delf.wp
C:\Program Files\Norton AntiVirus\Quarantine\13C460A4.dll Infected: Trojan-Downloader.Win32.Delf.wp

Scan process completed.


#27 Crustyoldbloke (Retired Staff)
Hello again Thonie

Thanks for the insight and all the information. I can confirm that having two AV programmes running will slow you down to a crawl and cause conflicts too. Most of the Kaspersky log deals with the Norton Quarantine folder and Restore Points. You can navigate to the Norton Folder and delete all of those bad files being held there without any fear at all, but note that the quarantine folder does not allow the files within to operate.

When your system is clean, we will clear your restore points too. So the only ones you need to look at are the ones below in the quote box. I suggest that you print it out and then go hunting in safe mode and delete them.

Looking at some of the entries in Outlook Express, I must admit that I am very surprised they were allowed in by Norton. Are you sure that your subscription is still current and that you have updated recently? If you need a good free AV programme, use AVG.

I'll let you have fun with virus deleting and wait for you to reply in a day or two with hopefully good news that Exsplorer has gone. BTW, you can get rid of those entries in the attachment.

Infected Object Name - Virus Name
C:\Documents and Settings\Abuding\Local Settings\Application Data\Identities\{D1C3FA70-A616-4506-A03C-5D71A2D455F1}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay <identdep_op64928138@ebay.com>][Date Sun, 13 Nov 2005 19:28:13 -0200]/UNNAMED/html Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Abuding\Local Settings\Application Data\Identities\{D1C3FA70-A616-4506-A03C-5D71A2D455F1}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay <identdep_op64928138@ebay.com>][Date Sun, 13 Nov 2005 19:28:13 -0200]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Abuding\Local Settings\Application Data\Identities\{D1C3FA70-A616-4506-A03C-5D71A2D455F1}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay Inc <support_refnum_37663@ebay.com>][Date Wed, 05 Oct 2005 15:04:09 +0200]/UNNAMED/html Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Abuding\Local Settings\Application Data\Identities\{D1C3FA70-A616-4506-A03C-5D71A2D455F1}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay Inc <support_refnum_37663@ebay.com>][Date Wed, 05 Oct 2005 15:04:09 +0200]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Abuding\Local Settings\Application Data\Identities\{D1C3FA70-A616-4506-A03C-5D71A2D455F1}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Thonie\Local Settings\Temp\list141.exe Infected: Trojan-Downloader.Win32.Centim.an


Good luck.

#28 Thonie (Topic Starter)
Thanks for the quick reply.

Once I finish doing some urgent errands, I will work on it.

Should I dump my NAV for Kaspersky? Is it a good move, or is there a better AV prog I should get?

Please advise.


Cheers!

#29 Crustyoldbloke (Retired Staff)
Now that is a subject I will not get involved in; you must work that out for yourself.

Having said that, I use AVG Free Edition.

#30 Crustyoldbloke (Retired Staff)
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.