Computer running extremely slow...


  • This topic is locked
6 replies to this topic

#1 ChaosIllusion00

  • Members
  • 16 posts
  • Local time:03:24 AM

Posted 10 June 2005 - 06:28 PM

It was in the morning of a particular day that I burned some info on my computer, a music CD, and then when I was finished I shut it off. When I returned later in the day I started my computer only to find that it is running really, really slowly when I open apps and move throughout my computer. There are a couple of popups that show up when I search the internet, the same ones, and for some reason when I start my computer and it goes through its thing, my internet pops up automatically with my homepage as if I set it to start on startup like some programs do. It also runs slowly on the internet, which is why I think it might be spyware, but I'm not too sure. I don't know what is wrong with it; maybe someone will know? I am not sure if it is spyware or not, but here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:27:12 PM, on 6/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\WINDOWS\system32\addkh.exe
C:\WINDOWS\appmi.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Download\SpywareRemovers\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {7CF346FC-27AE-F456-5086-8933F47E7215} - C:\WINDOWS\d3eo.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {D596D1F8-059F-F74E-FC61-AC991196BA9D} - C:\WINDOWS\d3eo.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\Run: [addkh.exe] C:\WINDOWS\system32\addkh.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\appmi.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Alias Wavefront Help Server (AWHelpServer) - Unknown owner - C:\Program Files\AliasWavefront\Maya5.0\docs\Wrapper.exe" -s "C:\Program Files\AliasWavefront\Maya5.0\docs/Wrapper.conf (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


#2 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD
  • Local time:02:24 AM

Posted 11 June 2005 - 12:45 PM

Could I see a fresh HJT log please?

#3 ChaosIllusion00
  • Topic Starter

  • Members
  • 16 posts
  • Local time:03:24 AM

Posted 16 June 2005 - 12:13 PM

Sure... things have actually increased with me doing nothing. Now about:blank has hijacked my homepage... yay... Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:12:26 PM, on 6/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\WINDOWS\mscn32.exe
C:\WINDOWS\appmi.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Download\SpywareRemovers\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zymkd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zymkd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\zymkd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zymkd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\zymkd.dll/sp.html#37049
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zymkd.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\zymkd.dll/sp.html#37049
R3 - Default URLSearchHook is missing
O2 - BHO: Class - {461B6EFD-230C-BCDF-DDF3-63EE7DCC6733} - C:\WINDOWS\system32\mshq32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Class - {F8DDF512-628B-C53E-4663-3C73A0A7220B} - C:\WINDOWS\atlxf32.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\PROGRA~1\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O4 - HKLM\..\Run: [addrb32.exe] C:\WINDOWS\addrb32.exe
O4 - HKLM\..\Run: [mscn32.exe] C:\WINDOWS\mscn32.exe
O4 - HKLM\..\Run: [sdkux32.exe] C:\WINDOWS\sdkux32.exe
O4 - HKLM\..\Run: [winxj32.exe] C:\WINDOWS\winxj32.exe
O4 - HKLM\..\Run: [addkq.exe] C:\WINDOWS\system32\addkq.exe
O4 - HKLM\..\Run: [ieli32.exe] C:\WINDOWS\system32\ieli32.exe
O4 - HKLM\..\Run: [apiub32.exe] C:\WINDOWS\apiub32.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\appmi.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Alias Wavefront Help Server (AWHelpServer) - Unknown owner - C:\Program Files\AliasWavefront\Maya5.0\docs\Wrapper.exe" -s "C:\Program Files\AliasWavefront\Maya5.0\docs/Wrapper.conf (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4 groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD
  • Local time:02:24 AM

Posted 17 June 2005 - 08:17 AM

Yep.. you got the nasty one too.

PLEASE PRINT OUT THESE INSTRUCTIONS BEFORE PROCEEDING.
(Click on Printer Icon in the upper LH corner next to the Post Reply button)


Please continue with the next step if you run into a problem with the current one. Just be sure to let me know if any problems occurred for each step when you reply.

STEP 1:
Please make sure that you can view all hidden files. Instructions on how to do this can be found here: http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/


STEP 2:
Please download CWShredder Version 2.1 here. http://cwshredder.net/bin/CWShredder.exe

Save it to its own folder named CWShredder and place it at the root of your C:\ drive along with HijackThis.
Don't run it yet, we will use it later.

STEP 3:
Download AboutBuster from RubbeR DuckY here
http://www.malwarebytes.biz/AboutBuster5.zip



Save it to its own folder named AboutBuster and place it at the root of your C:\ drive along with HijackThis.

Double-click AboutBuster.exe and press Update to make sure you have the latest reference file version.

NOTE: You might want to view this AboutBuster tutorial first, before running the tool: http://www.besttechie.net/forums/index.php?showtopic=1488

Don't run it yet, we will use it later.

STEP 4:
Download and install the latest version of Ad-Aware SE here.
Please configure the program by following these instructions: http://www.bleepingcomputer.com/tutorials/use-ad-aware-2007-to-remove-spyware/

Before scanning click on "Check for updates now" to make sure you have the latest reference file.
Don't run it yet, we will use it later.

STEP 5:
Download the eScan Antivirus Toolkit here.
http://www.spywareinfo.dk/download/mwav.exe

Save it to the desktop. This program is 10MB in size.
Don't run it yet, we will use it later.

STEP 6:
Download and install the Ewido Security Suite 3.0.

NOTE: The Ewido Security Suite 3.0 utility will not install on Windows 95, 98, ME, or NT. The minimum system requirement for Ewido Security Suite 3.0 is Windows 2000 or Windows XP.

1.) Download and install the Ewido Security Suite 3.0 here: http://download.ewido.net/ewido-setup.exe
2.) Double-click on the new Ewido shortcut on the desktop to open the program.
3.) On the upper LH side column, click on the Update button.
(This will update the program with all the latest signature files.)
Don't run it yet, we will use it later.

STEP 7:

You must first STOP and DISABLE the rogue Service:

There are different Display Names to look for:

Workstation NetLogon Service
Remote Procedure Call (RPC) Helper
Remote Access Service
Network Security Service (NSS)


Go to Start => Run and type "Services.msc" (without quotes) then click Ok.

1.) Scroll down and find one of the bad services described above such as: Remote Procedure Call (RPC) Helper
2.) When you find it, double-click on it.
3.) In the next window that opens, click the Stop button, then click on Properties and under the General Tab, change the Startup Type to Disabled.
4.) Now hit Apply and then Ok and close any open windows.

STEP 8:
Copy the contents of the Quote Box below to Notepad. Name the file cwsresfix.reg.
Change the Save as Type to All Files, and save this file on the desktop.
Please DO NOT include the word QUOTE when saving the file.


Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HSA]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SE]

[-HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SW]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F?? #????`I] 

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_O.#?´]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F?? #????`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F#`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\11F #`I]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\?%AF]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\O?rtȲ$]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\O.#?´]





STEP 9:
Please reboot into Safe Mode. For instructions click here
http://www.bleepingcomputer.com/tutorials/how-to-start-windows-in-safe-mode/

Get into Safe Mode using the F8 Key on your keyboard:
1.) Locate the F8 key on your keyboard and then reboot your PC. (Start, Shutdown, Restart)
2.) As soon as the monitor screen goes black, immediately start tapping the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
3.) Select the option for Safe Mode using the up down arrow keys.
4.) Then press Enter on your keyboard to boot into Safe Mode.
5.) Perform all the cleaning tasks here and when you are done, reboot PC back into normal mode (Windows).

STEP 10:
From Safe Mode, double-click on CWShredder.exe to open it and click the 'Fix->' button (not 'Scan Only'). You'll be prompted that CWShredder will shut down any Internet Explorer and Windows Media Player windows; click OK to continue and let it run completely to delete anything it finds.
After its scan, click Next, then Exit.

STEP 11:
From Safe Mode, browse to C:\AboutBuster and double click on aboutbuster.exe.
1.) Click Begin Removal and allow the program to run.
2.) After AboutBuster has finished click OK.
It will now open a new page, click on the Protection tab and follow the instructions for protection on that page.
3.) Now click Exit and then click OK to the Logfile created dialog box.

STEP 12:
From Safe Mode, run the eScan Antivirus Toolkit. Please follow these instructions:
1.) Double-click on the mwav.exe file saved to the desktop.
A WinZip Self-Extractor will appear.
2.) Click Unzip; by default it will extract all the program files to a new folder called Kaspersky at the root of the C:\ drive (C:\Kaspersky).
3.) A dialog box stating "168 file(s) unzipped successfully" will appear, click OK.
After clicking ok, the eScan AntiVirus Toolkit Utility interface will appear.
4.) With the eScan interface on your desktop, make sure that the boxes under Scan Option, Memory, Registry, Startup Folders, System Folders, Services, are all checked.
5.) Check the Drive box; this will create another Drive box below it. Check this second Drive box as well, and a large window across from the second Drive box appears.
In this window use the drop-down arrow and choose the drive letter of your hard drive, usually C:\.
6.) Below these boxes, make sure the box Scan All Files is checked, not Program Files.
7.) Click the Scan Clean button and let the utility run until it completes a thorough scan of your hard drive.
eScan will delete any viruses or trojans it finds.
8.) When the scan has finished, the top window will read Scan Completed.
To close the interface, click OK, click Exit, then click Exit again.

STEP 13:
From Safe Mode, run the Ewido Security Suite 3.0.

1.) Double-click on the Ewido shortcut on the desktop to open the program.
2.) On the upper LH side column, click on Scanner.
3.) Click on the + Everything button.
4.) Click on the Start button.
5.) Have the program delete everything it finds.

STEP 14:
From Safe Mode, run the Ad-Aware SE program you downloaded and configured earlier, make sure "Perform full system scan" is checked, let it scan the hard drive and delete all entries it finds.

Run the program again a second time.

STEP 15:
From Safe Mode, double-click on the cwsresfix.reg you created earlier, and when it prompts to merge say yes; this will clear some registry entries left behind by the process.
Now reboot the PC back into Normal Mode (Windows).

STEP 16:
Go to Start, Run, type in %temp% click OK.
Click Edit, Select All, click File, Delete, now click Yes to send items to Recycle Bin. Now empty Recycle Bin.

STEP 17:
This infection may delete the Windows shell.dll file and the control.exe file.
Make sure you always perform a Windows search for these files after the cleanup.

Go to Start, Search, For Files or Folders, and type in shell.dll.
For Windows XP, it will be found here:

C:\Windows\System32
C:\Windows\System


Now look for the control.exe file.
For Windows XP it will be found here:

C:\Windows\System32

If any of these files are missing in 2000 or XP, they can be replaced from the dllcache folder.

For Windows XP, a replacement can be found here:

C:\Windows\System32\dllcache

Now copy and paste the file(s) from the dllcache folder into the proper folder (shown above) according to your version of Windows.

The files shell.dll and control.exe can also be downloaded from here: http://www.spywareinfo.com/~merijn/winfiles.html

Once the file(s) are downloaded extract the file(s) and copy them into the proper folder (shown above) according to your version of Windows.

Please post your HijackThis log, the About:Buster log, and the Ewido log for review.

Be sure to tell me how each step ran or what problems you had with a step.
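As an added example (not from the thread, and not part of HijackThis): a Python triage pass over an excerpt of the log posted above, encoding the indicators groovicus acts on, namely search/start-page values redirected into a res:// DLL or about:blank, BHO and Run entries pointing at loose files in C:\WINDOWS, and an unknown-owner service with a garbled short name, then cross-checking each hit against the "Running processes" list. The heuristics, regexes and the `Finding` class are my own; the log lines are copied from the thread.

```python
"""Heuristic triage of a HijackThis 1.99 log for the CWS about:blank pattern
discussed in this thread. Added example; not part of the thread or of HijackThis."""
import re
from dataclasses import dataclass

# Excerpt of the second log posted in this thread, with a few clean entries
# kept so the heuristics have benign lines to pass over.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\mscn32.exe
C:\WINDOWS\appmi.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\zymkd.dll/sp.html#37049
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
O2 - BHO: Class - {461B6EFD-230C-BCDF-DDF3-63EE7DCC6733} - C:\WINDOWS\system32\mshq32.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mscn32.exe] C:\WINDOWS\mscn32.exe
O4 - HKLM\..\Run: [addkq.exe] C:\WINDOWS\system32\addkq.exe
O23 - Service: Workstation NetLogon Service ( 11F#`I) - Unknown owner - C:\WINDOWS\appmi.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

@dataclass
class Finding:
    section: str   # R1, O2, O4 or O23
    path: str      # file the entry points at, lower-cased
    reason: str
    running: bool  # that file also appears under "Running processes"

# A file sitting directly in C:\WINDOWS or C:\WINDOWS\system32, in no deeper folder.
WINDIR_DIRECT = re.compile(r"^c:\\windows\\(?:system32\\)?[^\\]+$", re.I)
# A res:// pointer into a DLL dropped in C:\WINDOWS: the about:blank search hijack.
RES_HIJACK = re.compile(r"res://(c:\\windows\\[^/]+\.dll)/sp\.html", re.I)
R_LINE = re.compile(r"^(R[01]) - (.+?),(.+?)\s*=\s*(.*)$")
O2_LINE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]+)\} - (.+)$")
O4_LINE = re.compile(r"^O4 - (.+?): \[([^\]]+)\] (.+)$")
O23_LINE = re.compile(r"^O23 - Service: (.+?)(?: \((.+)\))? - (.+?) - (.+)$")

def exe_path(command: str) -> str:
    """Strip arguments from an O4 command line: quoted path, or text before ' -'."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" -")[0]

def running_processes(text: str) -> set:
    """Collect the 'Running processes:' block (it ends at the first blank line)."""
    procs, in_block = set(), False
    for line in text.splitlines():
        if line.startswith("Running processes:"):
            in_block = True
        elif in_block and not line.strip():
            break
        elif in_block:
            procs.add(line.strip().lower())
    return procs

def triage(text: str) -> list:
    """Return one Finding per log line matching a CWS about:blank indicator."""
    procs = running_processes(text)
    findings = []

    def flag(section, path, reason):
        p = path.strip().lower()
        findings.append(Finding(section, p, reason, p in procs))

    for line in (raw.strip() for raw in text.splitlines()):
        if m := R_LINE.match(line):
            sect, _key, name, data = m.groups()
            if hit := RES_HIJACK.search(data):
                flag(sect, hit.group(1), f"{name} redirected into a res:// DLL")
            elif data.lower() == "about:blank":
                flag(sect, "", f"{name} forced to about:blank")
        elif m := O2_LINE.match(line):
            name, _clsid, dll = m.groups()
            if WINDIR_DIRECT.match(dll.strip()):
                flag("O2", dll, f"BHO '{name}' loads a DLL dropped loose in the Windows directory")
        elif m := O4_LINE.match(line):
            _hive, name, cmd = m.groups()
            path = exe_path(cmd)
            if WINDIR_DIRECT.match(path):
                flag("O4", path, f"Run entry [{name}] starts a loose executable in the Windows directory")
        elif m := O23_LINE.match(line):
            display, short, owner, path = m.groups()
            # Short names made of punctuation/control characters, as in "( 11F#`I)" above.
            garbled = bool(short) and re.search(r"[^\w ]", short) is not None
            if owner == "Unknown owner" and (garbled or WINDIR_DIRECT.match(path.strip())):
                flag("O23", path, f"service '{display}' has no known owner and short name {short!r}")
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{'RUNNING ' if f.running else ''}{f.reason}: {f.path}")
```

Entries flagged as RUNNING are the ones to stop (the O23 service in STEP 7) before the file cleanup, since a live process will recreate its Run and BHO entries.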

#5 ChaosIllusion00
  • Topic Starter

  • Members
  • 16 posts
  • Local time:03:24 AM

Posted 17 June 2005 - 07:36 PM

Alright, I did what was said. The log certainly looks better than it did; however, about:blank still exists. Would just removing it from HijackThis solve the problem? I dunno. Anyway, here are the logs requested: HijackThis, About:Buster, and Ewido, in that order.

Logfile of HijackThis v1.99.1
Scan saved at 7:30:26 PM, on 6/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Download\SpywareRemovers\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [IEXPLORE.EXE] C:\Program Files\Internet Explorer\IEXPLORE.EXE
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNOTIFY.EXE
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Alias Wavefront Help Server (AWHelpServer) - Unknown owner - C:\Program Files\AliasWavefront\Maya5.0\docs\Wrapper.exe" -s "C:\Program Files\AliasWavefront\Maya5.0\docs/Wrapper.conf (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

AboutBuster 5.0 reference file 30
Scan started on [6/17/2005] at [1:59:17 PM]
------------------------------------------------
Removed Stream! C:\WINDOWS\Ade001.bin:belnbc
Removed Stream! C:\WINDOWS\Ade001.bin:rnobfz
Removed Stream! C:\WINDOWS\Ade001.bin:tcrvev
Removed Stream! C:\WINDOWS\aucfg.ini:tfdadm
Removed Stream! C:\WINDOWS\aucfg.ini:ulfbpp
Removed Stream! C:\WINDOWS\AuHCcup1.ini:vcilcs
Removed Stream! C:\WINDOWS\bdxft.txt:ozwzrr
Removed Stream! C:\WINDOWS\bdxft.txt:vlhdyb
Removed Stream! C:\WINDOWS\bkkrl.dat:foksqv
Removed Stream! C:\WINDOWS\bkkrl.dat:mmxhjz
Removed Stream! C:\WINDOWS\bkkrl.dat:nwhice
Removed Stream! C:\WINDOWS\bmjxj.dat:wtzued
Removed Stream! C:\WINDOWS\bootstat.dat:kdkfpd
Removed Stream! C:\WINDOWS\btzmi.dat:gdleyn
Removed Stream! C:\WINDOWS\btzmi.dat:gxanwg
Removed Stream! C:\WINDOWS\btzmi.dat:xpuxkg
Removed Stream! C:\WINDOWS\caitn.dat:dectkg
Removed Stream! C:\WINDOWS\cgfoo.dat:zukmbq
Removed Stream! C:\WINDOWS\cjdbp.txt:rvvsvb
Removed Stream! C:\WINDOWS\ckxbg.txt:bfvpst
Removed Stream! C:\WINDOWS\clock.avi:irfigt
Removed Stream! C:\WINDOWS\Coffee Bean.bmp:empfvx
Removed Stream! C:\WINDOWS\dskxf.dat:pnaqsj
Removed Stream! C:\WINDOWS\dutya.txt:cbjbkh
Removed Stream! C:\WINDOWS\dutya.txt:rpjacl
Removed Stream! C:\WINDOWS\dwhya.txt:aqpzph
Removed Stream! C:\WINDOWS\eoelg.dat:holvmu
Removed Stream! C:\WINDOWS\eoelg.dat:qdobkr
Removed Stream! C:\WINDOWS\EPSON Stylus CX5400.ini:sqhejs
Removed Stream! C:\WINDOWS\EPSON Stylus CX5400.ini:zybgvr
Removed Stream! C:\WINDOWS\eReg.dat:lhldqs
Removed Stream! C:\WINDOWS\explorer.scf:lrajlu
Removed Stream! C:\WINDOWS\Gone Fishing.bmp:dkkizf
Removed Stream! C:\WINDOWS\Greenstone.bmp:gdfzie
Removed Stream! C:\WINDOWS\Greenstone.bmp:qgndpk
Removed Stream! C:\WINDOWS\klfkg.dat:zhtqwa
Removed Stream! C:\WINDOWS\kxpke.dat:itjenm
Removed Stream! C:\WINDOWS\lmsuz.dat:voqtof
Removed Stream! C:\WINDOWS\lxcdm.dat:npigqp
Removed Stream! C:\WINDOWS\lzjet.dat:lvotym
Removed Stream! C:\WINDOWS\mcjay.dat:cjxjsn
Removed Stream! C:\WINDOWS\mnmqf.log:vkpomy
Removed Stream! C:\WINDOWS\mrhtu.dat:reqsez
Removed Stream! C:\WINDOWS\msdfmap.ini:gpptxp
Removed Stream! C:\WINDOWS\msdfmap.ini:tzywlx
Removed Stream! C:\WINDOWS\mwdwk.txt:rxcemz
Removed Stream! C:\WINDOWS\nafjz.log:zbjiuh
Removed Stream! C:\WINDOWS\ntbtlog.txt:jyvsgj
Removed Stream! C:\WINDOWS\n_jyeaki.txt:kcmbqt
Removed Stream! C:\WINDOWS\n_kauxxc.dat:qlaxrx
Removed Stream! C:\WINDOWS\n_oeqqjq.txt:cdfgse
Removed Stream! C:\WINDOWS\ODBC.INI:dsgpul
Removed Stream! C:\WINDOWS\ODBCINST.INI:gukgup
Removed Stream! C:\WINDOWS\ODBCINST.INI:ynhyeh
Removed Stream! C:\WINDOWS\odbctrp.ini:bikhln
Removed Stream! C:\WINDOWS\odbctrp.ini:hqvpwl
Removed Stream! C:\WINDOWS\onaiw.log:psqztc
Removed Stream! C:\WINDOWS\oqqsa.dat:kjklnv
Removed Stream! C:\WINDOWS\ozlid.dat:arguyv
Removed Stream! C:\WINDOWS\pi2000.ini:jozegs
Removed Stream! C:\WINDOWS\pi2000.ini:qfimsx
Removed Stream! C:\WINDOWS\pi2000.ini:ujdnnp
Removed Stream! C:\WINDOWS\PI_setup.ini:nlacmn
Removed Stream! C:\WINDOWS\PI_setup.ini:yidcyu
Removed Stream! C:\WINDOWS\PowerReg.dat:almzxz
Removed Stream! C:\WINDOWS\PowerReg.dat:cjdypf
Removed Stream! C:\WINDOWS\PowerReg.dat:gmcfki
Removed Stream! C:\WINDOWS\PowerReg.dat:jgasuz
Removed Stream! C:\WINDOWS\Prairie Wind.bmp:ronzqk
Removed Stream! C:\WINDOWS\prolc.txt:qqnkfr
Removed Stream! C:\WINDOWS\QTFont.qfn:bozhem
Removed Stream! C:\WINDOWS\qxeum.log:rofxgv
Removed Stream! C:\WINDOWS\REGLOCS.OLD:pdylen
Removed Stream! C:\WINDOWS\REGLOCS.OLD:uhekqu
Removed Stream! C:\WINDOWS\REGLOCS.OLD:zzxary
Removed Stream! C:\WINDOWS\Rhododendron.bmp:bcyaor
Removed Stream! C:\WINDOWS\rihyo.txt:brzdum
Removed Stream! C:\WINDOWS\rihyo.txt:kxpkec
Removed Stream! C:\WINDOWS\rihyo.txt:mqkasz
Removed Stream! C:\WINDOWS\River Sumida.bmp:rzpnti
Removed Stream! C:\WINDOWS\rnobf.dat:fivfuj
Removed Stream! C:\WINDOWS\Santa Fe Stucco.bmp:dyaphn
Removed Stream! C:\WINDOWS\Setup8a.ini:crabmc
Removed Stream! C:\WINDOWS\tlknw19.ini:gwmwqz
Removed Stream! C:\WINDOWS\tlknw19.ini:khgzhm
Removed Stream! C:\WINDOWS\tmupdate.ini:hshiho
Removed Stream! C:\WINDOWS\tsc.ini:yxfbkc
Removed Stream! C:\WINDOWS\Tw561a.ini:ciqecw
Removed Stream! C:\WINDOWS\Tw561a.ini:sjzalx
Removed Stream! C:\WINDOWS\Tw561a.ini:zlavjy
Removed Stream! C:\WINDOWS\ufkzj.txt:lrhsix
Removed Stream! C:\WINDOWS\vbaddin.ini:rnjltu
Removed Stream! C:\WINDOWS\vbaddin.ini:vjjrez
Removed Stream! C:\WINDOWS\vumen.dat:umbllt
Removed Stream! C:\WINDOWS\win.ini:mnmqfd
Removed Stream! C:\WINDOWS\win.ini:wzfkdj
Removed Stream! C:\WINDOWS\winamp.ini:gqbbxt
Removed Stream! C:\WINDOWS\winamp.ini:jouqne
Removed Stream! C:\WINDOWS\winnt.bmp:cpmwqh
Removed Stream! C:\WINDOWS\winnt.bmp:ozyyxm
Removed Stream! C:\WINDOWS\winnt.bmp:qoizqm
Removed Stream! C:\WINDOWS\winnt256.bmp:yrmgzd
Removed Stream! C:\WINDOWS\WMSysPr8.prx:itovxt
Removed Stream! C:\WINDOWS\WMSysPr8.prx:mpfjkr
Removed Stream! C:\WINDOWS\WMSysPr9.prx:nyeubw
Removed Stream! C:\WINDOWS\xeohw.dat:jyflhq
Removed Stream! C:\WINDOWS\xjlzd.txt:weuobe
Removed Stream! C:\WINDOWS\xqwgh.dat:zlgjxd
Removed Stream! C:\WINDOWS\yacs.log:hddzal
Removed Stream! C:\WINDOWS\ycluy.dat:dwktwq
Removed Stream! C:\WINDOWS\ycluy.dat:pfntvo
Removed Stream! C:\WINDOWS\yxfbk.log:uarwdl
Removed Stream! C:\WINDOWS\yxfbk.log:vwcyqa
Removed Stream! C:\WINDOWS\zgidq.txt:ykkptz
Removed Stream! C:\WINDOWS\zqxqq.dat:cwqteb
Removed Stream! C:\WINDOWS\zzxar.dat:qkdvnk
Removed Stream! C:\WINDOWS\{89E47CB0-B8BF-4CF3-8924-3CB58DB07D8F}.dat:ffriru
Removed Stream! C:\WINDOWS\{89E47CB0-B8BF-4CF3-8924-3CB58DB07D8F}.dat:znbvao
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:agjsbl
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:anfhfu
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:anlndx
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:aqmido
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:auagwy
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:axgmwn
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:axszeq
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:bbypcl
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:begnjx
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:bhpack
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:cgfooj
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:cnpjfr
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:cqnflx
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:ctkann
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:cvdztk
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:dfaixo
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:dmxyan
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:dnlzuf
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:drhlkh
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:eiqhor
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:evzcqs
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:fbeuzy
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:fddddt
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:fhudii
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:fkyrbm
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:fmythx
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:fsxupt
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:fwbjqu
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:fxmgbc
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:gakppf
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:ggknua
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:gqmrvy
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:gwrqdp
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:hbhbun
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:hbvyrq
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:hhtzfh
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:hmucdk
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:iaocib
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:icgzze
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:ifzbtq
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:igujyu
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:iyiyda
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:izojov
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:jguiuy
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:jihfew
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:jjkqop
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:jpvsrn
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:jrsdct
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:jsezfn
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:jsrvkc
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:jtabac
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:jznxqm
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:kbecnk
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:kcirao
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:kilvnv
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:kmwdlh
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:lrgzkk
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:mfrygr
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:mhswgx
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:nrmpnr
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:nvvzzz
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:nxgspf
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:oarknd
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:ofszzp
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:ogbcuw
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:pknuxu
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:pojzro
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:pwghhd
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:pwkvmf
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:pwvbaa
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:pxfvda
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:pzedmk
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:qasxnz
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:qehuqa
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:qeowzo
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:qfynzb
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:qgusoh
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:qgxndk
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:qrzyaj
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:qxpliq
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:rhaisl
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:riolqw
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:rleyjw
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:rrmudc
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:rrxbrt
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:rsazli
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:rvtgi
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:scodlt
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:sefxji
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:smagtv
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:tqnlqa
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:tulrrg
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:tzymkd
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:ubqqmz
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:uhhrmm
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:uianev
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:ulvwyg
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:uuluxx
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:vezgxa
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:vgsoaz
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:vmiduq
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:voenwi
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:vozohu
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:vsaynr
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:vvykjn
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:wbjxzy
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:wjimqu
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:wkjjhx
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:wyoxel
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:xffggn
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:xgeabz
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:xjdhdk
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:xlppma
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:xnrmpe
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:xyxmee
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:xzmjct
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:ygkntx
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:yhvgwm
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:yrfwxj
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:ytpzje
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:yzislo
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:zbcujq
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:zgidqa
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:zieezs
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:zliays
Removed Stream! C:\WINDOWS\{F6E76407-1FE4-4DB3-B5E8-D783668BAEB6}.dat:zmvodo
------------------------------------------------
Removed File! : C:\Windows\aahoi.dat
Removed File! : C:\Windows\adddr.exe
Removed File! : C:\Windows\adddz32.exe
Removed File! : C:\Windows\addht32.exe
Removed File! : C:\Windows\addju32.exe
Removed File! : C:\Windows\addki32.exe
Removed File! : C:\Windows\addkq32.exe
Removed File! : C:\Windows\addmh32.exe
Removed File! : C:\Windows\addnd32.exe
Removed File! : C:\Windows\addsa32.exe
Removed File! : C:\Windows\addvo32.exe
Removed File! : C:\Windows\addxw.exe
Removed File! : C:\Windows\afnpz.dll
Removed File! : C:\Windows\apiag32.exe
Removed File! : C:\Windows\apier32.exe
Removed File! : C:\Windows\apinx32.exe
Removed File! : C:\Windows\apior32.exe
Removed File! : C:\Windows\apith32.exe
Removed File! : C:\Windows\apizb32.exe
Removed File! : C:\Windows\apizj.exe
Removed File! : C:\Windows\apizl32.exe
Removed File! : C:\Windows\appci.exe
Removed File! : C:\Windows\appmi.exe
Removed File! : C:\Windows\appqb.exe
Removed File! : C:\Windows\appuj32.exe
Removed File! : C:\Windows\appxp32.exe
Removed File! : C:\Windows\appzb.exe
Removed File! : C:\Windows\appzy32.exe
Removed File! : C:\Windows\atldl32.exe
Removed File! : C:\Windows\atlhi.exe
Removed File! : C:\Windows\atlir.exe
Removed File! : C:\Windows\atllv32.exe
Removed File! : C:\Windows\atlys32.exe
Removed File! : C:\Windows\bkkrl.dat
Removed File! : C:\Windows\bmjxj.dat
Removed File! : C:\Windows\btzmi.dat
Removed File! : C:\Windows\cres32.exe
Removed File! : C:\Windows\crhv32.exe
Removed File! : C:\Windows\crhx.exe
Removed File! : C:\Windows\crpl.exe
Removed File! : C:\Windows\crvg.exe
Removed File! : C:\Windows\crza.exe
Removed File! : C:\Windows\cypet.dat
Removed File! : C:\Windows\d3dm.exe
Removed File! : C:\Windows\d3fh32.exe
Removed File! : C:\Windows\d3fu.exe
Removed File! : C:\Windows\d3li32.exe
Removed File! : C:\Windows\d3ma32.exe
Removed File! : C:\Windows\d3mn32.exe
Removed File! : C:\Windows\d3tv32.exe
Removed File! : C:\Windows\d3va32.exe
Removed File! : C:\Windows\d3wk.exe
Removed File! : C:\Windows\d3wr32.exe
Removed File! : C:\Windows\d3yy32.exe
Removed File! : C:\Windows\ddddt.dll
Removed File! : C:\Windows\dskxf.dat
Removed File! : C:\Windows\ejbjq.dll
Removed File! : C:\Windows\ejxci.dat
Removed File! : C:\Windows\eoelg.dat
Removed File! : C:\Windows\ffmuh.dat
Removed File! : C:\Windows\gujst.dat
Removed File! : C:\Windows\iejp.exe
Removed File! : C:\Windows\ietb.exe
Removed File! : C:\Windows\iflku.dll
Removed File! : C:\Windows\ipal32.exe
Removed File! : C:\Windows\ipdu.exe
Removed File! : C:\Windows\ipdx.exe
Removed File! : C:\Windows\ipeh.exe
Removed File! : C:\Windows\ipgi.exe
Removed File! : C:\Windows\ipok32.exe
Removed File! : C:\Windows\ipun.exe
Removed File! : C:\Windows\javafe32.exe
Removed File! : C:\Windows\javagf32.exe
Removed File! : C:\Windows\javakq32.exe
Removed File! : C:\Windows\javall32.exe
Removed File! : C:\Windows\javayr32.exe
Removed File! : C:\Windows\jhnyq.dat
Removed File! : C:\Windows\kdkfp.dat
Removed File! : C:\Windows\khpcw.dll
Removed File! : C:\Windows\klfkg.dat
Removed File! : C:\Windows\kxpke.dat
Removed File! : C:\Windows\lmsuz.dat
Removed File! : C:\Windows\lsgik.dll
Removed File! : C:\Windows\lxcdm.dat
Removed File! : C:\Windows\lzjet.dat
Removed File! : C:\Windows\mfcdq.exe
Removed File! : C:\Windows\mfcic32.exe
Removed File! : C:\Windows\mfcii.exe
Removed File! : C:\Windows\mfcik32.exe
Removed File! : C:\Windows\mfciz32.exe
Removed File! : C:\Windows\mfclc.exe
Removed File! : C:\Windows\mfclj32.exe
Removed File! : C:\Windows\mfclp.exe
Removed File! : C:\Windows\mfcpz32.exe
Removed File! : C:\Windows\mfcuq32.exe
Removed File! : C:\Windows\mfczm.exe
Removed File! : C:\Windows\misty.dat
Removed File! : C:\Windows\mrhtu.dat
Removed File! : C:\Windows\msal.exe
Removed File! : C:\Windows\mscn32.exe
Removed File! : C:\Windows\mshi32.exe
Removed File! : C:\Windows\mstv.exe
Removed File! : C:\Windows\netan32.exe
Removed File! : C:\Windows\netaq32.exe
Removed File! : C:\Windows\netbj.exe
Removed File! : C:\Windows\netyi32.exe
Removed File! : C:\Windows\ntfz32.exe
Removed File! : C:\Windows\ntga.exe
Removed File! : C:\Windows\ntip.exe
Removed File! : C:\Windows\ntrj32.exe
Removed File! : C:\Windows\ntto.exe
Removed File! : C:\Windows\ntya.exe
Removed File! : C:\Windows\ormcm.dll
Removed File! : C:\Windows\ozlid.dat
Removed File! : C:\Windows\pfntv.dat
Removed File! : C:\Windows\pvdfo.dat
Removed File! : C:\Windows\qsiks.dat
Removed File! : C:\Windows\sdkcm32.exe
Removed File! : C:\Windows\sdkoe32.exe
Removed File! : C:\Windows\sdkqi32.exe
Removed File! : C:\Windows\sdkqs32.exe
Removed File! : C:\Windows\sdktf.exe
Removed File! : C:\Windows\sdkuz.exe
Removed File! : C:\Windows\sdkvn32.exe
Removed File! : C:\Windows\sdkxm32.exe
Removed File! : C:\Windows\skwsc.dat
Removed File! : C:\Windows\sysmj.exe
Removed File! : C:\Windows\sysqm.exe
Removed File! : C:\Windows\syssd32.exe
Removed File! : C:\Windows\syswh.exe
Removed File! : C:\Windows\sysya32.exe
Removed File! : C:\Windows\szjru.dat
Removed File! : C:\Windows\uaxvk.dll
Removed File! : C:\Windows\uqmnt.dat
Removed File! : C:\Windows\vumen.dat
Removed File! : C:\Windows\winht.exe
Removed File! : C:\Windows\winia.exe
Removed File! : C:\Windows\winwi.exe
Removed File! : C:\Windows\winxj32.exe
Removed File! : C:\Windows\winxr.exe
Removed File! : C:\Windows\winyl32.exe
Removed File! : C:\Windows\wzgaj.dll
Removed File! : C:\Windows\xeohw.dat
Removed File! : C:\Windows\xqwgh.dat
Removed File! : C:\Windows\ycluy.dat
Removed File! : C:\Windows\yvehw.dat
Removed File! : C:\Windows\yywoj.dat
Removed File! : C:\Windows\zqxqq.dat
Removed File! : C:\Windows\zymkd.dll
Removed File! : C:\Windows\zzxar.dat
Removed File! : C:\Windows\System32\aayzw.dll
Removed File! : C:\Windows\System32\addbk.exe
Removed File! : C:\Windows\System32\addgt32.exe
Removed File! : C:\Windows\System32\addkh.exe
Removed File! : C:\Windows\System32\addko32.exe
Removed File! : C:\Windows\System32\addog.exe
Removed File! : C:\Windows\System32\addpg32.exe
Removed File! : C:\Windows\System32\addpm.exe
Removed File! : C:\Windows\System32\addpu.exe
Removed File! : C:\Windows\System32\addsl.exe
Removed File! : C:\Windows\System32\adduh.exe
Removed File! : C:\Windows\System32\addxg32.exe
Removed File! : C:\Windows\System32\apidm.exe
Removed File! : C:\Windows\System32\apihs.exe
Removed File! : C:\Windows\System32\apikg.exe
Removed File! : C:\Windows\System32\apisp.exe
Removed File! : C:\Windows\System32\apisq.exe
Removed File! : C:\Windows\System32\apiyx.exe
Removed File! : C:\Windows\System32\appcd32.exe
Removed File! : C:\Windows\System32\appcs.exe
Removed File! : C:\Windows\System32\appga32.exe
Removed File! : C:\Windows\System32\appkc.exe
Removed File! : C:\Windows\System32\applj.exe
Removed File! : C:\Windows\System32\apptt32.exe
Removed File! : C:\Windows\System32\atlif.exe
Removed File! : C:\Windows\System32\atlln32.exe
Removed File! : C:\Windows\System32\atlue.exe
Removed File! : C:\Windows\System32\bhpac.dat
Removed File! : C:\Windows\System32\bjiuh.dll
Removed File! : C:\Windows\System32\crja32.exe
Removed File! : C:\Windows\System32\crjo32.exe
Removed File! : C:\Windows\System32\crjy32.exe
Removed File! : C:\Windows\System32\crkp32.exe
Removed File! : C:\Windows\System32\crmp32.exe
Removed File! : C:\Windows\System32\crqm.exe
Removed File! : C:\Windows\System32\crrf.exe
Removed File! : C:\Windows\System32\crwp32.exe
Removed File! : C:\Windows\System32\crzo.exe
Removed File! : C:\Windows\System32\d3ah.exe
Removed File! : C:\Windows\System32\d3ax.exe
Removed File! : C:\Windows\System32\d3es.exe
Removed File! : C:\Windows\System32\d3li.exe
Removed File! : C:\Windows\System32\d3nl.exe
Removed File! : C:\Windows\System32\d3pe32.exe
Removed File! : C:\Windows\System32\d3zd.exe
Removed File! : C:\Windows\System32\dggbh.dat
Removed File! : C:\Windows\System32\ebhtu.dll
Removed File! : C:\Windows\System32\ffrir.dat
Removed File! : C:\Windows\System32\fnqml.dat
Removed File! : C:\Windows\System32\fwnjm.dat
Removed File! : C:\Windows\System32\gakpp.dat
Removed File! : C:\Windows\System32\gaqdz.dat
Removed File! : C:\Windows\System32\hcrtv.dat
Removed File! : C:\Windows\System32\hxflw.dat
Removed File! : C:\Windows\System32\iebk32.exe
Removed File! : C:\Windows\System32\iebz32.exe
Removed File! : C:\Windows\System32\iecm32.exe
Removed File! : C:\Windows\System32\iedd.exe
Removed File! : C:\Windows\System32\iejz32.exe
Removed File! : C:\Windows\System32\ielj.exe
Removed File! : C:\Windows\System32\ievv.exe
Removed File! : C:\Windows\System32\iezd32.exe
Removed File! : C:\Windows\System32\iplf.exe
Removed File! : C:\Windows\System32\ipow.exe
Removed File! : C:\Windows\System32\ipqm.exe
Removed File! : C:\Windows\System32\iptj32.exe
Removed File! : C:\Windows\System32\ipuh32.exe
Removed File! : C:\Windows\System32\ipvn.exe
Removed File! : C:\Windows\System32\iries.dat
Removed File! : C:\Windows\System32\javaat32.exe
Removed File! : C:\Windows\System32\javaaw.exe
Removed File! : C:\Windows\System32\javabh.exe
Removed File! : C:\Windows\System32\javaiy.exe
Removed File! : C:\Windows\System32\javann32.exe
Removed File! : C:\Windows\System32\jjwrt.dat
Removed File! : C:\Windows\System32\jriug.dat
Removed File! : C:\Windows\System32\kdfng.dat
Removed File! : C:\Windows\System32\mfcot32.exe
Removed File! : C:\Windows\System32\mfcte.exe
Removed File! : C:\Windows\System32\mfcve.exe
Removed File! : C:\Windows\System32\msbn.exe
Removed File! : C:\Windows\System32\msew.exe
Removed File! : C:\Windows\System32\msys.exe
Removed File! : C:\Windows\System32\ndqpp.dll
Removed File! : C:\Windows\System32\netis32.exe
Removed File! : C:\Windows\System32\netnb.exe
Removed File! : C:\Windows\System32\netpb32.exe
Removed File! : C:\Windows\System32\netqe32.exe
Removed File! : C:\Windows\System32\netqp32.exe
Removed File! : C:\Windows\System32\nettr32.exe
Removed File! : C:\Windows\System32\ntbr32.exe
Removed File! : C:\Windows\System32\ntkn32.exe
Removed File! : C:\Windows\System32\ntrq32.exe
Removed File! : C:\Windows\System32\ntyy.exe
Removed File! : C:\Windows\System32\reegm.dll
Removed File! : C:\Windows\System32\rixak.dat
Removed File! : C:\Windows\System32\rxcem.dat
Removed File! : C:\Windows\System32\sdkdz.exe
Removed File! : C:\Windows\System32\sdkgq32.exe
Removed File! : C:\Windows\System32\sdkjo32.exe
Removed File! : C:\Windows\System32\sdklz.exe
Removed File! : C:\Windows\System32\sdkoq32.exe
Removed File! : C:\Windows\System32\sdkwe.exe
Removed File! : C:\Windows\System32\sdkxw32.exe
Removed File! : C:\Windows\System32\sdkzv.exe
Removed File! : C:\Windows\System32\sdwfq.dat
Removed File! : C:\Windows\System32\sysbd.exe
Removed File! : C:\Windows\System32\sysbu.exe
Removed File! : C:\Windows\System32\syscu.exe
Removed File! : C:\Windows\System32\sysht32.exe
Removed File! : C:\Windows\System32\sysmq32.exe
Removed File! : C:\Windows\System32\sysnb.exe
Removed File! : C:\Windows\System32\sysof.exe
Removed File! : C:\Windows\System32\sysqy.exe
Removed File! : C:\Windows\System32\syswq.exe
Removed File! : C:\Windows\System32\sysxb32.exe
Removed File! : C:\Windows\System32\sysyd32.exe
Removed File! : C:\Windows\System32\ttpcv.dat
Removed File! : C:\Windows\System32\uhxtr.dat
Removed File! : C:\Windows\System32\uoare.dat
Removed File! : C:\Windows\System32\voenw.dat
Removed File! : C:\Windows\System32\winbf.exe
Removed File! : C:\Windows\System32\winem.exe
Removed File! : C:\Windows\System32\winho.exe
Removed File! : C:\Windows\System32\winly32.exe
Removed File! : C:\Windows\System32\winnd32.exe
Removed File! : C:\Windows\System32\winul32.exe
Removed File! : C:\Windows\System32\winwd.exe
Removed File! : C:\Windows\System32\ycwvq.dat
Removed File! : C:\Windows\System32\yeubw.dll
Removed File! : C:\Windows\System32\yyiid.dll
------------------------------------------------
Scan was COMPLETED SUCCESSFULLY at 2:00:32 PM


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:02:39 PM, 6/17/2005
+ Report-Checksum: FA032A11

+ Date of database: 6/17/2005
+ Version of scan engine: v3.0

+ Duration: 137 min
+ Scanned Files: 381538
+ Speed: 46.29 Files/Second
+ Infected files: 42
+ Removed files: 30
+ Files put in quarantine: 30
+ Files that could not be opened: 0
+ Files that could not be cleaned: 12

+ Binder: Yes
+ Crypter: Yes
+ Archives: Yes

+ Scanned items:
C:\
C:\

+ Scan result:
C:\Documents and Settings\Steve\Cookies\steve@abcsearch[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Steve\Cookies\steve@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Steve\Cookies\steve@as1.falkag[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Steve\Cookies\steve@bilbo.counted[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Steve\Cookies\steve@fastclick[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Steve\Cookies\steve@outster[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Steve\Cookies\steve@realmedia[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Steve\Cookies\steve@tradedoubler[1].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Steve\Cookies\steve@tribalfusion[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Documents and Settings\Steve\Cookies\steve@xxxcounter[2].txt -> Spyware.Tracking-Cookie -> Cleaned with backup
C:\Download\ACID Pro Loops Library.exe.rar/ACID Pro Loops Library.exe -> Dialer.Generic -> Cleaned with backup
C:\Download\Rars\AliasWavefront Maya4 Final.RB0/tempdat/Virtual Reality/Maya 4 Final/PLUGINS/B3D/BDEData2.dll -> Spyware.BrillianDigital -> Cleaned with backup
C:\Download\Rars\AliasWavefront Maya4 Final.RB0/tempdat/Virtual Reality/Maya 4 Final/PLUGINS/B3D/BDEFdi.dll -> Spyware.BrillianDigital -> Cleaned with backup
C:\Download\Rars\AliasWavefront Maya4 Final.RB0/tempdat/Virtual Reality/Maya 4 Final/PLUGINS/B3D/COMMON/BDEINSTA/BDEInsNS.jar/BDEData2.dll -> Spyware.BrillianDigital -> Cleaned with backup
C:\Download\Rars\AliasWavefront Maya4 Final.RB0/tempdat/Virtual Reality/Maya 4 Final/PLUGINS/B3D/COMMON/BDEINSTA/BDEInsNS.jar/BDEFdi.dll -> Spyware.BrillianDigital -> Cleaned with backup
C:\Download\Rars\AliasWavefront Maya4 Final.zip/tempdat/Virtual Reality/Maya 4 Final/PLUGINS/B3D/BDEData2.dll -> Spyware.BrillianDigital -> Cleaned with backup
C:\Download\Rars\AliasWavefront Maya4 Final.zip/tempdat/Virtual Reality/Maya 4 Final/PLUGINS/B3D/BDEFdi.dll -> Spyware.BrillianDigital -> Cleaned with backup
C:\Download\Rars\AliasWavefront Maya4 Final.zip/tempdat/Virtual Reality/Maya 4 Final/PLUGINS/B3D/COMMON/BDEINSTA/BDEInsNS.jar/BDEData2.dll -> Spyware.BrillianDigital -> Cleaned with backup
C:\Download\Rars\AliasWavefront Maya4 Final.zip/tempdat/Virtual Reality/Maya 4 Final/PLUGINS/B3D/COMMON/BDEINSTA/BDEInsNS.jar/BDEFdi.dll -> Spyware.BrillianDigital -> Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug.a -> Cleaned with backup
C:\temp\sahagent-cdt1004.exe -> Spyware.Sahat.m -> Cleaned with backup
C:\Documents and Settings\Steve\Cookies\steve@abcsearch[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Steve\Cookies\steve@adknowledge[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Steve\Cookies\steve@as1.falkag[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Steve\Cookies\steve@bilbo.counted[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Steve\Cookies\steve@fastclick[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Steve\Cookies\steve@outster[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Steve\Cookies\steve@realmedia[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Steve\Cookies\steve@tradedoubler[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Steve\Cookies\steve@tribalfusion[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Documents and Settings\Steve\Cookies\steve@xxxcounter[2].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Download\ACID Pro Loops Library.exe.rar/ACID Pro Loops Library.exe -> Dialer.Generic -> Cleaned with backup
C:\Download\Rars\AliasWavefront Maya4 Final.RB0/tempdat/Virtual Reality/Maya 4 Final/PLUGINS/B3D/BDEData2.dll -> Spyware.BrillianDigital -> Cleaned with backup
C:\Download\Rars\AliasWavefront Maya4 Final.RB0/tempdat/Virtual Reality/Maya 4 Final/PLUGINS/B3D/BDEFdi.dll -> Spyware.BrillianDigital -> Cleaned with backup
C:\Download\Rars\AliasWavefront Maya4 Final.RB0/tempdat/Virtual Reality/Maya 4 Final/PLUGINS/B3D/COMMON/BDEINSTA/BDEInsNS.jar/BDEData2.dll -> Spyware.BrillianDigital -> Cleaned with backup
C:\Download\Rars\AliasWavefront Maya4 Final.RB0/tempdat/Virtual Reality/Maya 4 Final/PLUGINS/B3D/COMMON/BDEINSTA/BDEInsNS.jar/BDEFdi.dll -> Spyware.BrillianDigital -> Cleaned with backup
C:\Download\Rars\AliasWavefront Maya4 Final.zip/tempdat/Virtual Reality/Maya 4 Final/PLUGINS/B3D/BDEData2.dll -> Spyware.BrillianDigital -> Cleaned with backup
C:\Download\Rars\AliasWavefront Maya4 Final.zip/tempdat/Virtual Reality/Maya 4 Final/PLUGINS/B3D/BDEFdi.dll -> Spyware.BrillianDigital -> Cleaned with backup
C:\Download\Rars\AliasWavefront Maya4 Final.zip/tempdat/Virtual Reality/Maya 4 Final/PLUGINS/B3D/COMMON/BDEINSTA/BDEInsNS.jar/BDEData2.dll -> Spyware.BrillianDigital -> Cleaned with backup
C:\Download\Rars\AliasWavefront Maya4 Final.zip/tempdat/Virtual Reality/Maya 4 Final/PLUGINS/B3D/COMMON/BDEINSTA/BDEInsNS.jar/BDEFdi.dll -> Spyware.BrillianDigital -> Cleaned with backup
C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Spyware.Wheaterbug.a -> Error during cleaning
C:\temp\sahagent-cdt1004.exe -> Spyware.Sahat.m -> Error during cleaning


::Report End
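
As an added example (not code from this thread or from the Ewido scanner), a small Python parser for the `path -> detection -> status` line format of the report above; it separates entries that were cleaned from those that ended in "Error during cleaning" and so still need attention. The sample report is constructed, and treating a repeated path as a later scan pass is an assumption.

```python
import re
from collections import Counter
from dataclasses import dataclass
# Constructed sample in the same "path -> detection -> status" layout as the
# report above; the last sahagent line models a second pass that re-found it.
SAMPLE_REPORT = r"""
::Report Start
C:\temp\sahagent-cdt1004.exe -> Spyware.Sahat.m -> Cleaned with backup
C:\Documents and Settings\Steve\Cookies\steve@fastclick[1].txt -> Spyware.Tracking-Cookie -> Error during cleaning
C:\Download\Rars\Example.zip/tempdat/PLUGINS/B3D/BDEData2.dll -> Spyware.BrillianDigital -> Cleaned with backup
C:\temp\sahagent-cdt1004.exe -> Spyware.Sahat.m -> Error during cleaning
::Report End
"""

LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>\S+) -> (?P<status>.+)$")
# A "/" after an archive extension means the scanner looked inside the archive.
ARCHIVE_RE = re.compile(r"\.(zip|rar|rb0)/", re.IGNORECASE)
CLEAN = "Cleaned with backup"

@dataclass(frozen=True)
class Finding:
    path: str
    detection: str
    status: str
    in_archive: bool

def parse_report(text: str) -> list[Finding]:
    """Turn report lines into Finding records; ::Report markers and blanks are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            path = m["path"]
            findings.append(Finding(path, m["detection"], m["status"].strip(),
                                    bool(ARCHIVE_RE.search(path))))
    return findings

def summarize(findings: list[Finding]) -> Counter:
    """Count how many entries ended in each status."""
    return Counter(f.status for f in findings)

def unresolved(findings: list[Finding]) -> list[Finding]:
    """Paths whose latest status is not a successful clean. Assumes a later
    line for the same path comes from a later scan pass and supersedes it."""
    latest = {f.path: f for f in findings}
    return [f for f in latest.values() if f.status != CLEAN]

if __name__ == "__main__":
    found = parse_report(SAMPLE_REPORT)
    print(summarize(found), [f.path for f in unresolved(found)])
```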

#6 groovicus

groovicus

  • Security Colleague
  • 9,963 posts
  • Gender:Male
  • Location:Centerville, SD
  • Local time:02:24 AM

Posted 18 June 2005 - 09:01 AM

About:Buster removed the hijacked start-up page. It has to set it to something, so it sets it to a blank page. You will need to reset it in IE.

You can fix these lines with HJT:
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - Default URLSearchHook is missing

Other than that, you did a good job. Your log is clean. :thumbsup:

#7 ChaosIllusion00

ChaosIllusion00
  • Topic Starter

  • Members
  • 16 posts
  • Local time:03:24 AM

Posted 18 June 2005 - 04:55 PM

Yeah, I did that after I sent a reply to you, so all is well. Thanks a bunch. :thumbsup:
