I ran through the steps you asked; I really appreciate it. There are far fewer popups now, hardly any at all. However, the Panda scan found some issues, as you will see in the log. Also, I cannot use MLEXCHANGE, which I use for my appraisal business; I keep getting a Java handler error when trying to do searches. It is an online tool. Well, here is the rest of my information. Thank you very much, I feel like it's close.
I ran Brute Force.
Brute Force uninstaller log:
BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 10:35:44 PM, on 4/12/2006
Failed: DllUnregister C:\WINNT\DH.dll|1 (file not found)
Failed: ServiceStop Network Monitor (service not found)
Failed: ServiceStop cmdService (service not found)
Failed: ServiceDisable Network Monitor (service not found)
Failed: ServiceDisable cmdService (service not found)
Failed: ServiceDelete Network Monitor (service not found)
Failed: ServiceDelete cmdService (service not found)
Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)
Failed: RegDelValue HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler|{4F141CBA-1457-6CCA-03A7-7AA21B61EA0F} (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU1 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|CU2 (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices|services32 (key not found)
Option pause between commands: 300 ms
Option pause between commands: 50 ms
Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)
Failed: FolderDelete C:\Program Files\winupdates (folder not found)
Failed: FolderDelete C:\Program Files\winupdate (folder not found)
Failed: FolderDelete C:\Program Files\winsupdater (folder not found)
Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)
Failed: FolderDelete C:\Program Files\MsMovies (folder not found)
Failed: FolderDelete C:\Program Files\wmplayer (folder not found)
Failed: FolderDelete C:\Program Files\outlook (folder not found)
Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)
Failed: FileDelete C:\Program Files\Common Files\Download\mc-*-*.exe (operation failed)
Failed: FolderDelete C:\DOCUME~1\Kellee\LOCALS~1\Temp\hsperfdata_Kellee (operation failed)
Failed: FileDelete C:\DOCUME~1\Kellee\LOCALS~1\Temp\Perflib_Perfdata_f44.dat (operation failed)
Failed: FolderDelete C:\DOCUME~1\Kellee\LOCALS~1\Temp\Temporary Internet Files (operation failed)
Failed: FileDelete C:\DOCUME~1\Kellee\LOCALS~1\Temp\~DF249C.tmp (operation failed)
Failed: FileDelete C:\DOCUME~1\Kellee\LOCALS~1\Temp\~DF3540.tmp (operation failed)
Failed: FileDelete C:\DOCUME~1\Kellee\LOCALS~1\Temp\~DF48B0.tmp (operation failed)
Failed: FileDelete C:\DOCUME~1\Kellee\LOCALS~1\Temp\~DFACBB.tmp (operation failed)
Failed: FolderDelete C:\Documents and Settings\Kellee\Local Settings\Temporary Internet Files\Content.IE5\6W846F6T (operation failed)
Failed: FolderDelete C:\Documents and Settings\Kellee\Local Settings\Temporary Internet Files\Content.IE5\F1H3YKFG (operation failed)
Failed: FolderDelete C:\Documents and Settings\Kellee\Local Settings\Temporary Internet Files\Content.IE5\F7RQPIFE (operation failed)
Failed: FolderDelete C:\Documents and Settings\Kellee\Local Settings\Temporary Internet Files\Content.IE5\ZLAL33UU (operation failed)
Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)
Failed: FolderDelete C:\Program Files\DNS (folder not found)
Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)
Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)
Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)
Failed: FolderDelete C:\WINNT\inet20001 (folder not found)
Failed: FolderDelete C:\Program Files\Update06 (folder not found)
Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found)
Failed: FolderDelete C:\temp (folder not found)
Failed: FolderCreate C:\bintheredunthat (folder already exists)
Failed: FileMove C:\WINNT\win*-*.exe|C:\bintheredunthat (source file not found)
Script completed.
I unplugged the Ethernet cable, closed all windows, and ran Look2Me-Destroyer:
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 4/12/2006 10:45:05 PM
Infected! C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP554\A0262439.dll
Infected! C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP564\A0272774.dll
Infected! C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP564\A0272785.dll
Infected! C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP564\A0272786.dll
Infected! C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP564\A0272789.dll
Infected! C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP566\A0273014.dll
Infected! C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP566\A0273044.dll
Infected! C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP566\A0274046.dll
Infected! C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP566\A0274103.dll
Attempting to delete infected files...
Attempting to delete: C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP554\A0262439.dll
C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP554\A0262439.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP564\A0272774.dll
C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP564\A0272774.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP564\A0272785.dll
C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP564\A0272785.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP564\A0272786.dll
C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP564\A0272786.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP564\A0272789.dll
C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP564\A0272789.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP566\A0273014.dll
C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP566\A0273014.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP566\A0273044.dll
C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP566\A0273044.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP566\A0274046.dll
C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP566\A0274046.dll Deleted successfully!
Attempting to delete: C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP566\A0274103.dll
C:\System Volume Information\_restore{C8AFD0EB-295C-4DEE-8442-A38BF1F80DC0}\RP566\A0274103.dll Deleted successfully!
Making registry repairs.
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Setup
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ShellServiceObjectDelayLoad
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SideBySide
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{7DCA383D-597B-4E39-9A03-C278ED1E0C2C}"
HKCR\Clsid\{7DCA383D-597B-4E39-9A03-C278ED1E0C2C}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{7C158695-601C-4102-B33A-F919CD445B2F}"
HKCR\Clsid\{7C158695-601C-4102-B33A-F919CD445B2F}
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{72679689-55EB-40D8-B76D-67708C72EE08}"
HKCR\Clsid\{72679689-55EB-40D8-B76D-67708C72EE08}
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
I rebooted in Safe Mode, made the Explorer changes, and ran HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 11:09:14 PM, on 4/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\Documents and Settings\Kellee\Desktop\Real fix\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [w001fb2c.dll] RUNDLL32.EXE w001fb2c.dll,I2 0000207c0001fb2c
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [a la mode Scheduler Tool] C:\Program Files\a la mode\sched\eSched.exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mreis.mlxchange.com/Control/M...ctComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mreis.mlxchange.com/Control/MLXClientUtils.cab
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
Ewido scan report:
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 8:44:51 AM, 4/13/2006
+ Report-Checksum: 80578DB5
+ Scan result:
C:\bintheredunthat\w001fb2c.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\windows\keyboard10.exe -> Downloader.Adload.am : Cleaned with backup
C:\windows\keyboard7.exe -> Downloader.VB.zg : Cleaned with backup
C:\windows\keyboard9.exe -> Downloader.VB.aaf : Cleaned with backup
C:\windows\mousepad10.exe -> Hijacker.VB.ly : Cleaned with backup
C:\windows\mousepad7.exe -> Downloader.VB.zw : Cleaned with backup
C:\windows\mousepad9.exe -> Downloader.VB.aaf : Cleaned with backup
C:\windows\newname10.exe -> Downloader.Adload.ae : Cleaned with backup
::Report End
I ran another HijackThis report after rebooting normally, and ran the Panda scan:
Logfile of HijackThis v1.99.1
Scan saved at 9:14:34 AM, on 4/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\a la mode\sched\eSched.exe
C:\PROGRA~1\SPYWAR~1\swdoctor.exe
C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINNT\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\wdfmgr.exe
C:\Program Files\Network Associates\VirusScan\VsStat.exe
C:\Program Files\Network Associates\VirusScan\Avconsol.exe
C:\Program Files\Network Associates\VirusScan\Webscanx.exe
C:\WINNT\System32\alg.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kellee\Desktop\Real fix\HijackThis.exe
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [a la mode Scheduler Tool] C:\Program Files\a la mode\sched\eSched.exe
O4 - HKCU\..\Run: [Spyware Doctor] C:\PROGRA~1\SPYWAR~1\swdoctor.exe /Q
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mreis.mlxchange.com/Control/M...ctComboBox.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mreis.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
PANDA SCAN LOG:
Incident | Status | Location
Potentially unwanted tool:application/myway | Not disinfected | C:\PROGRAM FILES\MyWay
Potentially unwanted tool:application/altnet | Not disinfected | HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\APP MANAGEMENT\ARPCACHE\ALTNETDM
Adware:adware/powerstrip | Not disinfected | Windows Registry
Spyware:Cookie/Statcounter | Not disinfected | C:\Documents and Settings\Kellee\Cookies\kellee@statcounter[1].txt
Adware:Adware/IST.ISTBar | Not disinfected | C:\Documents and Settings\Kellee\Desktop\New Folder\[Full Version] frontend zer0.zip[YSB_toolBar.exe]
Virus:Bck/IRCBot.WJ | Not disinfected | C:\WINNT\system32\rar.exe