Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

UCMore, Probably others? [CLOSED]

Started by tWp - (Rob) , Nov 26 2005 07:19 AM

  • This topic is locked This topic is locked

#1
tWp - (Rob)
Posted 26 November 2005 - 07:19 AM

tWp - (Rob)

    New Member

  • Member
  • Pip
  • 2 posts
As much as I've had some success in the past getting rid of malware/virii/etc - This has got me stumped...

I've run Adaware, MS Beta, CWS Shredder, Ewido... All of which achieved something - Ewido most recently giving the log down below...

Still getting a few errors and a redirect to a page ending in "yyy102.html"

I've got a HJT log and I'll post the Ewido log from tonight as well - but if anyone has any suggestions - I'd really appreciate it.

There's a UCMore folder under C:\ that I'm sure I've deleted before - and an "install.bat" file in C:\ that has commands to start eula.htm and thanks.exe... (I think Ewido may have gotten rid of those files though)


Here's my HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 11:56:46 PM, on 26/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\tp4serv.exe
C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\WINDOWS\Servces32.exe
C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\QCONSVC.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY_1\TpScrex.exe
C:\HJT\HijackThis.exe

O1 - Hosts: 216.180.239.154 www.halifax-online.co.uk
O1 - Hosts: 216.180.239.154 ibank.barclays.co.uk
O1 - Hosts: 216.180.239.154 online.lloydstsb.co.uk
O1 - Hosts: 216.180.239.154 online-business.lloydstsb.co.uk
O1 - Hosts: 216.180.239.154 www.ukpersonal.hsbc.co.uk
O1 - Hosts: 216.180.239.154 www.nwolb.com
O1 - Hosts: 216.180.239.154 banesnet.banesto.es
O1 - Hosts: 216.180.239.154 extranet.banesto.es
O1 - Hosts: 216.180.239.154 ebanking.bccbrescia.it
O1 - Hosts: 216.180.239.154 www.bankofscotlandhalifax-online.co.uk
O1 - Hosts: 216.180.239.154 www.rbsdigital.com
O1 - Hosts: 216.180.239.154 oi.cajamadrid.es
O1 - Hosts: 216.180.239.154 bancae.caixapenedes.com
O1 - Hosts: 216.180.239.154 banking.postbank.de
O1 - Hosts: 216.180.239.154 meine.deutsche-bank.de
O1 - Hosts: 216.180.239.154 myonlineaccounts2.abbeynational.co.uk
O1 - Hosts: 216.180.239.154 ibank.cahoot.com
O1 - Hosts: 216.180.239.154 webbank.openplan.co.uk
O1 - Hosts: ound.net
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\yaywt.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [QCWLICON] C:\Program Files\ThinkPad\ConnectUtilities\QCWLICON.EXE
O4 - HKLM\..\Run: [BMMGAG] RunDll32 C:\PROGRA~1\ThinkPad\UTILIT~1\pwrmonit.dll,StartPwrMonitor
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Tgcmd] "C:\Program Files\Support.com\bin\tgcmd.exe /server"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [Windows Services] C:\WINDOWS\Servces32.exe
O4 - HKLM\..\Run: [QCTray] C:\PROGRA~1\ThinkPad\CONNEC~1\QCTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1130580841373
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1131974354811
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\lv4409hqe.dll
O20 - Winlogon Notify: yaywt - C:\WINDOWS\SYSTEM32\yaywt.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWF0dA\command.exe (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: QCONSVC - Unknown owner - C:\WINDOWS\System32\QCONSVC.EXE





and EWIDO:
---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:11:31 PM, 26/11/2005
+ Report-Checksum: 66D34A1E

+ Scan result:

[308] C:\WINDOWS\system32\olbc32.dll -> Spyware.Look2Me : Error during cleaning
[680] C:\WINDOWS\system32\olbc32.dll -> Spyware.Look2Me : Error during cleaning
[1360] C:\windows\adtech2005.exe -> Trojan.VB.afn : Cleaned with backup
[2064] C:\WINDOWS\system32\msniq.exe -> Backdoor.Rbot : Cleaned with backup
C:\31t.exe/thanks.exe -> TrojanDownloader.VB.qr : Cleaned with backup
:mozilla.10:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\0kiw0btt.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.11:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\0kiw0btt.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.12:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\0kiw0btt.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.13:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\0kiw0btt.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.14:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\0kiw0btt.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.15:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\0kiw0btt.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.16:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\0kiw0btt.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.17:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\0kiw0btt.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.18:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\0kiw0btt.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.19:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\0kiw0btt.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.20:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\0kiw0btt.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.21:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\0kiw0btt.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.34:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\0kiw0btt.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.36:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\0kiw0btt.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.40:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\0kiw0btt.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.49:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\0kiw0btt.default\cookies.txt -> Spyware.Cookie.Realtracker : Cleaned with backup
:mozilla.51:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\0kiw0btt.default\cookies.txt -> Spyware.Cookie.Realtracker : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01K3DW6G\mte3ndi6odoxng[1].exe -> TrojanDownloader.Small.buy : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\01K3DW6G\picture_22[1].com -> Backdoor.Rbot : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DH3MEI1Q\thanks[1].exe/thanks.exe -> TrojanDownloader.VB.qr : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\DH3MEI1Q\timessquare[1].exe -> Spyware.Hijacker.StartPage.aw : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EXAWR483\mg[1].exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\EXAWR483\thanks[1].exe/thanks.exe -> TrojanDownloader.VB.qr : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FSB9GH0M\adtech2005[1].exe -> Trojan.VB.afn : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FSB9GH0M\drsmartload[1].exe -> Spyware.SmartLoad : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\FSB9GH0M\installer[1].exe -> Spyware.Look2Me : Cleaned with backup
:mozilla.6:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.7:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.8:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.9:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.10:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.11:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.13:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.14:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.15:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.16:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.17:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.22:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Paypopup : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Matt\Application Data\Mozilla\Firefox\Profiles\xwzxezt0.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Matt\Cookies\[email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Matt\Local Settings\Temp\393834_11684_2704_11728_78.41.tmp -> Trojan.EliteBar.g : Cleaned with backup
C:\Documents and Settings\Matt\Local Settings\Temp\k_3F08.tmp -> Trojan.EliteBar.a : Cleaned with backup
C:\Documents and Settings\Matt\Local Settings\Temp\k_7769.tmp -> Trojan.EliteBar.a : Cleaned with backup
C:\Documents and Settings\Matt\Local Settings\Temp\Temporary Internet Files\Content.IE5\40OTURA6\thanks[1].exe/thanks.exe -> TrojanDownloader.VB.qr : Cleaned with backup
C:\Documents and Settings\Matt\Local Settings\Temp\Temporary Internet Files\Content.IE5\5A7QMW6L\mg[1].exe -> Spyware.WinAD : Cleaned with backup
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\RS2CMWFY\AppWrap[1].exe -> Spyware.Zestyfind : Cleaned with backup
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\XGZIAK3D\AppWrap[1].exe -> Spyware.AdURL : Cleaned with backup
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\XGZIAK3D\silent_setup[1].exe -> TrojanDropper.Agent.za : Cleaned with backup
C:\Documents and Settings\Matt\Local Settings\Temporary Internet Files\Content.IE5\ZI1KLVN6\AppWrap[1].exe -> Spyware.AdURL : Cleaned with backup
C:\drsmartload1.exe -> Spyware.SmartLoad : Cleaned with backup
C:\installer.exe -> Spyware.Look2Me : Cleaned with backup
C:\m1t.exe/thanks.exe -> TrojanDownloader.VB.qr : Cleaned with backup
C:\m31g.exe -> Backdoor.Rbot : Cleaned with backup
C:\m31t.exe/thanks.exe -> TrojanDownloader.VB.qr : Cleaned with backup
C:\mg.exe -> Spyware.WinAD : Cleaned with backup
C:\mte3ndi6odoxng.exe -> TrojanDownloader.Small.buy : Cleaned with backup
C:\Program Files\Common Files\orrr\orrra.exe -> TrojanDownloader.TSUpdate.l : Cleaned with backup
C:\Program Files\Common Files\orrr\orrrm.exe -> TrojanDownloader.TSUpdate.n : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\0ADA4393-496B-4D03-920B-015C20\A0570CC9-A6C4-48DC-8B88-EA2924 -> Adware.CommAd : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP14\A0005097.exe -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP14\A0005103.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP14\A0005106.exe -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP14\A0005113.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP14\A0005114.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP14\A0006108.dll -> Trojan.EliteBar.g : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP14\A0006114.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP14\A0006115.exe -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP14\A0006116.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP14\A0006123.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP14\A0006124.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP14\A0006126.dll -> Trojan.EliteBar.g : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP14\A0006132.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP14\A0006133.exe -> TrojanDropper.Agent.za : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP14\A0006134.exe -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP14\A0006135.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP14\A0006142.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP14\A0006145.exe -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP14\A0006146.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP14\A0007142.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP14\A0007145.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP15\A0007173.exe -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP18\A0007256.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP18\A0007276.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP18\A0007277.exe -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP18\A0007282.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP18\A0007285.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP24\A0007479.exe -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0007674.dll -> Trojan.EliteBar.g : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0007693.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0007834.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0007843.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0007845.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0007856.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0007862.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0007871.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0007877.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0007887.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0007890.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0007906.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0007913.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0007918.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0007921.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0007994.dll -> Trojan.EliteBar.g : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0008001.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0008002.exe -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0008003.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0008006.dll -> Trojan.EliteBar.g : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0008011.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0008014.exe -> Spyware.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0008015.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0008019.dll -> Trojan.EliteBar.h : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0008020.exe -> Trojan.EliteBar : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0008026.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0008028.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0008047.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0008052.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0008053.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0008063.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0008066.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0008073.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0008074.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0008084.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0008085.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0008094.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0008095.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0008104.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP27\A0008106.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP28\A0008119.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP28\A0008120.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP28\A0008140.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP28\A0008142.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP29\A0008167.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP29\A0008169.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP29\A0008175.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP29\A0008177.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP29\A0008182.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP29\A0008185.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP30\A0008194.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP30\A0008195.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP30\A0008203.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP30\A0008205.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP30\A0008211.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP30\A0008212.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP30\A0008224.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP30\A0008226.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP30\A0008241.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP30\A0008245.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP30\A0008254.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP30\A0008256.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP30\A0008267.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP30\A0008271.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP31\A0008279.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP31\A0008281.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP31\A0008291.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP31\A0008293.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP31\A0008304.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP31\A0008306.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP31\A0008311.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP31\A0008315.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP31\A0008323.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP31\A0008325.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP31\A0008330.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP31\A0008332.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP32\A0008339.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP32\A0008341.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP34\A0008386.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP34\A0008388.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP34\A0008394.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP34\A0008396.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP34\A0008402.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP34\A0008404.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP35\A0008780.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP35\A0008782.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP35\A0008811.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP35\A0008812.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP36\A0008918.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP36\A0008920.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP36\A0008925.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP36\A0008927.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP36\A0008932.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP36\A0008934.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP37\A0008943.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP37\A0008948.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP37\A0008949.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP37\A0008951.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP37\A0008955.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP37\A0008957.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP37\A0008958.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP37\A0008959.exe/thanks.exe -> TrojanDownloader.VB.qr : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP37\A0008961.exe -> TrojanDownloader.VB.qr : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP37\A0009118.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP39\A0009289.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP39\A0009290.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP39\A0009334.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP39\A0009335.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP39\A0009336.exe -> Backdoor.Rbot : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP39\A0009337.exe -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP39\A0009338.exe/thanks.exe -> TrojanDownloader.VB.qr : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP39\A0009340.exe -> TrojanDownloader.VB.qr : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP39\A0009341.exe -> Spyware.AdURL : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP41\A0012442.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP41\A0012447.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP41\A0012468.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP41\A0012476.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP41\A0012481.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP41\A0012485.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP41\A0013485.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP41\A0013492.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP41\A0013497.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP41\A0013500.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP41\A0014497.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP41\A0014500.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP41\A0014502.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP41\A0014506.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP41\A0014508.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP41\A0014512.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP41\A0014516.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP41\A0014518.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP41\A0014520.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP41\A0014525.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP41\A0014526.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP42\A0014534.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP42\A0014538.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP42\A0014540.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP42\A0014547.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP42\A0014551.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP42\A0014553.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP42\A0014566.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP42\A0014570.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP42\A0014572.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP42\A0014581.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP42\A0014585.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP42\A0014587.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP42\A0014610.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP42\A0014615.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP42\A0014616.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP42\A0014624.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP42\A0014628.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP42\A0014630.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP42\A0014632.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP42\A0014636.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP42\A0014638.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP43\A0014640.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP43\A0014644.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP43\A0014646.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP43\A0014648.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP43\A0014652.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP43\A0014654.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP43\A0014657.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP43\A0014661.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP43\A0014663.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP43\A0014665.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP43\A0014669.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP43\A0014672.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP43\A0014684.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP43\A0014688.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP43\A0014690.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP43\A0014707.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP43\A0014711.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP43\A0014713.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014715.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014719.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014721.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014727.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014731.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014733.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014738.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014742.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014744.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014767.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014771.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014773.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014786.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014790.sys -> Trojan.Rootkit.k : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014793.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014795.exe -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014797.exe -> TrojanDownloader.VB.qr : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014798.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014800.exe -> TrojanDownloader.VB.qr : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014803.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014808.bat -> Trojan.Zapchast : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014809.exe -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014810.exe/thanks.exe -> TrojanDownloader.VB.qr : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014812.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014814.exe -> TrojanDownloader.VB.qr : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014815.exe -> Spyware.AdURL : Cleaned with backup
C:\System Volume Information\_restore{DBEEC43F-1F58-49C3-A089-09F1DA3D9397}\RP44\A0014817.exe -> Spyware.Zestyfind : Cleaned with backup
C:\thanks.exe -> TrojanDownloader.VB.qr : Cleaned with backup
C:\WINDOWS\adtech2005.exe -> Trojan.VB.afn : Cleaned with backup
C:\WINDOWS\icont.exe -> Spyware.AdURL : Cleaned with backup
C:\WINDOWS\iconu.exe -> Spyware.Zestyfind : Cleaned with backup
C:\WINDOWS\system32\apiiiexx.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\aydiosrv.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\bvtsprx2.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\ckiconfg.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\dqkquota.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\dYd8.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\dzrgui.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\g4220efoeh2c0.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\h8n00i5me8.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\kadycc.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\kldbr.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\kndmlt48.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\system32\kudir.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOW
  • 0

Advertisements

#2
Crustyoldbloke
Posted 26 November 2005 - 09:01 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello Rob and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions!

You have quite a mixture of malware and Trojans that need to be eradicated including VX2 and ConHook. With luck like that, don’t bother buying lottery tickets and be very careful when out walking and crossing roads. Let’s see what we can do with the first sweep of a few..

Firstly could you please disable Microsoft Antispyware from running during the fix, it may just hinder our attempts to change anything. Right click on the icon (looks like an archery target) in the task bar and click on Security Agents Status (Enabled) then click on Disable Real-time Protection. To re enable it, you follow the same steps but click on Enable Real-time Protection.

Please also disable Ewido Guard for the same reason. Open Ewido and remove the guard option. You may have to reboot for the change to take affect.

When your PC has been declared clean, please only enable one of those two programmes to run in real-time. All others should be used as “on demand” scanners. Having more than one antispyware programme running in real-time will cause slowness and even conflicts.

You do not appear to have any antivirus programme running on your PC; we must correct that immediately.

Download:
AVG ANTIVIRUS FREE EDITION

Install AVG, update its virus definitions and perform a full system scan before proceeding any further.

To start please download the following programmes, we will run them later. Please save it/them to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit
CCleaner
Hoster
.

Go to Start>Run and type Services.msc then hit OK
Scroll down and find this service:

Command Service (cmdService)

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then OK.

Run HiJackThis. Click on None of the above, just start the program. Now, click on the Config button (bottom right), then click on Misc Tools, then click on Delete an NT Service a window will pop up. Enter this item into that field (copy and paste):

cmdService

Click OK.

It should pull up information about the service, when it asks if you want to reboot now click YES

Please run Hoster (just double click it to open). Choose the Restore Original Hosts button and press OK.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O1 - Hosts: 216.180.239.154 www.halifax-online.co.uk
O1 - Hosts: 216.180.239.154 ibank.barclays.co.uk
O1 - Hosts: 216.180.239.154 online.lloydstsb.co.uk
O1 - Hosts: 216.180.239.154 online-business.lloydstsb.co.uk
O1 - Hosts: 216.180.239.154 www.ukpersonal.hsbc.co.uk
O1 - Hosts: 216.180.239.154 www.nwolb.com
O1 - Hosts: 216.180.239.154 banesnet.banesto.es
O1 - Hosts: 216.180.239.154 extranet.banesto.es
O1 - Hosts: 216.180.239.154 ebanking.bccbrescia.it
O1 - Hosts: 216.180.239.154 www.bankofscotlandhalifax-online.co.uk
O1 - Hosts: 216.180.239.154 www.rbsdigital.com
O1 - Hosts: 216.180.239.154 oi.cajamadrid.es
O1 - Hosts: 216.180.239.154 bancae.caixapenedes.com
O1 - Hosts: 216.180.239.154 banking.postbank.de
O1 - Hosts: 216.180.239.154 meine.deutsche-bank.de
O1 - Hosts: 216.180.239.154 myonlineaccounts2.abbeynational.co.uk
O1 - Hosts: 216.180.239.154 ibank.cahoot.com
O1 - Hosts: 216.180.239.154 webbank.openplan.co.uk
O1 - Hosts: ound.net
O2 - BHO: (no name) - {00DBDAC8-4691-4797-8E6A-7C6AB89BC441} - C:\WINDOWS\system32\yaywt.dll
O4 - HKLM\..\Run: [Windows Services] C:\WINDOWS\Servces32.exe
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\lv4409hqe.dll
O20 - Winlogon Notify: yaywt - C:\WINDOWS\SYSTEM32\yaywt.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWF0dA\command.exe (file missing)

