Computer deeply infected; HJT log

Mukanshin · 07-26-2006, 09:03 PM

PLEASE DON'T NOT READ THIS BECAUSE OF THE HIGHLY DETAILED CONTENT. I understand that you guys do this for free, and I highly appreciate all and/or any help I can get.

I am not an expert, but I know alot about computers just by playing with it and surfing the net. Everything that happens to a computer when I'm on it, I know what I did and how to fix it, but this problem lies on my fathers laptop where at least 10 people accessed it without me around. First, my sister managed to get viruses, adware, and spyware on it for she's stupid, along with the other people. It was later that I went on and realized the infections on the computer were routing my ip to bad places where things got worse. After following General Cleaning Instructions multiple times (2-3 truthfully), ZoneAlarm firewall still gave me alerts of my computer directly connecting to strange ip addresses (4 noted in mind, not written down), along with svchost.exe running with 100%. With Process Explorer from http://www.sysinternals.com I've managed to close it, although I have to do it everytime I log on, and this is on a laptop. ONE MORE THING: (dwwin.exe) appears everytime (iexplorer.exe) stays open for at least 15 mins. Error reporting is too complecated for me and this post is big enough. Sorry for the immense detail, I couldn't imagine giving too little so I ended up giving too much. >< Here's the HijackThis log. Located in (C:/HJT/hijackthis.exe). (msconfig.exe) configured in Normal startup so everything is loaded (which I disliked for all the crap they put on here). THANK YOU FOR READING TILL HERE!!

(HijackThis copied EXACTLY as it was saved)

Logfile of HijackThis v1.99.1
Scan saved at 11:23:51 PM, on 7/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\System32\ofps.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\--Computer Fixers--\3. Firewall - not too important, but good to have\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
c:\progra~1\common~1\instal~1\update~1\isuspm.exe
C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.244.149.25:3128
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {249e2583-6642-4987-a6c5-f8254fd248b4} - C:\WINDOWS\system32\mfcCHE.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\--COMP~1\65719~1.BAS\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ADefaultSearch Class - {944864A5-3916-46E2-96A9-A2E84F3F1208} - blank (file missing)
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00309} - C:\WINDOWS\compstuid.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00310} - C:\WINDOWS\system32\compstuid.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - blank (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\--Computer Fixers--\3. Firewall - not too important, but good to have\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WinTasks Traybar] C:\Program Files\--Computer Fixers--\WinTasks\wintasks.exe traybar
O4 - HKLM\..\Run: [websearch] javaw -cp "C:\Program Files\websearch\System\Code" Main lp: "C:\Program Files\websearch"
O4 - HKLM\..\Run: [WebRebates] wjview /cp:p "C:\Program Files\websearch\System\Code" Main lp: "C:\Program Files\websearch
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\Run: [monitor1a] C:\Windows\monitor1a.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [clc] C:\WINDOWS\system32\clc.exe
O4 - HKCU\..\Run: [5e69735e.exe] C:\Documents and Settings\Sonia\Local Settings\Application Data\5e69735e.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://rmlsfl.mlxchange.com/Control/...ctComboBox.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://ghettoprincess1866.spaces.msn...d/MsnPUpld.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://rmlsfl.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://rmlsfl.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C34BF9B-8ECC-489B-B056-B28923EE3202}: NameServer = 200.244.149.26,200.244.149.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{D805F1F2-5A84-4CCF-9D42-F64FCCEF5E9A}: NameServer = 200.244.149.26,200.244.149.20
O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - blank (file missing)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - blank
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g29394086.dll
O20 - Winlogon Notify: mfcCHE - C:\WINDOWS\SYSTEM32\mfcCHE.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbae32 - winbae32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: OmniForm Printer - Unknown owner - C:\WINDOWS\System32\ofps.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Vikesrock8411 · 07-28-2006, 02:47 PM

Hello and welcome to TSF. I apologize for the delay, we have been very busy lately. I assure you it is not becauese you gave too much detail

I recommend you Subscribe to this thread so you are notified of any replies via email. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Downloads(make sure to save these in a permanent location)
Cleanup!- Install it. You will use this later.
*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.
Ewido Anti-Malware

Install Ewido Anti-Malware
Double-click the icon on Desktop to launch Ewido

You will need to update Ewido to the latest definition files.

On the top of the main screen click Shield
Click the word active to change it to inactive
On the top of the main screen click Update.
Then click on Start Update. The update will start and a progress bar will show the updates being installed.
I also recommend changing the "Update interval" to something more reasonable like 12 hours.

If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.
win32delfkil.exe-Save it on your desktop.

Double click on win32delfkil.exe and install it. This creates a new folder on your desktop called win32delfkil.
Close all windows and open the win32delfkil folder and double click on fix.bat.
Once the tool has finished the computer will reboot automatically. If it does not reboot...please do so manually.
Include the contents of the logfile c:\windelf.txt in your next reply.

Next, please reboot your computer in Safe Mode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

Add/Remove
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:
Websearch
WebRebates
Viewpoint

HijackThis!
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {249e2583-6642-4987-a6c5-f8254fd248b4} - C:\WINDOWS\system32\mfcCHE.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: ADefaultSearch Class - {944864A5-3916-46E2-96A9-A2E84F3F1208} - blank (file missing)
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00309} - C:\WINDOWS\compstuid.dll
O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00310} - C:\WINDOWS\system32\compstuid.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - blank (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [websearch] javaw -cp "C:\Program Files\websearch\System\Code" Main lp: "C:\Program Files\websearch"
O4 - HKLM\..\Run: [WebRebates] wjview /cp:p "C:\Program Files\websearch\System\Code" Main lp: "C:\Program Files\websearch
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe
O4 - HKLM\..\Run: [monitor1a] C:\Windows\monitor1a.exe
O4 - HKCU\..\Run: [clc] C:\WINDOWS\system32\clc.exe
O4 - HKCU\..\Run: [5e69735e.exe] C:\Documents and Settings\Sonia\Local Settings\Application Data\5e69735e.exe
O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - blank
O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g29394086.dll
O20 - Winlogon Notify: mfcCHE - C:\WINDOWS\SYSTEM32\mfcCHE.dll
O20 - Winlogon Notify: winbae32 - winbae32.dll (file missing)

Please remember to close all other windows, including browsers then click Fix checked.

File and Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
p2pnetworking.exe <Find via Start>Search
C:\Windows\monitor1a.exe
C:\WINDOWS\g29394086.dll
C:\WINDOWS\system32\5e69735e.exe
C:\WINDOWS\system32\clc.exe
C:\WINDOWS\system32\mfcCHE.dll
C:\Documents and Settings\Sonia\Local Settings\Application Data\5e69735e.exe
C:\Program Files\Viewpoint
C:\Program Files\websearch

Tools
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users
Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it’s checked.

Click OK
Press the CleanUp! button to start the program. If prompted to reboot, click No.

Run Ewido with it's updated definitions:(...it's important that all windows must be closed)

Click Scanner
Click on the Scan tab
Click Complete System Scan to begin scanning.
When the scan is complete click Recommended Action and change it to Quarantine
Then click Apply all actions

Once finished, click the Save report button, then click Save Report As and save it to your desktop.

Reboot your system in Normal Mode.

Online Scans
Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner

Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
Click Scan Now
Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls

Begin the scan by selecting My Computer

If it finds any malware, it may ask you to purchase the program, this is not necessary we will take care of the entries manually.

At the end of the scan click on see report. Then click Save report

Please post that log in your next reply.

In your next post please include:

C:\Windelf.txt
Ewido Log
Panda Activescan Log
A new Hijackthis! Log

Mukanshin · 07-30-2006, 11:17 PM

Sorry took long to reply... lol I was in Sao Paulo for the last three days, just came back into Rio de Janeiro. Anyways, I did all I could, "mcfCHE.dll" gave me problems but with hijackthis I deleted it before startup and got rid of it. Also with the files you told me to take out, I found variations of the "g--numbers--.dll" and removed them too. I know they were variations by the date created and alike names, also how they weren't recognized as important files. Only problem I actually had is with that Panda scan. Not only didn't it scan, but when I allowed the activex to run, it downloaded some virus into my WINDOWS, but my avast! got rid of it as soon as it came up. After that, the scan just wouldn't start, probaly cause of my firewall but I was too mad so I didn't try too hard lol. I'm traumatized from ActiveX related material.

Is it too big of a problem that I don't have that Panda scan? Here are the other scans you asked for.

Ewido Scan:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:01:36 AM 7/31/2006

+ Scan result:

C:\Documents and Settings\monique.HIBREALTY1\Start Menu\Programs\EARN -> Adware.eZula : Cleaned with backup (quarantined).
C:\Documents and Settings\monique.HIBREALTY1\Start Menu\Programs\EARN\EARN website.url -> Adware.eZula : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\LMSetup.exe.tcf -> Adware.MDH : Cleaned with backup (quarantined).
C:\Program Files\filesubmit\autumn123.zip\NNWDAC638.EXE -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\themexp\Themexp.org File\NNWDAB638.EXE -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall6_98.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Documents and Settings\monique.HIBREALTY1\Start Menu\Programs\Power Scan -> Adware.PowerScan : Cleaned with backup (quarantined).
C:\Documents and Settings\monique.HIBREALTY1\Start Menu\Programs\Power Scan\Power Scan.lnk -> Adware.PowerScan : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer.1 -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer\CLSID -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Installer\CurVer -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller.1 -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller\CLSID -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\ScreensaversInstaller.Sinstaller\CurVer -> Adware.Screensavers : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ScreensaversInstaller -> Adware.Screensavers : Cleaned with backup (quarantined).
C:\Program Files\MaxSpeed -> Adware.SideFind : Cleaned with backup (quarantined).
C:\Documents and Settings\-Frank-\Local Settings\Application Data\5e69735e.exe.tcf -> Adware.SmartSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\Adilson\Local Settings\Application Data\5e69735e.exe.tcf -> Adware.SmartSearch : Cleaned with backup (quarantined).
C:\Documents and Settings\monique.HIBREALTY1\Local Settings\Application Data\5e69735e.exe.tcf -> Adware.SmartSearch : Cleaned with backup (quarantined).
C:\Downloads\Chainz2_Setup-dm[1].exe.tcf -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Downloads\ChuzzleSetup-dm[1].exe.tcf -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\Downloads\GoldMinerSetup-dm[1].exe.tcf -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\HJT\backups\backup-20060730-223559-572.dll -> Downloader.ConHook.aa : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026572.dll -> Downloader.ConHook.aa : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\ddaba.exe -> Downloader.ConHook.ab : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\ursrrop.dll -> Downloader.ConHook.ab : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0025571.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0025638.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026790.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026791.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026793.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026794.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026795.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026796.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026797.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026798.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026799.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026800.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026801.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026802.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026804.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026805.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026806.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026807.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026808.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026809.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026810.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026811.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026812.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026813.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026814.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026815.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026816.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026817.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026818.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026819.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026820.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026821.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026822.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026823.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026824.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026825.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026826.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026827.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026828.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026829.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026830.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026831.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026832.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026833.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026834.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026835.dll -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\WINDOWS\cpblpbc25.log -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\WINDOWS\cpblpbc26.log -> Downloader.Delf.aeo : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\admparsel.dll.tcf -> Downloader.Delf.ako : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026803.dll -> Downloader.Delf.amb : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Y1123OA.exe -> Downloader.PurityScan.cq : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\ld100.tmp -> Downloader.Zlob.vr : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\ld101.tmp -> Downloader.Zlob.vr : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\ld102.tmp -> Downloader.Zlob.vr : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\ld104.tmp -> Downloader.Zlob.vr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP26\A0022299.dll -> Hijacker.Agent.ct : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\clbcatix.dll -> Hijacker.Agent.ct : Cleaned with backup (quarantined).
C:\WINDOWS\wisterd.exe -> Logger.Banker.bjs : Cleaned with backup (quarantined).
C:\WINDOWS\brad.exe -> Logger.Banker.bkq : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\popcaploader.dll.tcf -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@247realmedia[1].txt.bak -> TrackingCookie.247realmedia : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@247realmedia[2].txt.bak -> TrackingCookie.247realmedia : Cleaned.
C:\Program Files\SpyHunter\Backup\-frank-@ads.addynamix[1].txt.bak -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@ads.addynamix[1].txt.bak -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@ads.addynamix[2].txt.bak -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\-frank-@z1.adserver[1].txt.bak -> TrackingCookie.Adserver : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@z1.adserver[1].txt.bak -> TrackingCookie.Adserver : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@z1.adserver[2].txt.bak -> TrackingCookie.Adserver : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@adtech[1].txt.bak -> TrackingCookie.Adtech : Cleaned.
C:\Program Files\SpyHunter\Backup\-frank-@advertising[2].txt.bak -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\-frank-@servedby.advertising[1].txt.bak -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\-frank-@servedby.advertising[2].txt.bak -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@advertising[1].txt.bak -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@advertising[2].txt.bak -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@servedby.advertising[1].txt.bak -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@servedby.advertising[2].txt.bak -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\sonia@advertising[2].txt.bak -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\sonia@servedby.advertising[2].txt.bak -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\-frank-@atdmt[2].txt.bak -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@atdmt[1].txt.bak -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@atdmt[2].txt.bak -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\sonia@atdmt[2].txt.bak -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\-frank-@bfast[1].txt.bak -> TrackingCookie.Bfast : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\-frank-@bfast[2].txt.bak -> TrackingCookie.Bfast : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@bfast[1].txt.bak -> TrackingCookie.Bfast : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@bfast[2].txt.bak -> TrackingCookie.Bfast : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\sonia@bfast[2].txt.bak -> TrackingCookie.Bfast : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\-frank-@bluestreak[1].txt.bak -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\-frank-@bluestreak[2].txt.bak -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@bluestreak[1].txt.bak -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@bluestreak[2].txt.bak -> TrackingCookie.Bluestreak : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\-frank-@casalemedia[1].txt.bak -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\-frank-@casalemedia[2].txt.bak -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@casalemedia[1].txt.bak -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@casalemedia[2].txt.bak -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\sonia@casalemedia[2].txt.bak -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\-frank-@centrport[1].txt.bak -> TrackingCookie.Centrport : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@centrport[1].txt.bak -> TrackingCookie.Centrport : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@centrport[2].txt.bak -> TrackingCookie.Centrport : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@clickagents[1].txt.bak -> TrackingCookie.Clickagents : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@clickagents[2].txt.bak -> TrackingCookie.Clickagents : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@commission-junction[1].txt.bak -> TrackingCookie.Commission-junction : Cleaned.
C:\Program Files\SpyHunter\Backup\sonia@commission-junction[2].txt.bak -> TrackingCookie.Commission-junction : Cleaned.
C:\Program Files\SpyHunter\Backup\-frank-@data.coremetrics[1].txt.bak -> TrackingCookie.Coremetrics : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\-frank-@twci.coremetrics[1].txt.bak -> TrackingCookie.Coremetrics : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@data.coremetrics[1].txt.bak -> TrackingCookie.Coremetrics : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@data.coremetrics[2].txt.bak -> TrackingCookie.Coremetrics : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@test.coremetrics[1].txt.bak -> TrackingCookie.Coremetrics : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@twci.coremetrics[1].txt.bak -> TrackingCookie.Coremetrics : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@www.directnetadvertising[1].txt.bak -> TrackingCookie.Directnetadvertising : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\-frank-@doubleclick[1].txt.bak -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\-frank-@doubleclick[2].txt.bak -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@doubleclick[1].txt.bak -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@doubleclick[2].txt.bak -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\sonia@doubleclick[1].txt.bak -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\-frank-@fastclick[1].txt.bak -> TrackingCookie.Fastclick : Cleaned.
C:\Program Files\SpyHunter\Backup\-frank-@fastclick[2].txt.bak -> TrackingCookie.Fastclick : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@fastclick[1].txt.bak -> TrackingCookie.Fastclick : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@fastclick[2].txt.bak -> TrackingCookie.Fastclick : Cleaned.
C:\Program Files\SpyHunter\Backup\sonia@fastclick[1].txt.bak -> TrackingCookie.Fastclick : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@gator[1].txt.bak -> TrackingCookie.Gator : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@webpdp.gator[1].txt.bak -> TrackingCookie.Gator : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\-frank-@ehg-ati.hitbox[1].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\-frank-@ehg-ati.hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\-frank-@ehg-cafepress.hitbox[1].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\-frank-@ehg-fxcm.hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\-frank-@ehg-newegg.hitbox[1].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\-frank-@ehg-newegg.hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\-frank-@ehg-sigames.hitbox[1].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\-frank-@ehg-sonycomputer.hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\-frank-@ehg-technuity.hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\-frank-@ehg-techtarget.hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\-frank-@ehg-tigerdirect.hitbox[1].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\-frank-@ehg-tigerdirect.hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\-frank-@ehg-tigerdirect2.hitbox[1].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\-frank-@hg1.hitbox[1].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\-frank-@hitbox[1].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\-frank-@hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@ehg-affinitynet.hitbox[1].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@ehg-affinitynet.hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@ehg-aha.hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@ehg-aol.hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@ehg-bcstore.hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@ehg-bestbuy.hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@ehg-comcast.hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@ehg-commjun.hitbox[1].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@ehg-dig.hitbox[1].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@ehg-foxsports.hitbox[1].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@ehg-gbcsign.hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@ehg-ingersollrand.hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@ehg-interlandinc.hitbox[1].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@ehg-interval.hitbox[1].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@ehg-lioninc.hitbox[1].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@ehg-lioninc.hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@ehg-lowermybills.hitbox[1].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@ehg-realtytimes.hitbox[1].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@ehg-realtytimes.hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@ehg-realtytrac.hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@ehg-sonycomputer.hitbox[1].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@ehg-vonage.hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@ehg-wachovia.hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@ehg-z57.hitbox[1].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@ehg-zoomerang.hitbox[1].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@hg1.hitbox[1].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@hg1.hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@hitbox[1].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@phg.hitbox[1].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@phg.hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\sonia@ehg-bestbuy.hitbox[1].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\sonia@hitbox[2].txt.bak -> TrackingCookie.Hitbox : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@counter2.hitslink[2].txt.bak -> TrackingCookie.Hitslink : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@linksynergy[1].txt.bak -> TrackingCookie.Linksynergy : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@linksynergy[2].txt.bak -> TrackingCookie.Linksynergy : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\sonia@linksynergy[2].txt.bak -> TrackingCookie.Linksynergy : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\-frank-@mediaplex[1].txt.bak -> TrackingCookie.Mediaplex : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@mediaplex[1].txt.bak -> TrackingCookie.Mediaplex : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@mediaplex[2].txt.bak -> TrackingCookie.Mediaplex : Cleaned.
C:\Program Files\SpyHunter\Backup\sonia@mediaplex[1].txt.bak -> TrackingCookie.Mediaplex : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@qksrv[1].txt.bak -> TrackingCookie.Qksrv : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@qksrv[2].txt.bak -> TrackingCookie.Qksrv : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\sonia@qksrv[1].txt.bak -> TrackingCookie.Qksrv : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\-frank-@ads.realcastmedia[2].txt.bak -> TrackingCookie.Realcastmedia : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@ads.realcastmedia[1].txt.bak -> TrackingCookie.Realcastmedia : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@ads.realcastmedia[2].txt.bak -> TrackingCookie.Realcastmedia : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\adilson@www.realcastmedia[2].txt.bak -> TrackingCookie.Realcastmedia : Cleaned with backup (quarantined).
C:\Program Files\SpyHunter\Backup\-frank-@revenue[1].txt.bak -> TrackingCookie.Revenue : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@revenue[1].txt.bak -> TrackingCookie.Revenue : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@revenue[2].txt.bak -> TrackingCookie.Revenue : Cleaned.
C:\Program Files\SpyHunter\Backup\-frank-@spylog[2].txt.bak -> TrackingCookie.Spylog : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@spylog[1].txt.bak -> TrackingCookie.Spylog : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@spylog[2].txt.bak -> TrackingCookie.Spylog : Cleaned.
C:\Program Files\SpyHunter\Backup\-frank-@targetnet[2].txt.bak -> TrackingCookie.Targetnet : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@targetnet[1].txt.bak -> TrackingCookie.Targetnet : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@targetnet[2].txt.bak -> TrackingCookie.Targetnet : Cleaned.
C:\Program Files\SpyHunter\Backup\-frank-@trafficmp[2].txt.bak -> TrackingCookie.Trafficmp : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@trafficmp[1].txt.bak -> TrackingCookie.Trafficmp : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@trafficmp[2].txt.bak -> TrackingCookie.Trafficmp : Cleaned.
C:\Program Files\SpyHunter\Backup\-frank-@valueclick[1].txt.bak -> TrackingCookie.Valueclick : Cleaned.
C:\Program Files\SpyHunter\Backup\-frank-@valueclick[2].txt.bak -> TrackingCookie.Valueclick : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@valueclick[1].txt.bak -> TrackingCookie.Valueclick : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@valueclick[2].txt.bak -> TrackingCookie.Valueclick : Cleaned.
C:\Program Files\SpyHunter\Backup\-frank-@statse.webtrendslive[2].txt.bak -> TrackingCookie.Webtrendslive : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@statse.webtrendslive[1].txt.bak -> TrackingCookie.Webtrendslive : Cleaned.
C:\Program Files\SpyHunter\Backup\adilson@statse.webtrendslive[2].txt.bak -> TrackingCookie.Webtrendslive : Cleaned.
C:\Program Files\SpyHunter\Backup\sonia@ads.x10[1].txt.bak -> TrackingCookie.X10 : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\winbae32.dll.tcf -> Trojan.Agent.vg : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\1024 -> Trojan.Small : Cleaned with backup (quarantined).

::Report end

"C:\Windelf.txt" scan:

************************
* WIN32DELFKIL LOGFILE *
************************
by Marckie

BEFORE RUNNING WIN32DELFKIL
***************************

File(s) found in Windows directory
----------------------------------
g12705419.dll
g13906246.dll
g1404229.dll
g15107513.dll
g18657437.dll
g18714259.dll
g19915597.dll
g199887.dll
g22263022.dll
g23464790.dll
g24665437.dll
g29394086.dll
g31919407.dll
g33120154.dll
g34320730.dll
g37922549.dll
g38748988.dll
g39125319.dll
g39949514.dll
g40323672.dll
g41150100.dll
g43926833.dll
g44752320.dll
g45128281.dll
g45953267.dll
g47153403.dll
g5004115.dll
g50755712.dll
g51613486.dll
g51955788.dll
g52814232.dll
g54014759.dll
g57617529.dll
g58819598.dll
g60053732.dll
g6208016.dll
g63650063.dll
g64851922.dll
g66054751.dll
g69661527.dll
g70862564.dll
g72067527.dll
g81196674.dll
g86244222.dll
g87445520.dll
g93169460.dll
compstuid.dll

File(s) found in system32 folder
--------------------------------
compstuid.dll

Export SharedTaskScheduler key
------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{259BA022-2005-45E9-A965-10EDB9C00605}"="Windows Updater"
"{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}"="Master Browseui"

sharedtaskkey: 259BA022-2005-45E9-A965-10EDB9C00605
---------------------------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{259BA022-2005-45E9-A965-10EDB9C00605}]
@="C:\\WINDOWS\\g29394086.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{259BA022-2005-45E9-A965-10EDB9C00605}\InprocServer32]
@="C:\\WINDOWS\\g29394086.dll"
"ThreadingModel"="Apartment"

sharedtaskkey: 0B5F7FDF-0717-45BF-B49D-695F3168C7FE
---------------------------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B5F7FDF-0717-45BF-B49D-695F3168C7FE}]

Notify key
----------
subkey cfgmngr32 is present!

AFTER RUNNING WIN32DELFKIL
**************************

File(s) found in Windows directory
----------------------------------
g12705419.dll
g13906246.dll
g1404229.dll
g15107513.dll
g18657437.dll
g18714259.dll
g19915597.dll
g199887.dll
g22263022.dll
g23464790.dll
g24665437.dll
g29394086.dll
g31919407.dll
g33120154.dll
g34320730.dll
g37922549.dll
g38748988.dll
g39125319.dll
g39949514.dll
g40323672.dll
g41150100.dll
g43926833.dll
g44752320.dll
g45128281.dll
g45953267.dll
g47153403.dll
g5004115.dll
g50755712.dll
g51613486.dll
g51955788.dll
g52814232.dll
g54014759.dll
g57617529.dll
g58819598.dll
g60053732.dll
g6208016.dll
g63650063.dll
g64851922.dll
g66054751.dll
g69661527.dll
g70862564.dll
g72067527.dll
g81196674.dll
g86244222.dll
g87445520.dll
g93169460.dll

File(s) found in system32 folder
--------------------------------
Export SharedTaskScheduler key
------------------------------
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

Notify key
----------

And Hijackthis! scan:

Logfile of HijackThis v1.99.1
Scan saved at 1:56:44 AM, on 7/31/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\--Computer Fixers--\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\Program Files\--Computer Fixers--\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\-Frank-\Desktop\CTL+ALT+DEL.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.244.149.25:3128
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\--COMP~1\65719~1.BAS\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\--Computer Fixers--\ewido anti-spyware 4.0\ewido.exe" /minimized
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://rmlsfl.mlxchange.com/Control/...ctComboBox.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://ghettoprincess1866.spaces.msn...d/MsnPUpld.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://rmlsfl.mlxchange.com/Control/MLXClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://rmlsfl.mlxchange.com/Control/IRCSharc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C34BF9B-8ECC-489B-B056-B28923EE3202}: NameServer = 200.244.149.26,200.244.149.20
O17 - HKLM\System\CCS\Services\Tcpip\..\{D805F1F2-5A84-4CCF-9D42-F64FCCEF5E9A}: NameServer = 200.244.149.26,200.244.149.20
O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - blank (file missing)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\--Computer Fixers--\ewido anti-spyware 4.0\guard.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Thanks for the help you've given so far. There was a ton of adware and spyware that ewido took out. Also, so far the Spooler Subsystem App didn't fail this time it started up, and svchost.exe didn't run at 100%, two threads in it I mean. lol I don't think I mentioned the Spooler service failing before, but I just remembered. Sorry if that causes inconvienience. I'm looking forward for your next post Vikesrock8411!

(p.s.- This thread has been suscribed since the start.

)

Vikesrock8411 · 07-31-2006, 12:56 AM

The "Virus" that Avast detected was Panda's definition file. Panda does not encrypt the file containing their virus definitions so some AVs including Avast detect it as a virus. Let's run this alternate online scan.

Please open IE and go to
Kaspersky WebScanner

Next Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
- Extended
- Scan Options:
- Scan Archives
  Scan Mail Bases
Click OK
Now under select a target to scan:
- Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Mukanshin · 07-31-2006, 09:33 AM

My bad then, about before. Anyways here's the Kapersky Scan.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, July 31, 2006 12:31:01 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 31/07/2006
Kaspersky Anti-Virus database records: 210985
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
F:\

Scan Statistics:
Total number of scanned objects: 85649
Number of viruses found: 16
Number of infected objects: 21 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:19:11

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\-Frank-\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\-Frank-\Desktop\The_Melancholy_of_Suzumiya_Haruhi_v01_c01[EBL].zip Object is locked skipped
C:\Documents and Settings\-Frank-\Desktop\[ASH_&_Shi-Fa]_Cluster_Edge_-_01_[2236B8EB].avi Object is locked skipped
C:\Documents and Settings\-Frank-\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\-Frank-\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\-Frank-\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\-Frank-\Local Settings\History\History.IE5\MSHist012006072420060731\index.dat Object is locked skipped
C:\Documents and Settings\-Frank-\Local Settings\History\History.IE5\MSHist012006073120060801\index.dat Object is locked skipped
C:\Documents and Settings\-Frank-\Local Settings\Temp\Perflib_Perfdata_998.dat Object is locked skipped
C:\Documents and Settings\-Frank-\Local Settings\Temp\~DFBD0E.tmp Object is locked skipped
C:\Documents and Settings\-Frank-\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\-Frank-\ntuser.dat Object is locked skipped
C:\Documents and Settings\-Frank-\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Adilson\Local Settings\Temporary Internet Files\AntiPhishing\6729BBF9-D54C-48CB-A4D7-AD400339D808.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2b111ab0eda16bd9fcacbdae8a92157b_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3698b1562418b43409a39f13516ca426_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\87c7469c0ae839acbac182b37a78c61c_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\eeb704270e38206cdfb80f09087b8bdf_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\monique.HIBREALTY1\Local Settings\Temporary Internet Files\AntiPhishing\6729BBF9-D54C-48CB-A4D7-AD400339D808.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\LimeWire\Incomplete\T-3218956-Wicked Remix.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
C:\Program Files\SpyHunter\Backup\eZinstall[1].exe.bak/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.EZula.ak skipped
C:\Program Files\SpyHunter\Backup\eZinstall[1].exe.bak WiseSFX: infected - 1 skipped
C:\Program Files\SpyHunter\Backup\MY2NS.EXE.bak Infected: not-a-virus:AdWare.Win32.MyWay.b skipped
C:\Program Files\SpyHunter\Backup\whInstaller.exe.bak Infected: not-a-virus:AdWare.Win32.WebHancer.290 skipped
C:\Program Files\themexp\Themexp.org File\atoolbar400135.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
C:\Program Files\themexp\Themexp.org File\atoolbar400135.exe WiseSFX: infected - 1 skipped
C:\Program Files\themexp\Themexp.org File\atoolbar400135.exe WiseSFX Dropper: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP27\A0022325.exe Infected: Trojan-Dropper.Win32.WinAD.e skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0025572.dll Infected: Trojan-Downloader.Win32.Delf.aeo skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026838.dll Infected: Trojan-Downloader.Win32.ConHook.aa skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026839.exe Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026840.dll Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026841.exe Infected: Trojan-Spy.Win32.Banker.bkq skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026842.exe Infected: Trojan-Downloader.Win32.ConHook.ac skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026843.dll Infected: Trojan-Downloader.Win32.ConHook.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026844.exe Infected: Trojan-Spy.Win32.Banker.bjs skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026846.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026847.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026848.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026849.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\sysmain.sdb Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\xpsp2res.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\fldrclnr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\shlwapi.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\sxs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\xpsp2res.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ329115$\reg00003 Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\THEREALTYBRANCH.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bak Infected: Trojan.Win32.Qhost skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_108.dat Object is locked skipped
C:\WINDOWS\Temp\ZLT00085.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT00088.TMP Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Vikesrock8411 · 07-31-2006, 11:55 AM

Don;t worry about the Panda thing, you are much better off safe then sorry.

Delete the following files:
C:\Program Files\LimeWire\Incomplete\T-3218956-Wicked Remix.wma
C:\Program Files\SpyHunter\Backup\eZinstall[1].exe.bak
C:\Program Files\SpyHunter\Backup\MY2NS.EXE.bak
C:\Program Files\SpyHunter\Backup\whInstaller.exe.bak
C:\Program Files\themexp\Themexp.org File\atoolbar400135.exe
C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bak

How is the PC running now?

Mukanshin · 07-31-2006, 01:07 PM

A hell lot better than before. Spooler service doesn't seem to fail anymore, svchost.exe running normal, firewalls not telling me about strange ips my trying to connect with my pc, and yeah, it's great. Thanks alot. Now I can access my bank in peace knowing my computer is safe. Thanks again. Hopefully we won't be meeting each other again too soon.

Vikesrock8411 · 07-31-2006, 01:38 PM

Ewido removed 2 trojans known as Trojan.banker It is very possible that your Firewall caught all activity attmepted by these trojans, but I would closely examine any bank and credit card statements and change all passwrods on these sites.

Your log appears to be clean. If you still have any problems let me know and we will work on diagnosing those through other means. If not, there are just a few more things to go through to finish this off and help prevent future infections. Please post one more time even if you have no problems so we can mark this thread as resolved.

Setting a new Restore Point
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter.

Tick the checkbox - Turn off System Restore on all drives
Click Apply
Turn it back 'On' by unticking the same checkbox & click OK

Windows Update
Make sure to get the latest updates for Windows and Internet Explorer at Microsoft Update Site.

Prevention
A good virus scanner is a necessity in today's computer environment. Many virus scanners include active components that protect you from infection without even running a scan. Some good free antivirus programs include:
AVG Free
Avast! Home Edition (Antivirus & Firewall)
AntiVir

A firewall is the first line of defense standing between the internet and your computer. Some good free firewalls are:
Zone Alarm
Outpost
Tiny Personal Firewall
Sunbelt Kerio Personal Firewall

Adaware SE and Spybot SD are a pair of anti-spyware scanners that should be run every week or two. Although there is some overlap there are many pieces of malware that is caught by one of these and not the other, therefore it is recommended you use both to compliment each other. Spybot also contains two other useful pieces. The first is "Immunize", this helps protect your computer against known exploits. The second is "TeaTimer", with this feature enabled you will receive notifications of all changes to the registry such as programs adding themselves to start-up and you default search page being changed.

Spyware Blaster is a powerful tool that prevents "drive-by" downloads and other unwanted installations. It also uses no system resources, run it once and you're all set. Spyware Guard Is a realtime protection engine to guard your computer from spyware. This program does for spyware what an antivirus program does for viruses.

IE-Spyad is a program that only needs to be run once to protect you from many malicious sites. It adds domains of known adware companies into the Restricted List of Internet Explorer, preventing them from performing malicious actions on your PC.

The MVPS HOSTS file is a file you can download and use to replace your regular hosts file. It prevents many sites from performing malicious actions by blocking the sites from ever being accessed.

Together these programs form a powerful barrier between the Internet and your computer. However, all the programs stand alone and feel free to eliminate any you are not comfortable with. Any protection you add to your PC is better than no protection at all.

Alternative Programs
Here are some alternatives that are either less suceptible than others to malware or don't contain malware where similar programs do.

Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

Desktop Weather - Free taskbar weather program that is free, malware free, and resource light.

Firefox - This is an increasingly popular alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

Mukanshin · 07-31-2006, 09:19 PM

Yep, thought about changing it, guess I will since I was told by a professional. Thanks for all your hard work, and the extra sites you put in there. Thanks a million.

EDIT: Thread resolved.

07-26-2006, 09:03 PM	#1 (permalink)
Mukanshin Registered User Join Date: Jul 2006 Posts: 6 OS: Windows XP Home Edition SP2	Computer deeply infected; HJT log PLEASE DON'T NOT READ THIS BECAUSE OF THE HIGHLY DETAILED CONTENT. I understand that you guys do this for free, and I highly appreciate all and/or any help I can get. I am not an expert, but I know alot about computers just by playing with it and surfing the net. Everything that happens to a computer when I'm on it, I know what I did and how to fix it, but this problem lies on my fathers laptop where at least 10 people accessed it without me around. First, my sister managed to get viruses, adware, and spyware on it for she's stupid, along with the other people. It was later that I went on and realized the infections on the computer were routing my ip to bad places where things got worse. After following General Cleaning Instructions multiple times (2-3 truthfully), ZoneAlarm firewall still gave me alerts of my computer directly connecting to strange ip addresses (4 noted in mind, not written down), along with svchost.exe running with 100%. With Process Explorer from http://www.sysinternals.com I've managed to close it, although I have to do it everytime I log on, and this is on a laptop. ONE MORE THING: (dwwin.exe) appears everytime (iexplorer.exe) stays open for at least 15 mins. Error reporting is too complecated for me and this post is big enough. Sorry for the immense detail, I couldn't imagine giving too little so I ended up giving too much. >< Here's the HijackThis log. Located in (C:/HJT/hijackthis.exe). (msconfig.exe) configured in Normal startup so everything is loaded (which I disliked for all the crap they put on here). THANK YOU FOR READING TILL HERE!! (HijackThis copied EXACTLY as it was saved) Logfile of HijackThis v1.99.1 Scan saved at 11:23:51 PM, on 7/26/2006 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe C:\WINDOWS\system32\brsvc01a.exe C:\WINDOWS\system32\LEXBCES.EXE C:\WINDOWS\system32\brss01a.exe C:\WINDOWS\system32\LEXPPS.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\WINDOWS\System32\ofps.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\System32\wltrysvc.exe C:\WINDOWS\System32\bcmwltry.exe C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\Explorer.EXE C:\Program Files\--Computer Fixers--\3. Firewall - not too important, but good to have\Zone Labs\ZoneAlarm\zlclient.exe C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Synaptics\SynTP\SynTPLpr.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe C:\Program Files\QuickTime\qttask.exe C:\Program Files\Dell\Media Experience\PCMService.exe C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe C:\Program Files\iTunes\iTunesHelper.exe C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\System32\DSentry.exe C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe C:\Program Files\Creative\Shared Files\CAMTRAY.EXE C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe C:\WINDOWS\BCMSMMSG.exe C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\MSN Messenger\msnmsgr.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe c:\progra~1\common~1\instal~1\update~1\isuspm.exe C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe C:\HJT\HijackThis.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/ R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 200.244.149.25:3128 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {249e2583-6642-4987-a6c5-f8254fd248b4} - C:\WINDOWS\system32\mfcCHE.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\--COMP~1\65719~1.BAS\SPYBOT~1\SDHelper.dll O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll O2 - BHO: ADefaultSearch Class - {944864A5-3916-46E2-96A9-A2E84F3F1208} - blank (file missing) O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00309} - C:\WINDOWS\compstuid.dll O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00310} - C:\WINDOWS\system32\compstuid.dll O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - blank (file missing) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\--Computer Fixers--\3. Firewall - not too important, but good to have\Zone Labs\ZoneAlarm\zlclient.exe" O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [WinTasks Traybar] C:\Program Files\--Computer Fixers--\WinTasks\wintasks.exe traybar O4 - HKLM\..\Run: [websearch] javaw -cp "C:\Program Files\websearch\System\Code" Main lp: "C:\Program Files\websearch" O4 - HKLM\..\Run: [WebRebates] wjview /cp:p "C:\Program Files\websearch\System\Code" Main lp: "C:\Program Files\websearch O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe" O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe O4 - HKLM\..\Run: [monitor1a] C:\Windows\monitor1a.exe O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [ISUSScheduler] "C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\issch.exe" -start O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe -startup O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe" O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKCU\..\Run: [clc] C:\WINDOWS\system32\clc.exe O4 - HKCU\..\Run: [5e69735e.exe] C:\Documents and Settings\Sonia\Local Settings\Application Data\5e69735e.exe O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://rmlsfl.mlxchange.com/Control/...ctComboBox.cab O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://ghettoprincess1866.spaces.msn...d/MsnPUpld.cab O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://rmlsfl.mlxchange.com/Control/MLXClientUtils.cab O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://rmlsfl.mlxchange.com/Control/IRCSharc.cab O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yaho...ymmapi_416.dll O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab O17 - HKLM\System\CCS\Services\Tcpip\..\{6C34BF9B-8ECC-489B-B056-B28923EE3202}: NameServer = 200.244.149.26,200.244.149.20 O17 - HKLM\System\CCS\Services\Tcpip\..\{D805F1F2-5A84-4CCF-9D42-F64FCCEF5E9A}: NameServer = 200.244.149.26,200.244.149.20 O18 - Protocol: bt2 - {1730B77B-F429-498F-9B15-4514D83C8294} - blank (file missing) O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - blank O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g29394086.dll O20 - Winlogon Notify: mfcCHE - C:\WINDOWS\SYSTEM32\mfcCHE.dll O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll O20 - Winlogon Notify: winbae32 - winbae32.dll (file missing) O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing) O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing) O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe O23 - Service: OmniForm Printer - Unknown owner - C:\WINDOWS\System32\ofps.exe O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

07-28-2006, 02:47 PM	#2 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Hello and welcome to TSF. I apologize for the delay, we have been very busy lately. I assure you it is not becauese you gave too much detail I recommend you Subscribe to this thread so you are notified of any replies via email. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe. Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions. Downloads(make sure to save these in a permanent location) Cleanup!- Install it. You will use this later. NOTE Cleanup deletes EVERYTHING out of temporary folders and does not make backups. Ewido Anti-Malware Install Ewido Anti-Malware Double-click the icon on Desktop to launch Ewido You will need to update Ewido to the latest definition files. On the top of the main screen click Shield Click the word active to change it to inactive On the top of the main screen click Update. Then click on Start Update. The update will start and a progress bar will show the updates being installed. I also recommend changing the "Update interval" to something more reasonable like 12 hours. If you are having problems with the updater, you can use this link to manually update Ewido When you have finished updating, EXIT Ewido. win32delfkil.exe-Save it on your desktop. Double click on win32delfkil.exe and install it. This creates a new folder on your desktop called win32delfkil. Close all windows and open the win32delfkil folder and double click on fix.bat. Once the tool has finished the computer will reboot automatically. If it does not reboot...please do so manually. Include the contents of the logfile c:\windelf.txt in your next reply. Next, please reboot your computer in Safe Mode by doing the following: Restart your computer After hearing your computer beep once during startup, but before the Windows icon appears, press F8. Instead of Windows loading as normal, a menu should appear Select the first option, to run Windows in Safe Mode. Add/Remove Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs: Websearch WebRebates Viewpoint HijackThis! Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any) R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file) O2 - BHO: (no name) - {249e2583-6642-4987-a6c5-f8254fd248b4} - C:\WINDOWS\system32\mfcCHE.dll O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file) O2 - BHO: ADefaultSearch Class - {944864A5-3916-46E2-96A9-A2E84F3F1208} - blank (file missing) O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00309} - C:\WINDOWS\compstuid.dll O2 - BHO: (no name) - {A4F94C0C-54A7-4DB1-9AF3-B22E63D00310} - C:\WINDOWS\system32\compstuid.dll O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - blank (file missing) O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file) O4 - HKLM\..\Run: [websearch] javaw -cp "C:\Program Files\websearch\System\Code" Main lp: "C:\Program Files\websearch" O4 - HKLM\..\Run: [WebRebates] wjview /cp:p "C:\Program Files\websearch\System\Code" Main lp: "C:\Program Files\websearch O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe O4 - HKLM\..\Run: [p2pnetworking] p2pnetworking.exe O4 - HKLM\..\Run: [monitor1a] C:\Windows\monitor1a.exe O4 - HKCU\..\Run: [clc] C:\WINDOWS\system32\clc.exe O4 - HKCU\..\Run: [5e69735e.exe] C:\Documents and Settings\Sonia\Local Settings\Application Data\5e69735e.exe O18 - Filter: application/x-bt2 - {6E1DDCE8-76BC-4390-9488-806E8FB1AD77} - blank O20 - Winlogon Notify: cfgmngr32 - C:\WINDOWS\g29394086.dll O20 - Winlogon Notify: mfcCHE - C:\WINDOWS\SYSTEM32\mfcCHE.dll O20 - Winlogon Notify: winbae32 - winbae32.dll (file missing) Please remember to close all other windows, including browsers then click Fix checked. File and Folder Deletions Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. p2pnetworking.exe <Find via Start>Search C:\Windows\monitor1a.exe C:\WINDOWS\g29394086.dll C:\WINDOWS\system32\5e69735e.exe C:\WINDOWS\system32\clc.exe C:\WINDOWS\system32\mfcCHE.dll C:\Documents and Settings\Sonia\Local Settings\Application Data\5e69735e.exe C:\Program Files\Viewpoint C:\Program Files\websearch Tools Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows: Click "Options..." Move the arrow down to "Custom CleanUp!" Put a check next to the following: Empty Recycle Bins Delete Cookies Delete Prefetch files Cleanup! All Users Click on the "Temporary Files" and uncheck the box for "Scan drives for file matching" if it’s checked. Click OK Press the CleanUp!* button to start the program. If prompted to reboot, click No. Run Ewido with it's updated definitions:(...it's important that all windows must be closed) Click Scanner Click on the Scan tab Click Complete System Scan to begin scanning. When the scan is complete click Recommended Action and change it to Quarantine Then click Apply all actions Once finished, click the Save report button, then click Save Report As and save it to your desktop. Reboot your system in Normal Mode. Online Scans Perform an online scan with Internet Explorer with Panda ActiveScan click on "Free use ActiveScan" located on the top right hand corner Click Scan your PC** & a 'pop up' window shall appear. ensure that your pop up blocker doesn't block it Click Scan Now* Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls Begin the scan by selecting My Computer If it finds any malware, it may ask you to purchase the program, this is not necessary we will take care of the entries manually. At the end of the scan click on see report. Then click Save report Please post that log in your next reply. In your next post please include: C:\Windelf.txt Ewido Log Panda Activescan Log A new Hijackthis! Log __________________

07-31-2006, 12:56 AM	#4 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	The "Virus" that Avast detected was Panda's definition file. Panda does not encrypt the file containing their virus definitions so some AVs including Avast detect it as a virus. Let's run this alternate online scan. Please open IE and go to Kaspersky WebScanner Next Click on Kaspersky Online Scanner You will be prompted to install an ActiveX component from Kaspersky, Click Yes. The program will launch and then begin downloading the latest definition files: Once the files have been downloaded click on NEXT Now click on Scan Settings In the scan settings make that the following are selected: Scan using the following Anti-Virus database: Extended Scan Options: Scan Archives Scan Mail Bases Click OK Now under select a target to scan: Select My Computer This will program will start and scan your system. The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected. Now click on the Save as Text button: Save the file to your desktop. Copy and paste that information in your next post. * Turn off the real time scanner of any existing antivirus program while performing the online scan __________________

07-31-2006, 11:55 AM	#6 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Don;t worry about the Panda thing, you are much better off safe then sorry. Delete the following files: C:\Program Files\LimeWire\Incomplete\T-3218956-Wicked Remix.wma C:\Program Files\SpyHunter\Backup\eZinstall[1].exe.bak C:\Program Files\SpyHunter\Backup\MY2NS.EXE.bak C:\Program Files\SpyHunter\Backup\whInstaller.exe.bak C:\Program Files\themexp\Themexp.org File\atoolbar400135.exe C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bak How is the PC running now? __________________

07-31-2006, 01:38 PM	#8 (permalink)
Vikesrock8411 Analyst, Security Team Join Date: Jun 2005 Posts: 3,065 OS: Windows XP	Ewido removed 2 trojans known as Trojan.banker It is very possible that your Firewall caught all activity attmepted by these trojans, but I would closely examine any bank and credit card statements and change all passwrods on these sites. Your log appears to be clean. If you still have any problems let me know and we will work on diagnosing those through other means. If not, there are just a few more things to go through to finish this off and help prevent future infections. Please post one more time even if you have no problems so we can mark this thread as resolved. Setting a new Restore Point Go to Start >> Run - type control sysdm.cpl,,4 & press Enter. Tick the checkbox - Turn off System Restore on all drives Click Apply Turn it back 'On' by unticking the same checkbox & click OK Windows Update Make sure to get the latest updates for Windows and Internet Explorer at Microsoft Update Site. Prevention A good virus scanner is a necessity in today's computer environment. Many virus scanners include active components that protect you from infection without even running a scan. Some good free antivirus programs include: AVG Free Avast! Home Edition (Antivirus & Firewall) AntiVir A firewall is the first line of defense standing between the internet and your computer. Some good free firewalls are: Zone Alarm Outpost Tiny Personal Firewall Sunbelt Kerio Personal Firewall Adaware SE and Spybot SD are a pair of anti-spyware scanners that should be run every week or two. Although there is some overlap there are many pieces of malware that is caught by one of these and not the other, therefore it is recommended you use both to compliment each other. Spybot also contains two other useful pieces. The first is "Immunize", this helps protect your computer against known exploits. The second is "TeaTimer", with this feature enabled you will receive notifications of all changes to the registry such as programs adding themselves to start-up and you default search page being changed. Spyware Blaster is a powerful tool that prevents "drive-by" downloads and other unwanted installations. It also uses no system resources, run it once and you're all set. Spyware Guard Is a realtime protection engine to guard your computer from spyware. This program does for spyware what an antivirus program does for viruses. IE-Spyad is a program that only needs to be run once to protect you from many malicious sites. It adds domains of known adware companies into the Restricted List of Internet Explorer, preventing them from performing malicious actions on your PC. The MVPS HOSTS file is a file you can download and use to replace your regular hosts file. It prevents many sites from performing malicious actions by blocking the sites from ever being accessed. Together these programs form a powerful barrier between the Internet and your computer. However, all the programs stand alone and feel free to eliminate any you are not comfortable with. Any protection you add to your PC is better than no protection at all. Alternative Programs Here are some alternatives that are either less suceptible than others to malware or don't contain malware where similar programs do. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN) Desktop Weather - Free taskbar weather program that is free, malware free, and resource light. Firefox - This is an increasingly popular alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness. __________________

07-31-2006, 09:33 AM	#5 (permalink)
Mukanshin Registered User Join Date: Jul 2006 Posts: 6 OS: Windows XP Home Edition SP2	My bad then, about before. Anyways here's the Kapersky Scan. ------------------------------------------------------------------------------- KASPERSKY ONLINE SCANNER REPORT Monday, July 31, 2006 12:31:01 PM Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600) Kaspersky Online Scanner version: 5.0.83.0 Kaspersky Anti-Virus database last update: 31/07/2006 Kaspersky Anti-Virus database records: 210985 ------------------------------------------------------------------------------- Scan Settings: Scan using the following antivirus database: extended Scan Archives: true Scan Mail Bases: true Scan Target - My Computer: C:\ D:\ F:\ Scan Statistics: Total number of scanned objects: 85649 Number of viruses found: 16 Number of infected objects: 21 / 0 Number of suspicious objects: 0 Duration of the scan process: 01:19:11 Infected Object Name / Virus Name / Last Action C:\Documents and Settings\-Frank-\Cookies\index.dat Object is locked skipped C:\Documents and Settings\-Frank-\Desktop\The_Melancholy_of_Suzumiya_Haruhi_v01_c01[EBL].zip Object is locked skipped C:\Documents and Settings\-Frank-\Desktop\[ASH_&_Shi-Fa]_Cluster_Edge_-_01_[2236B8EB].avi Object is locked skipped C:\Documents and Settings\-Frank-\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\-Frank-\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\-Frank-\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\-Frank-\Local Settings\History\History.IE5\MSHist012006072420060731\index.dat Object is locked skipped C:\Documents and Settings\-Frank-\Local Settings\History\History.IE5\MSHist012006073120060801\index.dat Object is locked skipped C:\Documents and Settings\-Frank-\Local Settings\Temp\Perflib_Perfdata_998.dat Object is locked skipped C:\Documents and Settings\-Frank-\Local Settings\Temp\~DFBD0E.tmp Object is locked skipped C:\Documents and Settings\-Frank-\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\-Frank-\ntuser.dat Object is locked skipped C:\Documents and Settings\-Frank-\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\Adilson\Local Settings\Temporary Internet Files\AntiPhishing\6729BBF9-D54C-48CB-A4D7-AD400339D808.dat Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2b111ab0eda16bd9fcacbdae8a92157b_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3698b1562418b43409a39f13516ca426_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\87c7469c0ae839acbac182b37a78c61c_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\eeb704270e38206cdfb80f09087b8bdf_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\monique.HIBREALTY1\Local Settings\Temporary Internet Files\AntiPhishing\6729BBF9-D54C-48CB-A4D7-AD400339D808.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped C:\Program Files\LimeWire\Incomplete\T-3218956-Wicked Remix.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped C:\Program Files\SpyHunter\Backup\eZinstall[1].exe.bak/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.EZula.ak skipped C:\Program Files\SpyHunter\Backup\eZinstall[1].exe.bak WiseSFX: infected - 1 skipped C:\Program Files\SpyHunter\Backup\MY2NS.EXE.bak Infected: not-a-virus:AdWare.Win32.MyWay.b skipped C:\Program Files\SpyHunter\Backup\whInstaller.exe.bak Infected: not-a-virus:AdWare.Win32.WebHancer.290 skipped C:\Program Files\themexp\Themexp.org File\atoolbar400135.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped C:\Program Files\themexp\Themexp.org File\atoolbar400135.exe WiseSFX: infected - 1 skipped C:\Program Files\themexp\Themexp.org File\atoolbar400135.exe WiseSFX Dropper: infected - 1 skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP27\A0022325.exe Infected: Trojan-Dropper.Win32.WinAD.e skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0025572.dll Infected: Trojan-Downloader.Win32.Delf.aeo skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026838.dll Infected: Trojan-Downloader.Win32.ConHook.aa skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026839.exe Infected: Trojan-Downloader.Win32.PurityScan.cq skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026840.dll Object is locked skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026841.exe Infected: Trojan-Spy.Win32.Banker.bkq skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026842.exe Infected: Trojan-Downloader.Win32.ConHook.ac skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026843.dll Infected: Trojan-Downloader.Win32.ConHook.ab skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026844.exe Infected: Trojan-Spy.Win32.Banker.bjs skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026846.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026847.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026848.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\A0026849.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP28\change.log Object is locked skipped C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\sysmain.sdb Object is locked skipped C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB835732$\xpsp2res.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB839645$\fldrclnr.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB839645$\shell32.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB839645$\shlwapi.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB839645$\sxs.dll Object is locked skipped C:\WINDOWS\$NtUninstallKB839645$\xpsp2res.dll Object is locked skipped C:\WINDOWS\$NtUninstallQ329115$\reg00003 Object is locked skipped C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped C:\WINDOWS\Internet Logs\THEREALTYBRANCH.ldb Object is locked skipped C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\Antivirus.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts.bak Infected: Trojan.Win32.Qhost skipped C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\Temp\Perflib_Perfdata_108.dat Object is locked skipped C:\WINDOWS\Temp\ZLT00085.TMP Object is locked skipped C:\WINDOWS\Temp\ZLT00088.TMP Object is locked skipped C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped C:\WINDOWS\WIADEBUG.LOG Object is locked skipped C:\WINDOWS\WIASERVC.LOG Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped Scan process completed.

07-31-2006, 01:07 PM	#7 (permalink)
Mukanshin Registered User Join Date: Jul 2006 Posts: 6 OS: Windows XP Home Edition SP2	A hell lot better than before. Spooler service doesn't seem to fail anymore, svchost.exe running normal, firewalls not telling me about strange ips my trying to connect with my pc, and yeah, it's great. Thanks alot. Now I can access my bank in peace knowing my computer is safe. Thanks again. Hopefully we won't be meeting each other again too soon.

07-31-2006, 09:19 PM	#9 (permalink)
Mukanshin Registered User Join Date: Jul 2006 Posts: 6 OS: Windows XP Home Edition SP2	Yep, thought about changing it, guess I will since I was told by a professional. Thanks for all your hard work, and the extra sites you put in there. Thanks a million. EDIT: Thread resolved. Last edited by Mukanshin; 07-31-2006 at 09:20 PM.