deki
new user
Hello everyone
And as if I didn't already have enough problems with my computer, another decides to worm in! A virus! win32.desktophijack... no idea how I got it... but I have tried everything, followed the Norton site on how to repair it, but the thing is, Norton could not repair wininet.dll, nor could it be deleted, nor could I replace it with a healthy one from a friend's computer, trying to do it in DOS mode did not work... and I know that such a thread has been created with the same virus, that's why I already have all the programs downloaded, ready to go;)
Anyway, here is my log thing from HijackThis, don't really know what most of it is trying to tell me. Help would be appreciated a lot! Also I have XP Pro, SP1 and I do not want to format!;) Also my desktop is completely depressing, red background and in a black box in the middle there is, in caps, 'Danger: Spyware' constantly flashing, then it says I should download razespyware.... ugh.
Logfile of HijackThis v1.99.1
Scan saved at 8:13:42 AM, on 9/20/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\LimeWire\LimeWire.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Dejan & Aneta\My Documents\Unzipped\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A3567342-F52D-E42A-57ed-EDA392644311} - C:\WINDOWS\System32\msdocpy.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O16 - DPF: ConferenceRoom Java Client - http://irc.albasoul.com:8081/java/cr.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://media.licenseacquisition.org/cab/MediaAccessVerisign/ie/bridge-c424.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1126953879609
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {BE5A7132-329F-4319-B781-2A83BFE51534} - http://akamai.downloadv3.com/binaries/P2EClient/EGAUTH_1045_EN_XP.cab
O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} (VacPro.internazionale_ver15) - http://advnt01.com/dialer/internazionale_ver15.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: ForceWare IP service (nSvcIp) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - Unknown owner - C:\NVIDIA\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
Edited by deki (Mon Sep 19 2005 11:14 PM)
bricat
HijackThis Helper
Welcome to the Webuser forum. 
Can you please post ALL of your log including the top piece that tells us the version of HJT that you are using and your OS version.
-------------------- IF I HAVE SAVED YOU MONEY, PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST MALWARE.
When the only tool you own is a hammer, every problem begins to look like a nail.
deki
new user
Ok done:)
bricat
HijackThis Helper
Welcome to the Webuser forum. 
Step 1
Configure Windows to Show all hidden files & folders and ensure you're familiar with rebooting into Safe Mode.
Download SmitRem.zip and save the file to your desktop. Right click on the file and extract it to its own folder on the desktop.
Place a shortcut to Panda ActiveScan on your desktop.
Download and install the trial version of Ewido Security Suite from here. Configure the program correctly by following the instructions here and then close the program after updating the reference files. Do NOT run a scan yet.
If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions here. Otherwise, check for updates and download any new reference files before closing the program. We'll use it in Safe Mode later.
Step 2
Next, please reboot your computer in Safe Mode - Very Important !!
Run HJT again and checkmark the boxes next to the following:-
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {A3567342-F52D-E42A-57ed-EDA392644311} - C:\WINDOWS\System32\msdocpy.dll
Close ALL OPEN WINDOWS/BROWSERS and click Fix Checked
Step 3
Open the SmitRem folder and double click the RunThis.bat file to start the tool. Follow the prompts on screen. Wait for the tool to complete and disk cleanup to finish.
Step 4
Open Ad-aware and do a full system scan. Remove all it finds.
Step 5
Now open Ewido Security Suite:
Click on Scanner.
Click on Complete System Scan and the scan will begin.
While the scan is in progress you will be prompted to clean files; click OK.
When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections", then choose clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report. Click Save report.
Save the report .txt file to your desktop.
Now close ewido security suite.
Warning: While the scan is in progress, do NOT open any folders or the Windows Control Panel !!
Step 6
Next go to your Control Panel and click Display | Desktop | Customise Desktop | Website | Uncheck "Security Info" if present.
Reboot back into Windows and click the Panda ActiveScan shortcut, and do a full system scan.
Download WINPFIND.ZIP and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Inside c:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while. When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your next post.
Save the scan log and post it along with a new WINPFIND LOG and Ewido Log in your next reply to THIS thread. Let me know if any problems persist.
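As an added example (not part of this thread, and not HijackThis's or the helper's own code): a small Python parser for HJT log entries that applies review rules of the kind used above, flagging the missing default URLSearchHook (R3), an O2 BHO with "(no name)", O16 ActiveX downloads from hosts outside a constructed vendor allowlist, and O23 services marked "(file missing)". The sample log, the allowlist and the rules themselves are assumptions built for this example, not a complete or authoritative checklist.

```python
"""Parse HijackThis 1.99-style log entries and flag the ones a helper looks
at first. Added example for this thread; the rules below are my own
heuristics, not HijackThis's output and not the helper's checklist."""
import re
from dataclasses import dataclass
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample in the shape of the log posted above: a few benign and a
# few suspect entries copied from it so the rules have something to match.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {A3567342-F52D-E42A-57ed-EDA392644311} - C:\WINDOWS\System32\msdocpy.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} (VacPro.internazionale_ver15) - http://advnt01.com/dialer/internazionale_ver15.cab
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\NVIDIA\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
"""

# Every HJT entry is "<section code> - <body>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O2 body: "BHO: <name> - {<CLSID>} - <dll path>"
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")

# Constructed allowlist: O16 controls from these vendors are not flagged. A real
# review checks every other host by hand rather than trusting a fixed list.
TRUSTED_DPF_SUFFIXES = ("microsoft.com", "msn.com", "symantec.com", "trendmicro.com")


@dataclass
class Finding:
    kind: str    # HJT section code, e.g. "O2"
    reason: str  # why a helper would look at this entry
    entry: str   # the original log line


def host_is_listed(host: str) -> bool:
    """True when host is a listed vendor domain or a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRUSTED_DPF_SUFFIXES)


def parse_entries(text: str) -> List[Tuple[str, str]]:
    """Split a log into (section code, body) pairs; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def review_log(text: str) -> List[Finding]:
    """Apply the review rules to every entry; findings come back in log order."""
    findings: List[Finding] = []
    for kind, body in parse_entries(text):
        entry = f"{kind} - {body}"
        if kind == "R3" and body.startswith("Default URLSearchHook is missing"):
            findings.append(Finding(kind, "IE's default URLSearchHook entry has been removed", entry))
        elif kind == "O2":
            m = BHO_RE.match(body)
            if m and m.group("name") == "(no name)":
                findings.append(Finding(kind, f"unnamed BHO loading {m.group('path')}", entry))
        elif kind == "O16":
            # The download URL is always the last " - " separated field.
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
            if not host_is_listed(host):
                findings.append(Finding(kind, f"ActiveX download from unlisted host {host or '(none)'}", entry))
        elif kind == "O23" and "(file missing)" in body:
            findings.append(Finding(kind, "service registration points at a file that no longer exists", entry))
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.kind}: {f.reason}\n    {f.entry}")
```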
deki
new user
Thanks a lot! So I've done all that; should it be removed? Or not yet? About Panda ActiveScan... it found quite a few malicious files, but I wasn't given an option to remove them?? I'll post the log file of that too.
Panda
Incident Status Location
Adware:Adware/IST.ISTBar No disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temp\GLF9GLF9.EXE
Dialer:Dialer.BKJ No disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temp\ICD1.tmp\internazionale_ver15.INF
Adware:adware/sahagent No disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temp\isearchtech1007.sah
Adware:adware/adsmart No disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temp\pi.sys
Virus:VBS/Psyme.C Disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temporary Internet Files\Content.IE5\1FR7L9SE\jrfWfAlSogNjzKsjAid8[1].chm
Virus:VBS/Psyme.C Disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temporary Internet Files\Content.IE5\1FR7L9SE\VLlXm07Q5hg_f4PZ1onb[1].chm
Virus:Trj/Downloader.EVH Disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temporary Internet Files\Content.IE5\GP4NW70B\html[1].chm
Virus:Trj/Downloader.EVH Disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temporary Internet Files\Content.IE5\GP4NW70B\html[2].chm
Virus:VBS/Psyme.C Disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temporary Internet Files\Content.IE5\INYN6HYF\7KMff1blVEztCHtqPXlS[1].chm
Virus:VBS/Psyme.C Disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temporary Internet Files\Content.IE5\TKC31L4P\5mVCr8ueBfCe20Dd9U8g[1].chm
Virus:Exploit/Mhtredir.gen Disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temporary Internet Files\Content.IE5\UBU7Y12V\CAAZG9IJ.HTM
Virus:VBS/Psyme.C Disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temporary Internet Files\Content.IE5\UD07UHM5\mGdE1mrqaBIuKFWju4Tm[1].chm
Adware:adware/ncase No disinfected C:\temp\salmau.dat
Dialer:Dialer.B No disinfected C:\WINDOWS\Downloaded Program Files\EGAUTH.inf
Dialer:Dialer.BKJ No disinfected C:\WINDOWS\Downloaded Program Files\internazionale_ver15.INF
Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\50CTKQC3\log[1].rar
Adware:adware/wupd No disinfected C:\WINDOWS\system32\ide21201.vxd
Spyware:spyware/smitfraud No disinfected C:\WINDOWS\system32\oleext.dll
Adware:adware/searchforit No disinfected C:\WINDOWS\system32\SYSsfitb.dll
Adware:Adware/IST.ISTBar No disinfected C:\WINDOWS\system32\tsuninst.exe
Dialer:dialer.b No disinfected C:\WINDOWS\tmlpcert2005
EWIDO
HKLM\SOFTWARE\AKSoft -> Spyware.AkSoft : Cleaned with backup
HKLM\SOFTWARE\AKSoft\X-Tractor -> Spyware.AkSoft : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\.DEFAULT\Software\salm -> Spyware.180Solutions : Cleaned with backup
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Spyware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-18\Software\salm -> Spyware.180Solutions : Cleaned with backup
[720] C:\WINDOWS\System32\birdihuy32.dll -> TrojanProxy.Small.ct : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@cz3.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@cz5.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@forum.statcounter[1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@goldenpalace[1].txt -> Spyware.Cookie.Goldenpalace : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@grandonline[2].txt -> Spyware.Cookie.Grandonline : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@ivwbox[2].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@rotator.adjuggler[2].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@sales.liveperson[2].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@www.grandonline[1].txt -> Spyware.Cookie.Grandonline : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@ysbweb[1].txt -> Spyware.Cookie.Ysbweb : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Local Settings\Temp\iinstall.exe -> TrojanDownloader.IstBar.lq : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Local Settings\Temp\PLOOHDHF.dll -> Adware.SAHA : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Local Settings\Temp\sahagent.exe -> Adware.SAHA : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Local Settings\Temp\update.exe -> Adware.SAHA : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Local Settings\Temporary Internet Files\Content.IE5\H8ONPHWD\WinAntiVirus2005ProInstall[1].cab/UWA5PLP_0001_0721NetInstaller.exe -> Not-A-Virus.Downloader.Agent.c : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Local Settings\Temporary Internet Files\Content.IE5\UBU7Y12V\ysb_regular[1].cab/ysbactivex.dll -> TrojanDownloader.IstBar : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Local Settings\Temporary Internet Files\Content.IE5\ZF17BXWW\ibar[1].js -> TrojanDownloader.IstBar.ad : Cleaned with backup
C:\ied_s7.cab/ied_s7_c_28.exe -> TrojanDownloader.Mediket.r : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\UWA5PLP_0001_0721NetInstaller.exe -> Not-A-Virus.Downloader.Agent.c : Cleaned with backup
C:\WINDOWS\system32\70tovmto.ini -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\system32\birdihuy.dll -> Spyware.AdultStore : Cleaned with backup
C:\WINDOWS\system32\birdihuy32.dll -> TrojanProxy.Small.ct : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\50CTKQC3\sfbho13[1].dll -> Spyware.SideFind : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\C5ABKHEF\istbar_mainstream[1].dll -> TrojanDownloader.IstBar.ge : Cleaned with backup
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\GDINOLQN\sidefind[1].exe -> TrojanDownloader.IstBar : Cleaned with backup
C:\WINDOWS\system32\msclock32.dll -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\system32\msfwe1.exe -> Trojan.MulDrop.1732 : Cleaned with backup
WinPFind
Checking %WinDir% folder... PECompact2 9/19/2005 2:43:30 PM 15851025 C:\WINDOWS\lpt$vpn.849 qoologic 9/19/2005 2:43:30 PM 15851025 C:\WINDOWS\lpt$vpn.849 SAHAgent 9/19/2005 2:43:30 PM 15851025 C:\WINDOWS\lpt$vpn.849 UPX! 5/3/2005 11:44:44 AM 25157 C:\WINDOWS\RMAgentOutput.dll UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe PECompact2 9/19/2005 2:43:30 PM 15851025 C:\WINDOWS\VPTNFILE.849 qoologic 9/19/2005 2:43:30 PM 15851025 C:\WINDOWS\VPTNFILE.849 SAHAgent 9/19/2005 2:43:30 PM 15851025 C:\WINDOWS\VPTNFILE.849 UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
Checking %System% folder... UPX! 9/2/2004 12:49:56 AM 284672 C:\WINDOWS\SYSTEM32\avisynth.dll SAHAgent 5/5/2005 6:50:34 PM 35 C:\WINDOWS\SYSTEM32\bln02nqv.ini PEC2 8/23/2001 10:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc PEC2 10/27/2004 8:38:24 AM 716800 C:\WINDOWS\SYSTEM32\DivX.dll PECompact2 10/27/2004 8:38:24 AM 716800 C:\WINDOWS\SYSTEM32\DivX.dll SAHAgent 5/5/2005 8:27:18 PM 2907 C:\WINDOWS\SYSTEM32\gah95on6.ini PTech 8/29/2005 1:27:12 PM 520968 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL SAHAgent 9/10/2005 4:51:26 PM 35 C:\WINDOWS\SYSTEM32\ocsk4qja.ini SAHAgent 9/10/2005 4:51:26 PM 35 C:\WINDOWS\SYSTEM32\ohrg6f6s.ini UPX! 8/29/2002 3:41:18 AM 16384 C:\WINDOWS\SYSTEM32\oleext.dll Umonitor 8/29/2002 3:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll SAHAgent 9/10/2005 4:55:22 PM 3007 C:\WINDOWS\SYSTEM32\ur5qgss3.ini winsync 8/23/2001 10:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Checking %System%\Drivers folder and sub-folders...
Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days... 9/20/2005 10:58:40 PM S 2048 C:\WINDOWS\bootstat.dat 9/18/2005 12:37:00 PM H 54156 C:\WINDOWS\QTFont.qfn 7/28/2005 11:43:12 PM RHS 227 C:\WINDOWS\assembly\Desktop.ini 9/18/2005 11:04:22 AM H 0 C:\WINDOWS\inf\oem17.inf 9/18/2005 9:25:24 PM H 0 C:\WINDOWS\LastGood\INF\dxbda.inf 9/18/2005 9:25:24 PM H 0 C:\WINDOWS\LastGood\INF\dxbda.PNF 9/18/2005 9:25:24 PM H 0 C:\WINDOWS\LastGood\INF\dxdllreg.inf 9/18/2005 9:25:24 PM H 0 C:\WINDOWS\LastGood\INF\dxdllreg.PNF 9/18/2005 9:25:04 PM H 0 C:\WINDOWS\LastGood\INF\dxxp.inf 9/18/2005 9:25:04 PM H 0 C:\WINDOWS\LastGood\INF\dxxp.PNF 9/2/2005 8:39:00 PM H 0 C:\WINDOWS\LastGood\INF\oem16.inf 9/2/2005 8:39:00 PM H 0 C:\WINDOWS\LastGood\INF\oem16.PNF 9/18/2005 11:04:22 AM H 0 C:\WINDOWS\LastGood\INF\oem17.inf 9/18/2005 11:04:24 AM H 0 C:\WINDOWS\LastGood\INF\oem17.PNF 9/18/2005 9:18:44 PM H 0 C:\WINDOWS\LastGood\INF\oem18.inf 9/18/2005 9:18:44 PM H 0 C:\WINDOWS\LastGood\INF\oem18.PNF 7/30/2005 3:09:42 PM HS 11690 C:\WINDOWS\system32\KGyGaAvL.sys 9/19/2005 3:36:02 PM RHS 12288 C:\WINDOWS\system32\shdocnv.dll 9/20/2005 10:59:08 PM H 948 C:\WINDOWS\system32\vsconfig.xml 8/13/2005 6:31:24 AM S 75078 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem16.CAT 9/20/2005 11:54:32 PM H 1024 C:\WINDOWS\system32\config\default.LOG 9/20/2005 10:58:42 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG 9/20/2005 10:59:30 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG 9/20/2005 11:53:28 PM H 1024 C:\WINDOWS\system32\config\software.LOG 9/20/2005 11:51:38 PM H 1024 C:\WINDOWS\system32\config\system.LOG 8/1/2005 7:17:14 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\6c31e89a-7a94-443c-b6a5-d61ec4bced23 8/1/2005 7:17:14 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred 8/13/2005 6:31:24 AM S 75078 C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\CX_25203.CAT 8/13/2005 6:31:24 AM S 75078 
C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\CX_25203.CAT 9/20/2005 10:58:42 PM H 6 C:\WINDOWS\Tasks\SA.DAT
Checking for CPL files... Microsoft Corporation 8/23/2001 10:00:00 PM 66048 C:\WINDOWS\SYSTEM32\access.cpl Microsoft Corporation 8/29/2002 3:41:28 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl Microsoft Corporation 8/29/2002 3:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl Microsoft Corporation 8/23/2001 10:00:00 PM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl Ahead Software AG 5/26/2003 5:12:14 AM 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl Microsoft Corporation 8/29/2002 3:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl Microsoft Corporation 8/29/2002 3:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl Microsoft Corporation 8/29/2002 3:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl Sun Microsystems, Inc. 12/6/2004 9:31:48 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl Microsoft Corporation 8/23/2001 10:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl Microsoft Corporation 8/23/2001 10:00:00 PM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl Microsoft Corporation 8/23/2001 10:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl Microsoft Corporation 8/23/2001 10:00:00 PM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl Microsoft Corporation 8/23/2001 10:00:00 PM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl Microsoft Corporation 8/23/2001 10:00:00 PM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl Microsoft Corporation 8/23/2001 10:00:00 PM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl Apple Computer, Inc. 
10/3/2003 3:14:30 PM 314880 C:\WINDOWS\SYSTEM32\QuickTime.cpl Microsoft Corporation 8/29/2002 3:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl Microsoft Corporation 8/23/2001 10:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl Microsoft Corporation 8/23/2001 10:00:00 PM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl Microsoft Corporation 8/23/2001 10:00:00 PM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl Microsoft Corporation 8/23/2001 10:00:00 PM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl Microsoft Corporation 8/29/2002 3:41:00 AM 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl Microsoft Corporation 8/23/2001 10:00:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl Microsoft Corporation 8/23/2001 10:00:00 PM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl Microsoft Corporation 8/23/2001 10:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl Microsoft Corporation 8/23/2001 10:00:00 PM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl Microsoft Corporation 8/23/2001 10:00:00 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl Microsoft Corporation 8/23/2001 10:00:00 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl Microsoft Corporation 8/23/2001 10:00:00 PM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl Microsoft Corporation 8/23/2001 10:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl Microsoft Corporation 8/23/2001 10:00:00 PM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder... 2/1/2005 6:54:38 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini 2/1/2005 7:13:40 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
Checking files in %ALLUSERSPROFILE%\Application Data folder... 2/2/2005 2:46:56 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
Checking files in %USERPROFILE%\Startup folder... 2/1/2005 6:54:38 PM HS 84 C:\Documents and Settings\Dejan & Aneta\Start Menu\Programs\Startup\desktop.ini 8/25/2005 7:09:00 PM 1536 C:\Documents and Settings\Dejan & Aneta\Start Menu\Programs\Startup\LimeWire On Startup.lnk
Checking files in %USERPROFILE%\Application Data folder... 2/2/2005 2:46:56 AM HS 62 C:\Documents and Settings\Dejan & Aneta\Application Data\desktop.ini 8/15/2005 9:58:04 PM 24072 C:\Documents and Settings\Dejan & Aneta\Application Data\GDIPFONTCACHEV1.DAT
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers] HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\EncodeDivXExt {E9F5B111-CACC-4FD4-81FD-4EB4FD6765A3} = C:\Program Files\DivX\Dr.DivX\EncodeDivXExt.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail {5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers] HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE} = %SystemRoot%\system32\SHELL32.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872} CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} EpsonToolBandKicker Class = C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD} &Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376} &Tip of the Day = %SystemRoot%\System32\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{EE5D279F-081B-4404-994D-C6B60AAEBA6D} = EPSON Web-To-Page : C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38} Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478} Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD} &Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E} Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E} History Band = %SystemRoot%\System32\shdocvw.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EE5D279F-081B-4404-994D-C6B60AAEBA6D} = EPSON Web-To-Page : C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NeroCheck C:\WINDOWS\system32\NeroCheck.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
ATIPTA "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] MsnMsgr "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoDriveTypeAutoRun 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent = Ati2evxx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain = crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet = cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll = cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy = sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn = WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon = wlnotify.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] AppInit_DLLs
OK, so after all that...I did another Ad-Aware smart scan, and still I get some malicious stuff, like 'Malware.Psguard', so does this mean not everything is entirely removed?? Coz I removed that desktop...also Norton still tells me I have the virus?? Something called World Antispy keeps on installing itself on my computer too.
Edited by deki (Tue Sep 20 2005 04:26 PM)
bricat
HijackThis Helper
Reg'd: Wed
Posts: 31987
Loc: belfast
Download Killbox from here.
Double-click killbox.exe on your desktop. Select the option "Delete on reboot". Now highlight and 'copy' the entire list of file paths below:
C:\WINDOWS\Downloaded Program Files\EGAUTH.inf
C:\WINDOWS\Downloaded Program Files\internazionale_ver15.INF
C:\WINDOWS\system32\ide21201.vxd
C:\WINDOWS\system32\oleext.dll
C:\WINDOWS\system32\SYSsfitb.dll
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\tmlpcert2005
C:\WINDOWS\RMAgentOutput.dll
C:\WINDOWS\SYSTEM32\bln02nqv.ini
C:\WINDOWS\SYSTEM32\gah95on6.ini
C:\WINDOWS\SYSTEM32\ocsk4qja.ini
C:\WINDOWS\SYSTEM32\ohrg6f6s.ini
C:\WINDOWS\SYSTEM32\ur5qgss3.ini
Open 'File' in the Killbox menu at the top and choose 'Paste from clipboard'.
Now you will see this is pasted into the "Full Path of File to Delete" field. There's a little arrow (dropdown arrow) next to that field. If you expand it, these lines should all be there together.
Then press the red button with a white X in it. Killbox will tell you that all listed files will be deleted on next reboot. Click YES.
When it asks if you would like to reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message, then just restart manually.
Then run the Panda scan again and post the log from it, and a fresh WinPFind log.
-------------------- IF I HAVE SAVED YOU MONEY, PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST MALWARE.
When the only tool you own is a hammer, every problem begins to look like a nail.
deki
new user
Reg'd: Mon
Posts: 10
I did all that....With Panda ActiveScan, I only scanned my C: drive because it always stops when I try to scan My Computer...
Panda log
Incident Status Location
Dialer:Dialer.B No disinfected C:\!Submit\EGAUTH.inf
Dialer:Dialer.BKJ No disinfected C:\!Submit\internazionale_ver15.INF
Adware:Adware/IST.ISTBar No disinfected C:\!Submit\tsuninst.exe
Adware:Adware/IST.ISTBar No disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temp\GLF9GLF9.EXE
Dialer:Dialer.BKJ No disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temp\ICD1.tmp\internazionale_ver15.INF
Adware:adware/sahagent No disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temp\isearchtech1007.sah
Adware:adware/adsmart No disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temp\pi.sys
Adware:adware/ncase No disinfected C:\temp\salmau.dat
Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\50CTKQC3\log[1].rar
Virus:W32/Smitfraud.D Disinfected C:\WINDOWS\system32\wininet.dll
WinPFind
Checking %WinDir% folder...
PECompact2 9/19/2005 2:43:30 PM 15851025 C:\WINDOWS\lpt$vpn.849
qoologic 9/19/2005 2:43:30 PM 15851025 C:\WINDOWS\lpt$vpn.849
SAHAgent 9/19/2005 2:43:30 PM 15851025 C:\WINDOWS\lpt$vpn.849
UPX! 1/10/2005 4:17:24 PM 170053 C:\WINDOWS\tsc.exe
PECompact2 9/19/2005 2:43:30 PM 15851025 C:\WINDOWS\VPTNFILE.849
qoologic 9/19/2005 2:43:30 PM 15851025 C:\WINDOWS\VPTNFILE.849
SAHAgent 9/19/2005 2:43:30 PM 15851025 C:\WINDOWS\VPTNFILE.849
UPX! 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
aspack 2/18/2005 6:40:14 PM 1044560 C:\WINDOWS\vsapi32.dll
Checking %System% folder...
UPX! 9/2/2004 12:49:56 AM 284672 C:\WINDOWS\SYSTEM32\avisynth.dll
PEC2 8/23/2001 10:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PEC2 10/27/2004 8:38:24 AM 716800 C:\WINDOWS\SYSTEM32\DivX.dll
PECompact2 10/27/2004 8:38:24 AM 716800 C:\WINDOWS\SYSTEM32\DivX.dll
PTech 8/29/2005 1:27:12 PM 520968 C:\WINDOWS\SYSTEM32\LegitCheckControl.DLL
Umonitor 8/29/2002 3:41:10 AM 631808 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/23/2001 10:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
Checking %System%\Drivers folder and sub-folders...
Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
9/21/2005 12:36:26 PM S 2048 C:\WINDOWS\bootstat.dat
9/18/2005 12:37:00 PM H 54156 C:\WINDOWS\QTFont.qfn
7/28/2005 11:43:12 PM RHS 227 C:\WINDOWS\assembly\Desktop.ini
9/18/2005 11:04:22 AM H 0 C:\WINDOWS\inf\oem17.inf
9/18/2005 9:25:24 PM H 0 C:\WINDOWS\LastGood\INF\dxbda.inf
9/18/2005 9:25:24 PM H 0 C:\WINDOWS\LastGood\INF\dxbda.PNF
9/18/2005 9:25:24 PM H 0 C:\WINDOWS\LastGood\INF\dxdllreg.inf
9/18/2005 9:25:24 PM H 0 C:\WINDOWS\LastGood\INF\dxdllreg.PNF
9/18/2005 9:25:04 PM H 0 C:\WINDOWS\LastGood\INF\dxxp.inf
9/18/2005 9:25:04 PM H 0 C:\WINDOWS\LastGood\INF\dxxp.PNF
9/2/2005 8:39:00 PM H 0 C:\WINDOWS\LastGood\INF\oem16.inf
9/2/2005 8:39:00 PM H 0 C:\WINDOWS\LastGood\INF\oem16.PNF
9/18/2005 11:04:22 AM H 0 C:\WINDOWS\LastGood\INF\oem17.inf
9/18/2005 11:04:24 AM H 0 C:\WINDOWS\LastGood\INF\oem17.PNF
9/18/2005 9:18:44 PM H 0 C:\WINDOWS\LastGood\INF\oem18.inf
9/18/2005 9:18:44 PM H 0 C:\WINDOWS\LastGood\INF\oem18.PNF
7/30/2005 3:09:42 PM HS 11690 C:\WINDOWS\system32\KGyGaAvL.sys
9/19/2005 3:36:02 PM RHS 12288 C:\WINDOWS\system32\shdocnv.dll
9/21/2005 12:36:56 PM H 948 C:\WINDOWS\system32\vsconfig.xml
8/13/2005 6:31:24 AM S 75078 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem16.CAT
9/21/2005 2:16:30 PM H 1024 C:\WINDOWS\system32\config\default.LOG
9/21/2005 12:36:28 PM H 1024 C:\WINDOWS\system32\config\SAM.LOG
9/21/2005 12:37:38 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
9/21/2005 2:16:54 PM H 1024 C:\WINDOWS\system32\config\software.LOG
9/21/2005 2:14:00 PM H 1024 C:\WINDOWS\system32\config\system.LOG
8/1/2005 7:17:14 AM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\6c31e89a-7a94-443c-b6a5-d61ec4bced23
8/1/2005 7:17:14 AM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
8/13/2005 6:31:24 AM S 75078 C:\WINDOWS\system32\ReinstallBackups\0000\DriverFiles\CX_25203.CAT
8/13/2005 6:31:24 AM S 75078 C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\CX_25203.CAT
9/21/2005 12:36:28 PM H 6 C:\WINDOWS\Tasks\SA.DAT
Checking for CPL files...
Microsoft Corporation 8/23/2001 10:00:00 PM 66048 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 578560 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 129024 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Ahead Software AG 5/26/2003 5:12:14 AM 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 292352 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 121856 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems, Inc. 12/6/2004 9:31:48 PM 49265 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 10/3/2003 3:14:30 PM 314880 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/29/2002 3:41:28 AM 268288 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/29/2002 3:41:00 AM 208896 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/23/2001 10:00:00 PM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
2/1/2005 6:54:38 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
2/1/2005 7:13:40 PM 1730 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
9/21/2005 11:39:02 AM 0 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\think.lgo
Checking files in %ALLUSERSPROFILE%\Application Data folder...
2/2/2005 2:46:56 AM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
Checking files in %USERPROFILE%\Startup folder...
2/1/2005 6:54:38 PM HS 84 C:\Documents and Settings\Dejan & Aneta\Start Menu\Programs\Startup\desktop.ini
8/25/2005 7:09:00 PM 1536 C:\Documents and Settings\Dejan & Aneta\Start Menu\Programs\Startup\LimeWire On Startup.lnk
Checking files in %USERPROFILE%\Application Data folder...
2/2/2005 2:46:56 AM HS 62 C:\Documents and Settings\Dejan & Aneta\Application Data\desktop.ini
8/15/2005 9:58:04 PM 24072 C:\Documents and Settings\Dejan & Aneta\Application Data\GDIPFONTCACHEV1.DAT
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\EncodeDivXExt {E9F5B111-CACC-4FD4-81FD-4EB4FD6765A3} = C:\Program Files\DivX\Dr.DivX\EncodeDivXExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Yahoo! Mail {5464D816-CF16-4784-B9F3-75C0DB52B499} = C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE} = %SystemRoot%\system32\SHELL32.dll
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0 CE\Reader\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872} CNavExtBho Class = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} EpsonToolBandKicker Class = C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD} &Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376} &Tip of the Day = %SystemRoot%\System32\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
{EE5D279F-081B-4404-994D-C6B60AAEBA6D} = EPSON Web-To-Page : C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38} Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478} Media Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD} &Yahoo! Messenger = C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E} Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E} History Band = %SystemRoot%\System32\shdocvw.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{EE5D279F-081B-4404-994D-C6B60AAEBA6D} = EPSON Web-To-Page : C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
NeroCheck C:\WINDOWS\system32\NeroCheck.exe
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SunJavaUpdateSched C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
Zone Labs Client C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
ATIPTA "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
SSC_UserPrompt C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce] Panda_cleaner_41898 C:\WINDOWS\System32\ActiveScan\pavdr.exe 41898
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] MsnMsgr "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer NoDriveTypeAutoRun 0
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent = Ati2evxx.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain = crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet = cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll = cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy = sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn = WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv = wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon = wlnotify.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows] AppInit_DLLs
Btw, Norton still found the virus in my wininet.dll file; this time it showed them twice!
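As an added example (my own code, not part of this thread and not Panda's), here is a small parser for the ActiveScan log format posted above, with the triage a helper would do by eye: it separates what the scanner could not disinfect from what it could, and flags any hit sitting directly in the Windows system directory, since a "disinfected" core DLL such as wininet.dll is still a modified system file that Norton keeps flagging. The sample records are taken from the log above (the forum software ran them onto one line); the function names and the `Finding` type are my own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Sample input: five records in the shape of the Panda ActiveScan log above,
# one record per line. Copied from the posted log; nothing else is real data.
SAMPLE_LOG = r"""Incident Status Location
Dialer:Dialer.B No disinfected C:\!Submit\EGAUTH.inf
Adware:Adware/IST.ISTBar No disinfected C:\!Submit\tsuninst.exe
Adware:adware/sahagent No disinfected C:\Documents and Settings\Dejan & Aneta\Local Settings\Temp\isearchtech1007.sah
Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\50CTKQC3\log[1].rar
Virus:W32/Smitfraud.D Disinfected C:\WINDOWS\system32\wininet.dll
"""

# "Incident" is Category:Name, "Status" is either "Disinfected" or
# "No disinfected", and "Location" is everything after that. Paths contain
# spaces, so the status is matched as a fixed alternation and the path last.
RECORD_RE = re.compile(
    r"^(?P<category>[^:\s]+):(?P<name>\S+)\s+"
    r"(?P<status>No disinfected|Disinfected)\s+"
    r"(?P<path>.+?)\s*$"
)

SYSTEM_DIR = r"c:\windows\system32"  # assumed install drive and directory


@dataclass
class Finding:
    category: str      # Dialer, Adware, Virus, ...
    name: str          # detection name, e.g. W32/Smitfraud.D
    disinfected: bool
    path: str


def parse_activescan_log(text: str) -> List[Finding]:
    """Return one Finding per record line; the header and blank lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if m is None:
            continue
        findings.append(Finding(
            category=m["category"],
            name=m["name"],
            disinfected=(m["status"] == "Disinfected"),
            path=m["path"],
        ))
    return findings


def in_system_dir(path: str) -> bool:
    """True when the file is a direct child of the system directory (not a subfolder)."""
    p = path.lower()
    prefix = SYSTEM_DIR + "\\"
    return p.startswith(prefix) and "\\" not in p[len(prefix):]


def triage(findings: List[Finding]) -> Dict[str, object]:
    """The summary a helper reads first: what is still present, and which system files were touched."""
    return {
        "total": len(findings),
        "by_category": dict(Counter(f.category for f in findings)),
        "not_disinfected": [f.path for f in findings if not f.disinfected],
        "system_files_touched": [f.path for f in findings if in_system_dir(f.path)],
    }


if __name__ == "__main__":
    for key, value in triage(parse_activescan_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

The "not disinfected" list is what the Killbox step above is for, and "system files touched" is the list to compare against a known-good copy (or the dllcache) rather than trust the scanner's disinfection.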
bricat
HijackThis Helper
Reg'd: Wed
Posts: 31987
Loc: belfast
This process will clean out your Temp files and your Temporary Internet Files. Please do both steps:
Step 1: Delete Temp Files. To clean out your temp files, click on Start and then Run, type %temp% and press the OK button.
This should open up the temp directory that your machine uses. Please delete all files that are found there. If you get an error when deleting a file, skip that file and delete all the others. If you had trouble deleting a file, reboot into Safe Mode and follow this step again. You should now be able to delete all the files.
Step 2: Delete Temporary Internet Files. Now I want you to open up Internet Explorer, click on the Tools menu and then Internet Options. At the General tab, which should be the first tab you are on, click on the Delete Files button and put a checkmark in Delete offline content. Then press the OK button. This may take quite a while, so do not be alarmed by how long it takes. When it is done, your Temporary Internet Files will have been deleted.
Download CCleaner,
then run the scan under the Windows tab,
then DEFRAG your C:\ drive
to help speed up your system.
Then let us know how the computer is running.
deki
new user
Reg'd: Mon
Posts: 10
I did all that :) Norton hasn't given me any messages....Ad-Aware found a Malware.Psguard though?? I get only one pop-up advertisement as opposed to the two. Glad I did that defrag, everything looks great :D Thanks a lot for your help, I really appreciate it! *thumbs up*
bricat
HijackThis Helper
Reg'd: Wed
Posts: 31987
Loc: belfast
If you are still getting PSGuard showing, delete the copy of SMITREM.ZIP that you d/loaded earlier and download it again from the same link; it was updated yesterday.
Then run smitrem.zip again in SAFE MODE.
Let us know how you go.
deki
new user
Reg'd: Mon
Posts: 10
Well, I clicked that link for smitrem....did the safe mode thing, and still now I get some pop-ups for spyware scans, casino stuff....and some error notification, but then it has something about a scan...?
bricat
HijackThis Helper
Reg'd: Wed
Posts: 31987
Loc: belfast
Please download and run HOSTER.ZIP.
Unpack hoster.zip, press 'Restore Original Hosts', press 'OK' and exit the program.
Then run Ewido in SAFE MODE again, save the log and post it back here.
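The 'Restore Original Hosts' step exists because a hijacked hosts file silently sends chosen hostnames to an address of the attacker's choosing, which is why WinPFind reports "Items found in ...\drivers\etc\hosts" above. As an added example (my own code, not Hoster's and not from this thread), here is a Python checker that parses a hosts file and reports every mapping that is not the stock loopback entry, so a helper can see what was redirected before resetting the file. The sample content is constructed, the redirected names are `.test` placeholders, and the function names are my own.

```python
import ipaddress
from typing import Iterator, List, NamedTuple, Tuple

# Constructed sample: the stock XP line plus two entries of the kind a hijack
# leaves behind. Names are .test placeholders and the address is from TEST-NET-2.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
127.0.0.1       update.antivirus-vendor.test    # update site blackholed to loopback
198.51.100.7    www.search-engine.test          # search site sent to a foreign address
"""

# The only mappings a stock hosts file carries. Windows XP ships the IPv4 line;
# later versions add the IPv6 one (often commented out), so both count as stock.
STOCK_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}


class HostsEntry(NamedTuple):
    address: str
    hostname: str
    line_no: int
    reason: str


def parse_hosts(text: str) -> Iterator[Tuple[int, str, str]]:
    """Yield (line_no, address, hostname) for every active mapping.

    One line may map several names to one address; '#' comments are stripped.
    """
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        address, names = fields[0], fields[1:]
        for name in names:
            yield line_no, address, name


def classify(address: str, hostname: str) -> str:
    """Return '' for a stock entry, otherwise a short reason the entry needs a look."""
    if (address, hostname.lower()) in STOCK_ENTRIES:
        return ""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "unparseable address"
    if ip.is_loopback or ip.is_unspecified:
        # 127.x.x.x / ::1 / 0.0.0.0: the name is made unreachable (update blocking)
        return "name blackholed (loopback or unspecified address)"
    return "name redirected to " + address


def suspicious_entries(text: str) -> List[HostsEntry]:
    """Every non-stock mapping in a hosts file, with the reason it was flagged."""
    out = []
    for line_no, address, name in parse_hosts(text):
        reason = classify(address, name)
        if reason:
            out.append(HostsEntry(address, name, line_no, reason))
    return out


def stock_hosts_file() -> str:
    """What a reset to defaults leaves behind on XP: the loopback mapping only."""
    return "127.0.0.1       localhost\n"


if __name__ == "__main__":
    for entry in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {entry.line_no}: {entry.address} {entry.hostname}  <- {entry.reason}")
```

Run it against a copy of C:\WINDOWS\system32\drivers\etc\hosts (read as text) before resetting; an empty result means the file is already stock, and anything else is worth keeping in the notes since it shows which sites the infection was blocking or diverting.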
deki
new user
Reg'd: Mon
Posts: 10
Here it is! Also I've been having problems with my internet broadband (256k).....lately it's been very slow, and most of the time it would just load halfway and stop (which is why I'm replying late :p). I don't know what the problem is...I rang my ISP, and I was told to disable all the programs in msconfig/startup, which I did, then restarted; it seemed to be working fine....I enabled only a few programs like MSN....then the same problem again, very slow....sometimes if I click on refresh the site will load but other times nothing....I rang the ISP again and they said it could be that I have spyware on my computer?? What do you think?
Anyway, here is the Ewido log. Btw, I had to remove the stuff it found, most of what is below here.
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@a.tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@banner.goldenpalace[2].txt -> Spyware.Cookie.Goldenpalace : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@casalemedia[1].txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@citi.bridgetrack[1].txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@com[2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@fastclick[2].txt -> Spyware.Cookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@goldenpalace[1].txt -> Spyware.Cookie.Goldenpalace : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@grandonline[2].txt -> Spyware.Cookie.Grandonline : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@tribalfusion[2].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@www.casinotropez[1].txt -> Spyware.Cookie.Casinotropez : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@www.goldenpalace[1].txt -> Spyware.Cookie.Goldenpalace : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@www.grandonline[1].txt -> Spyware.Cookie.Grandonline : Cleaned with backup
C:\Documents and Settings\Dejan & Aneta\Cookies\dejan & aneta@z1.adserver[1].txt -> Spyware.Cookie.Adserver : Cleaned with backup
C:\WINDOWS\system32\msclock32.dll -> Dialer.Generic : Cleaned with backup
deki
new user
Reg'd: Mon
Posts: 10
Internet seems to be working fine now....but still just to be sure!
bricat
HijackThis Helper
Reg'd: Wed
Posts: 31987
Loc: belfast
Ewido only found and removed a few things; the rest are just cookies.
Are you still getting pop-ups?
deki
new user
Reg'd: Mon
Posts: 10
Not anymore :D
bricat
HijackThis Helper
Reg'd: Wed
Posts: 31987
Loc: belfast
DISABLE SYSTEM RESTORE, run your antivirus, and when you get the all clear, restart your System Restore (same page). Then create a new restore point:
Click START\ALL PROGRAMS\ACCESSORIES\SYSTEM TOOLS\SYSTEM RESTORE, click on "create new restore point", click on NEXT and follow the prompts.
This is to ensure that if you have to do a System Restore in the future, you don't get all the nasties reinstalled again.
Then:
Download CCleaner,
then run the scan under the Windows tab,
then DEFRAG your C:\ drive
to help speed up your system.
Then let us know how the computer is running.
deki
new user
Reg'd: Mon
Posts: 10
Everything seems fine now :) Thanks a lot bricat for your help, thank you very much!
bricat
HijackThis Helper
Reg'd: Wed
Posts: 31987
Loc: belfast
You're welcome.
Glad you are sorted.