Now close all windows other than HiJackThis, then click Fix Checked.

Please install Killbox by Option^Explicit.
  • Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.
  • In the Killbox programme, select the Delete on Reboot option.
  • Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\system32\yaywt.dll
C:\WINDOWS\Servces32.exe
C:\WINDOWS\system32\lv4409hqe.dll
C:\WINDOWS\TWF0dA\command.exe
  • Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
  • Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, update it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the system tab, then click Analyze> Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues then Scan for issues – fix selected issues

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!
  • 0

#3
tWp - (Rob)
Posted 26 November 2005 - 06:23 PM

tWp - (Rob)

    New Member

  • Topic Starter
  • Member
  • Pip
  • 2 posts

You have quite a mixture of malware and Trojans that need to be eradicated including VX2 and ConHook. With luck like that, don’t bother buying lottery tickets and be very careful when out walking and crossing roads.


You should have seen it before I started trying to fix it.

I think I've run everything in the above post - I may have had some issues with Killbox though - It didn't seem to run properly at all - I never saw a "delete on reboot" prompt... So I entered all the filenames, hit delete and then rebooted.

And when using HJT - the following no longer existed...
* O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWF0dA\command.exe (file missing)
* The list of Host Files

I assume because they had been fixed by the earlier steps.


Here's the log from LM2FIX:
(and As I wrote that I got hijacked to another "yyy102.html" page - So I realise I"m not out of the woods yet)


L2MFIX find log 1.99
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\NetCache]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\en06l1ds1.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yaywt]
"Asynchronous"=dword:00000001
"DllName"="yaywt.dll"
"Impersonate"=dword:00000000
"Logon"="Logon"
"Logoff"="Logoff"


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Read BUILTIN\Power Users
(ID-IO) ALLOW Read BUILTIN\Power Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER


**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{4E59B94A-D846-5C60-A970-2BA75FCABAEE}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}"="iTunes"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{00020D75-0000-0000-C000-000000000046}"="Microsoft Office Outlook Desktop Icon Handler"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Office Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{FE67A3AD-9178-48A9-BAB8-CAF9E9EF3154}"=""
"{48B2428A-86A4-4D6B-9E07-AFC498A5F5D9}"=""
"{2559a1f7-21d7-11d4-bdaf-00c04f60b9f0}"="Set Program Access and Defaults"
"{596AB062-B4D2-4215-9F74-E9109B0A8153}"="Previous Versions Property Page"
"{9DB7A13C-F208-4981-8353-73CC61AE2783}"="Previous Versions"
"{692F0339-CBAA-47e6-B5B5-3B84DB604E87}"="Extensions Manager Folder"
"{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"="AVG7 Shell Extension"
"{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}"="AVG7 Find Extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{48B2428A-86A4-4D6B-9E07-AFC498A5F5D9}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{48B2428A-86A4-4D6B-9E07-AFC498A5F5D9}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{48B2428A-86A4-4D6B-9E07-AFC498A5F5D9}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{48B2428A-86A4-4D6B-9E07-AFC498A5F5D9}\InprocServer32]
@="C:\\WINDOWS\\system32\\wjweb.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
atmtd.dll Mon 14 Nov 2005 21:03:02 A.... 687,592 671.48 K
browseui.dll Sat 3 Sep 2005 10:52:04 A.... 1,019,904 996.00 K
cdfview.dll Sat 3 Sep 2005 10:52:04 A.... 151,040 147.50 K
cdosys.dll Sat 10 Sep 2005 12:53:42 A.... 2,067,968 1.97 M
danim.dll Sat 3 Sep 2005 10:52:04 A.... 1,053,696 1.00 M
dbeinobj.dll Sun 27 Nov 2005 10:45:08 ..S.R 235,433 229.91 K
dxtrans.dll Sat 3 Sep 2005 10:52:04 A.... 205,312 200.50 K
en06l1~1.dll Sun 27 Nov 2005 10:43:54 ..S.R 236,538 230.99 K
extmgr.dll Sat 3 Sep 2005 10:52:04 ..... 55,808 54.50 K
gdi32.dll Thu 6 Oct 2005 14:09:36 A.... 280,064 273.50 K
gwfspi~1.dll Mon 29 Aug 2005 13:27:06 A.... 23,304 22.76 K
iepeers.dll Sat 3 Sep 2005 10:52:04 A.... 251,392 245.50 K
inseng.dll Sat 3 Sep 2005 10:52:04 A.... 96,256 94.00 K
ivxwan.dll Sun 27 Nov 2005 10:26:52 ..S.R 236,538 230.99 K
khfgh.dll Sat 26 Nov 2005 22:05:58 ..SH. 27,661 27.01 K
legitc~1.dll Mon 29 Aug 2005 13:27:12 A.... 520,968 508.76 K
linkinfo.dll Thu 1 Sep 2005 12:41:54 A.... 19,968 19.50 K
lv0409~1.dll Sun 27 Nov 2005 11:02:08 ..S.R 235,433 229.91 K
mshtml.dll Tue 4 Oct 2005 17:26:00 A.... 3,015,168 2.88 M
mshtmled.dll Sat 3 Sep 2005 10:52:06 A.... 448,512 438.00 K
msrating.dll Sat 3 Sep 2005 10:52:06 A.... 146,432 143.00 K
mstime.dll Sat 3 Sep 2005 10:52:06 A.... 530,432 518.00 K
pngfilt.dll Sat 3 Sep 2005 10:52:06 A.... 39,424 38.50 K
quartz.dll Tue 30 Aug 2005 14:54:26 A.... 1,287,168 1.23 M
shdocvw.dll Sat 3 Sep 2005 10:52:06 A.... 1,483,776 1.41 M
shell32.dll Fri 23 Sep 2005 14:05:30 A.... 8,450,560 8.06 M
shlwapi.dll Sat 3 Sep 2005 10:52:06 A.... 473,600 462.50 K
urlmon.dll Sat 3 Sep 2005 10:52:06 A.... 608,768 594.50 K
wininet.dll Sat 3 Sep 2005 10:52:06 A.... 658,432 643.00 K
winsrv.dll Thu 1 Sep 2005 12:41:54 A.... 291,840 285.00 K
wjweb.dll Sun 27 Nov 2005 11:03:12 ..S.R 236,538 230.99 K
yaywt.dll Sat 26 Nov 2005 21:46:58 ..... 27,661 27.01 K

32 items found: 32 files (6 H/S), 0 directories.
Total of file sizes: 25,103,186 bytes 23.94 M
Locate .tmp files:

No matches found.
**********************************************************************************
Directory Listing of system files:
Volume in drive C is IBM_PRELOAD
Volume Serial Number is 6812-F686

Directory of C:\WINDOWS\System32

27/11/2005 11:03 AM 236,538 wjweb.dll
27/11/2005 11:02 AM 235,433 lv0409dqe.dll
27/11/2005 10:45 AM 235,433 dbeinobj.dll
27/11/2005 10:43 AM 236,538 en06l1ds1.dll
27/11/2005 10:26 AM 236,538 ivxwan.dll
27/11/2005 10:23 AM <DIR> dllcache
26/11/2005 10:05 PM 27,661 khfgh.dll
28/05/2005 10:04 AM <DIR> Microsoft
21/11/2001 03:24 AM 7,168 THUMBS.DB
7 File(s) 1,215,309 bytes
2 Dir(s) 15,417,020,416 bytes free
  • 0

#4
Crustyoldbloke
Posted 26 November 2005 - 06:32 PM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again Rob

I understand that Killbox is being updated today. Don't worry over it. There's always more than one way to do things.

The VX2 infection on your PC is confirmed.

Close any programmes you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log, and we'll clean up what's left.

IMPORTANT: Do NOT run any other files in the l2mfix folder unless you are asked to do so!

Extra note... after reboot and logging in, normally a screen will pop up and perform the rest of the fix and notepad opens automatically afterwards.
If that doesn't happen, you'll have to do it manually, so open your L2M-folder which is present on your desktop and doubleclick second.bat.
Let it run and notepad (log.txt) will open then. Copy and paste the contents of it in your next reply with a new hijackthislog.
  • 0

#5
Crustyoldbloke
Posted 07 December 2005 - 02:59 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP