winfixer and search42


32 replies to this topic

#1 pimfram


Posted 13 July 2005 - 12:27 AM

I have already tried the directions here.
Here's a fresh HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 12:25:51 AM, on 7/13/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\repair\wineula.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\..\{696A533F-37B9-4EE2-995B-114DB9758EDB}: NameServer = 205.188.146.145
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: wineula - C:\WINDOWS\repair\wineula.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

thanks for your time!

Edited by pimfram, 13 July 2005 - 11:27 PM.




#2 JG427


Posted 14 July 2005 - 11:49 PM

Hi pimfram.



You may have the Trojan.Vundo.

Download Symantec Trojan.Vundo Removal Tool 1.2.4
Save FixVundo.exe to a convenient location.
Close any programs that you may have open.
If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.

Double-click FixVundo.exe to start the Vundo removal tool.
Click "Start" to begin the removal process. Remember not to have any programs open.
It will scan your computer for signs of Vundo and remove them.
Restart your computer.
Run the tool again to make sure Vundo has been eliminated.
You can reconnect your computer to the network and/or full-time internet connection.
Restart your computer once more.

scan with hijackthis and post the new log.

#3 pimfram


Posted 15 July 2005 - 01:48 PM

Here's the fresh log.

Logfile of HijackThis v1.99.1
Scan saved at 1:46:39 PM, on 7/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\repair\wineula.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O17 - HKLM\System\CCS\Services\Tcpip\..\{696A533F-37B9-4EE2-995B-114DB9758EDB}: NameServer = 205.188.146.145
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: wineula - C:\WINDOWS\repair\wineula.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#4 JG427


Posted 15 July 2005 - 02:50 PM

It looks like the removal tool did not work.
We will need to remove the bad files manually.


Please download Process Explorer by Sysinternals from here.
Also download KillBox by Option^Explicit from here.
Unzip Pocket Killbox to your desktop.

Copy to notepad the following instructions.
You will need to close this browser window at the end of the hijackthis fix and you can copy/paste the bad file path from notepad to killbox.


Unzip Process Explorer and double click on procexp.exe
In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen.
Click on the Threads tab at the top.

Once you see this screen click on each instance of wineula.dll once and then click the kill button.
After you have killed all of the wineula.dll's under winlogon click ok.

Next, double click on explorer.exe and again click once on each instance of wineula.dll then click the kill button. Click on the Threads tab at the top.
Once you have done that click ok again. Exit from process explorer.

Scan with HijackThis and place a checkmark beside each of the following:

O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\repair\wineula.dll

O20 - Winlogon Notify: wineula - C:\WINDOWS\repair\wineula.dll

Close all browsers and open windows, except HijackThis, and click fix checked.
Exit from HijackThis.

Please copy the text from within the code box below and paste it into a blank notepad window.
Save it as vundo.reg and in the save as type box choose all files.

Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]

Double click on Killbox.exe and then choose the delete on reboot option.

Enter or copy from notepad and paste the following filepath into the Full path of file to delete box

C:\WINDOWS\repair\wineula.dll

Click the red circle with the white x and allow your computer to reboot.

After your computer has rebooted please run Hijackthis again and post a new HijackThis log.

#5 pimfram


Posted 15 July 2005 - 03:31 PM

Still no luck.

Logfile of HijackThis v1.99.1
Scan saved at 3:27:39 PM, on 7/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\repair\wineula.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: wineula - C:\WINDOWS\repair\wineula.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#6 JG427


Posted 15 July 2005 - 05:17 PM

Stubborn, isn't it!

When you ran the FixVundo tool, did it report finding vundo?
If it did, let's try booting into safemode and running it again.
Check in a new hijackthis log for the bad lines.
If they are still there continue with the manual fix, also in safemode.

Copy these instructions to notepad for use while in safemode.

Reboot into safemode
Restart the computer, and as soon as the BIOS has finished loading, begin tapping the F8 key.
Continue to do so until the Windows Advanced Options menu appears.
Using the arrow keys, scroll to and select Safemode, then press Enter.

Close any programs that you may have open.
If you are on a network or if you have a full-time connection to the Internet, disconnect the computer from the network and the Internet.

Double-click FixVundo.exe to start the Vundo removal tool.
Click "Start" to begin the removal process. Remember not to have any programs open.
It will scan your computer for signs of Vundo and remove them.
Restart your computer.
Run the tool again to make sure Vundo has been eliminated.
You can reconnect your computer to the network and/or full-time internet connection.


Continue with the manual fix if the bad lines remain in hijackthis.
Reboot back into safemode.

Open Process Explorer and double click on procexp.exe
In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen.
Click on the Threads tab at the top.

Once you see this screen click on each instance of wineula.dll once and then click the kill button.
After you have killed all of the wineula.dll's under winlogon click ok.

Next, double click on explorer.exe and again click once on each instance of wineula.dll then click the kill button. Click on the Threads tab at the top.
Once you have done that click ok again. Exit from process explorer.

Scan with HijackThis and place a checkmark beside each of the following:

O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\repair\wineula.dll

O20 - Winlogon Notify: wineula - C:\WINDOWS\repair\wineula.dll

Close all browsers and open windows, except HijackThis, and click fix checked.
Exit from HijackThis.

Please copy the text from within the code box below and paste it into a blank notepad window.
Save it as newvundo.reg and in the save as type box choose all files.

Once you have saved it double click it and allow it to merge with the registry.

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSEvents.MSEvents.1]


Double click on Killbox.exe and then choose the delete on reboot option.

Enter or copy from notepad and paste the following filepath into the Full path of file to delete box

C:\WINDOWS\repair\wineula.dll

Click the red circle with the white x and allow your computer to reboot.

After your computer has rebooted please run Hijackthis again and post a new HijackThis log.

#7 pimfram


Posted 23 July 2005 - 02:07 PM

I have already tried the above instructions about 5 times and the little guy still hangs around.

#8 JG427


Posted 23 July 2005 - 03:02 PM

I am working on a slightly different method to remove this hijacker.

If you would, please post a new hijackthis log, then we will give it another try.
Also, were you able to locate wineula.dll in process explorer?

To prepare for the fix, please download and install Advanced Process Manipulation from
DiamondCS.

#9 pimfram


Posted 23 July 2005 - 03:21 PM

Sorry, I forgot to post the log.
I think that the bolded item looks a little suspicious.

Logfile of HijackThis v1.99.1
Scan saved at 3:19:31 PM, on 7/23/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\repair\wineula.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://officeint.microsoft.com/officeupdat...ntent/opuc2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{696A533F-37B9-4EE2-995B-114DB9758EDB}: NameServer = 205.188.146.145
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: wineula - C:\WINDOWS\repair\wineula.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

#10 JG427


Posted 23 July 2005 - 05:39 PM

I think that the bolded item looks a little suspicious


It's the AOL server.
205.188.146.145 = [ nstot.proxy.aol.com ]
OrgName: America Online Inc
OrgID: AMERIC-59
Address: 22080 Pacific Blvd
City: Sterling
StateProv: VA


Copy the contents of the quote box below into notepad and save it directly to the root directory (C:) as vundoh.reg
Set File type to "All files" (the file should now be here: C:\vundoh.reg)

REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wineula]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_CLASSES_ROOT\CLSID\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]

[-HKEY_CLASSES_ROOT\CLSID\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents.1]

[-HKEY_CLASSES_ROOT\MSEvents.MSEvents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{44240BB5-BD7D-4D49-A1AA-8AB0F3D3CB44}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{B8B55274-0F9A-41E5-9067-A3539BD9E860}]
"Compatibility Flags"=dword:00000400


Copy the following instructions and paste into a notepad text to use while in safemode.

Now reboot into safemode:
Restart the computer, and as soon as the BIOS has finished loading, begin tapping the F8 key.
Continue to do so until the Windows Advanced Options menu appears.
Using the arrow keys, scroll to and select Safemode, then press Enter.

Open Process Explorer.
  • Scroll down in the main window and find winlogon.exe

  • Right click on winlogon.exe and select Suspend

  • Leave Process Explorer open.
Scan with HijackThis and place a checkmark beside each of the following:

O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\repair\wineula.dll

O20 - Winlogon Notify: wineula - C:\WINDOWS\repair\wineula.dll

Do NOT fix them yet


Now open Advanced Process Manipulation.
  • Scroll down in the main window and find c:\windows\explorer.exe

  • Click on the entry and that will display a list of files in the second window.

  • Scroll down the list in the second window and find C:\WINDOWS\repair\wineula.dll

  • Right click on that entry and select Unload DLL

  • You will now lose your Start Bar and Desktop Icons. This is normal.

  • Leave Advanced Process Manipulation open
Go back to Process Explorer window.
  • Click File > Run

  • In the run box type ( or copy and paste from your notepad instructions)
    regedit.exe /s C:\vundoh.reg
Back in Advanced Process Manipulation.
  • Scroll down in the main window and find c:\windows\system32\winlogon.exe

  • Click on the entry and that will display a list of files in the second window.

  • Scroll down the list in the second window and find C:\WINDOWS\repair\wineula.dll

  • Right click on that entry and select Unload DLL

  • You will have to click OK about six times
In HijackThis click Fix checked. You will be prompted you are about to remove a BHO. That's what you want.

Now back in Process Explorer.
  • Find winlogon.exe again.

  • Right click on winlogon.exe and select Resume

  • This should reboot your computer automatically.
After the reboot, copy the contents of the quote box below into notepad.
Save as and name it findtheother.bat
Change the save as type to all files

dir %Systemdrive%\alueniw.* /a h /s > files.txt
start notepad files.txt


Now, doubleclick findtheother.bat and allow it to run.

It will open a text file showing all files with that reverse name of the wineula.dll.
Post the contents of the text file in your next reply.

Scan with hijackthis and post a fresh log.
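The fix above turns on two observations that can be automated when reading a HijackThis log: a BHO (O2) or Winlogon Notify (O20) DLL loaded from a directory where no such DLL normally lives (here C:\WINDOWS\repair\), and the same DLL registered under both keys at once. The script below, an added example that is not part of this thread and not JG427's or Symantec's code, parses the O2/O20 lines, flags entries on those two grounds, and derives the reversed file stem (wineula -> alueniw) that the findtheother.bat step searches for. The "expected directories" list and the sample lines (copied from the logs posted in this thread) are the example's own assumptions.

```python
r"""Triage HijackThis O2/O20 entries for the pattern seen in this thread.

Added example, not code from the thread. Assumption: a BHO or Winlogon
Notify DLL is "expected" when it lives under System32 or Program Files;
anything else (for instance C:\WINDOWS\repair\) is flagged for review.
"""
import ntpath
import re

# Constructed sample: four lines copied from the logs posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\repair\wineula.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: wineula - C:\WINDOWS\repair\wineula.dll
"""

# Assumed "normal" locations, compared after lower-casing and turning
# backslashes into forward slashes.
EXPECTED_DIRS = ("c:/windows/system32/", "c:/program files/")

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")


def _norm(path):
    """Case-fold a Windows path and use forward slashes for comparison."""
    return path.strip().lower().replace("\\", "/")


def parse_entries(log_text):
    """Return the O2 and O20 entries of a HijackThis log as dicts."""
    entries = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            entries.append({"type": "O2", "name": m["name"],
                            "clsid": m["clsid"], "path": m["path"]})
            continue
        m = O20_RE.match(line)
        if m:
            entries.append({"type": "O20", "name": m["name"],
                            "clsid": None, "path": m["path"]})
    return entries


def is_unusual_path(path):
    """True when the DLL is loaded from outside the assumed normal directories."""
    return not any(_norm(path).startswith(d) for d in EXPECTED_DIRS)


def reversed_stem(path):
    """File stem spelled backwards: the companion-name trick from the thread."""
    stem = ntpath.splitext(ntpath.basename(path))[0]
    return stem[::-1]


def flag_suspects(entries):
    """Flag entries by location and by dual O2+O20 registration of one DLL."""
    types_by_dll = {}
    for e in entries:
        types_by_dll.setdefault(_norm(e["path"]), set()).add(e["type"])

    suspects = []
    for e in entries:
        reasons = []
        if is_unusual_path(e["path"]):
            reasons.append("DLL loaded from outside System32 / Program Files")
        if len(types_by_dll[_norm(e["path"])]) > 1:
            reasons.append("same DLL registered as both BHO (O2) and Winlogon Notify (O20)")
        if reasons:
            suspects.append({"entry": e, "reasons": reasons,
                             "companion_stem": reversed_stem(e["path"])})
    return suspects


def triage(log_text):
    """Parse a log and return the flagged entries."""
    return flag_suspects(parse_entries(log_text))


if __name__ == "__main__":
    for s in triage(SAMPLE_LOG):
        e = s["entry"]
        print(f"{e['type']} {e['name']} -> {e['path']}")
        for r in s["reasons"]:
            print(f"    reason: {r}")
        print(f"    also search for: {s['companion_stem']}.*")
```

Run against the sample, only the two wineula.dll entries are reported, each with both reasons, and the companion stem printed is alueniw, matching the dir pattern in findtheother.bat. The location heuristic is deliberately coarse: legitimate vendors do occasionally register helpers elsewhere, so a flag means "look at this entry", not "this is malware".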

#11 pimfram


Posted 24 July 2005 - 04:00 PM

When I try to suspend winlogon I keep getting "Unable to suspend the process: Access is denied".

#12 JG427


Posted 24 July 2005 - 05:01 PM

I'm not sure why you are getting access denied.
Can you confirm for me that you are booted into safemode at this point?
You are logged in with administrator rights?
If you're not sure, go to start > control panel > user accounts.
Your account should say computer administrator.


I would also request that you run the FixVundo tool again, in safemode.
I don't think it will be successful, but I need to see the log it produces.
Locate the FixVundo.log in the same folder as FixVundo.exe.
Copy the log and post it here.

#13 pimfram


Posted 24 July 2005 - 07:11 PM

Yes, I was in safe mode with administrator rights.

Symantec Trojan.Vundo Removal Tool 1.2.4

C:\Documents and Settings\All Users\Documents: (not scanned)
Trojan.Vundo has not been found on your computer.

#14 JG427


Posted 25 July 2005 - 01:55 PM

Let's try ewido, it has been successful in removing vundo in some cases.

Please download, install, and update the free version of ewido security suite:
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK.
Click on update in the left menu, then click the Start update button.
After the update finishes, exit from ewido as it should be run in safemode.

Reboot into safemode
Restart the computer, and as soon as the BIOS has finished loading, begin tapping the F8 key.
Continue to do so until the Windows Advanced Options menu appears.
Using the arrow keys, scroll to and select Safemode, then press Enter.

Open Ewido and click on the Scanner button in the left menu, then click on complete system scan.
When ewido finds something, it will pop up a notification.
Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on ok.
When the scan finishes, click on "Save Report".

Continue in safemode.
Scan with HijackThis and place a checkmark beside each of the following:

O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\repair\wineula.dll

O20 - Winlogon Notify: wineula - C:\WINDOWS\repair\wineula.dll

Close all browsers and open windows, except hijackthis, and click fix checked.
Exit from HijackThis.

Reboot into normal mode.
Scan with hijackthis and post the log.
Also post the report from ewido.

Edit: typo

Edited by JG427, 25 July 2005 - 01:56 PM.


#15 pimfram


Posted 25 July 2005 - 06:21 PM

Logfile of HijackThis v1.99.1
Scan saved at 6:19:31 PM, on 7/25/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\1XConfig.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\America Online 9.0a\waol.exe
C:\Program Files\America Online 9.0a\shellmon.exe
C:\Program Files\Common Files\Aol\aoltpspd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: MSEvents Object - {B8B55274-0F9A-41E5-9067-A3539BD9E860} - C:\WINDOWS\repair\wineula.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0a\aoltray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: E&xport to Microsoft Office Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {3E68E405-C6DE-49FF-83AE-41EE9F4C36CE} (Office Update Installation Engine) - http://officeint.microsoft.com/officeupdat...ntent/opuc2.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{696A533F-37B9-4EE2-995B-114DB9758EDB}: NameServer = 205.188.146.145
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\System32\LgNotify.dll
O20 - Winlogon Notify: wineula - C:\WINDOWS\repair\wineula.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 6:10:56 PM, 7/25/2005
+ Report-Checksum: E47DB82D

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{2AEEAC34-FD74-4142-B891-4B05C0C03C87} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} -> Spyware.MiniBug : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{D7B59209-0ED9-4986-BD4A-527BE836C6B2} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\EGCOMSERVICE2.EGComSvc2 -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\EGCOMSERVICE2.EGComSvc2\CLSID -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{F8ACA5A0-060A-478A-8368-1407780D2251} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{AD9B275B-E42D-4C7F-9FFB-29B5FB81688B} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Spyware.InternetOptimizer : Cleaned with backup
C:\Documents and Settings\Brandon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-3006fde7-771b474a.class -> Trojan.Byteverify : Cleaned with backup
C:\Documents and Settings\Brandon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-51d3f209-3b4c5285.class -> Trojan.Byteverify : Cleaned with backup
C:\Documents and Settings\Brandon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-531c338a-6241ccbf.class -> Trojan.Byteverify : Cleaned with backup
C:\Documents and Settings\Brandon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Gummy.class-7e60c2e9-2b1bbd5d.class -> Trojan.Java.Femad : Cleaned with backup
C:\Documents and Settings\Brandon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Gummy.class-da569aa-3022acbd.class -> Trojan.Java.Femad : Cleaned with backup
C:\Documents and Settings\Brandon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Gummy.class-e02b4b-646db420.class -> Trojan.Java.Femad : Cleaned with backup
C:\Documents and Settings\Brandon\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\SecurityClassLoader.class-6fd9f626-5bdb643f.class -> TrojanDownloader.Small.wv : Cleaned with backup
C:\Documents and Settings\Brandon\Cookies\brandon@2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Brandon\Cookies\brandon@ad.yieldmanager[1].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Brandon\Cookies\brandon@ad1.clickhype[1].txt -> Spyware.Cookie.Clickhype : Cleaned with backup
C:\Documents and Settings\Brandon\Cookies\brandon@adopt.specificclick[2].txt -> Spyware.Cookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Brandon\Cookies\brandon@burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Brandon\Cookies\brandon@cz3.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Brandon\Cookies\brandon@cz7.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Brandon\Cookies\brandon@cz8.clickzs[2].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Brandon\Cookies\brandon@image.masterstats[1].txt -> Spyware.Cookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Brandon\Cookies\brandon@ivwbox[1].txt -> Spyware.Cookie.Ivwbox : Cleaned with backup
C:\Documents and Settings\Brandon\Cookies\brandon@paycounter[1].txt -> Spyware.Cookie.Paycounter : Cleaned with backup
C:\Documents and Settings\Brandon\Cookies\brandon@paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Brandon\Cookies\brandon@sales.liveperson[1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Brandon\Cookies\brandon@www.burstnet[1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\I386\bbchk.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\hijackthis\backups\backup-20050508-163406-309.dll -> Trojan.Agent.cs : Cleaned with backup
C:\Program Files\hijackthis\backups\backup-20050512-123553-801.dll -> Trojan.Agent.cs : Cleaned with backup
C:\Program Files\hijackthis\backups\backup-20050512-125112-943.dll -> Trojan.Agent.cs : Cleaned with backup
C:\Program Files\hijackthis\backups\backup-20050512-125613-132.dll -> Trojan.Agent.cs : Cleaned with backup
C:\Program Files\hijackthis\backups\backup-20050512-125630-951.dll -> Trojan.Agent.cs : Cleaned with backup
C:\Program Files\hijackthis\backups\backup-20050604-154513-908.dll -> Trojan.Agent.cs : Cleaned with backup
C:\Program Files\hijackthis\backups\backup-20050712-163348-596.dll -> Trojan.Agent.cs : Cleaned with backup
C:\Program Files\hijackthis\backups\backup-20050712-231932-283.dll -> Trojan.Agent.cs : Cleaned with backup
C:\Program Files\hijackthis\backups\backup-20050712-232403-310.dll -> Trojan.Agent.cs : Cleaned with backup
C:\Program Files\hijackthis\backups\backup-20050715-152300-381.dll -> Trojan.Agent.cs : Cleaned with backup
C:\Program Files\hijackthis\backups\backup-20050723-145741-216.dll -> Trojan.Agent.cs : Cleaned with backup
C:\Program Files\hijackthis\backups\backup-20050723-150902-465.dll -> Trojan.Agent.cs : Cleaned with backup
C:\Program Files\hijackthis\backups\backup-20050724-155829-549.dll -> Trojan.Agent.cs : Cleaned with backup
C:\Program Files\hijackthis\backups\backup-20050724-175737-249.dll -> Trojan.Agent.cs : Cleaned with backup
C:\Program Files\hijackthis\backups\backup-20050724-180114-133.dll -> Trojan.Agent.cs : Cleaned with backup
C:\Program Files\hijackthis\backups\backup-20050725-172207-621.dll -> Trojan.Agent.cs : Cleaned with backup
C:\Program Files\hijackthis\backups\backup-20050725-172250-805.dll -> Trojan.Agent.cs : Cleaned with backup
C:\Program Files\LeapFTP\LeapFTP.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP215\A0032070.dll -> Trojan.Agent.cs : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP219\A0033159.dll -> Trojan.Agent.cs : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP220\A0034180.dll -> Trojan.Agent.cs : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP220\A0034232.dll -> Trojan.Agent.cs : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP220\A0034233.dll -> Trojan.Agent.cs : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP226\A0036457.dll -> Trojan.Agent.cs : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP229\A0036514.dll -> Trojan.Agent.cs : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP230\A0039982.dll -> Trojan.Agent.cs : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP231\A0040015.dll -> TrojanDropper.Small.wn : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP231\A0040020.exe -> TrojanSpy.Delf.af : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\YSBactivex.dll -> TrojanDownloader.IstBar.gp : Cleaned with backup
C:\WINDOWS\ExeDialer.exe -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\Fonts\ftpc.dll -> Trojan.Agent.cs : Cleaned with backup
C:\WINDOWS\Help\SBSI\dosras.dll -> Trojan.Agent.cs : Cleaned with backup
C:\WINDOWS\inetkw.exe -> Spyware.CommonName.d : Cleaned with backup
C:\WINDOWS\Programmi PC.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\WINDOWS\REPAIR\doshard.dll -> Trojan.Agent.cs : Cleaned with backup
C:\WINDOWS\REPAIR\wineula.dll -> Trojan.Agent.cs : Cleaned with backup
C:\WINDOWS\SYSTEM\dosnet.dll -> Trojan.Agent.cs : Cleaned with backup
C:\WINDOWS\SYSTEM32\EGAUTH.dll -> Trojan.P2E.al : Cleaned with backup
C:\WINDOWS\SYSTEM32\EGCOMSERVICE2.dll -> Dialer.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\in10b6s.dll -> TrojanDropper.Mudrop.m : Cleaned with backup
C:\WINDOWS\SYSTEM32\k404SearchSetup_MS28.exe -> Spyware.404Search : Cleaned with backup
C:\WINDOWS\SYSTEM32\osmim.dll -> Spyware.MarketScore : Cleaned with backup


::Report End



