Help Me


16 replies to this topic

#1 Jmarten

  • Members
  • 12 posts

Posted 22 February 2006 - 05:02 PM

Hello. Monday I did my usual cleanup routine: Disk Cleanup, Ad-Aware, Spybot, Disk Defrag. Then the next day all of a sudden I was getting all these popups. And today when I turned my computer on, all of a sudden I had this thing called SpyFalcon, my home page has been hijacked, and there are other new icons on my desktop that were not there when I turned my computer off. Here is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 4:02:21 PM, on 2/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\Program Files\SpyFalcon\spyfalcon.exe
C:\Program Files\SpyFalcon\spyfalcon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jill\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O1 - Hosts: 64.237.37.47 auto.search.msn.com
O1 - Hosts: 64.237.37.47 auto.search.msn.com
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp61FC.tmp
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {159C2E51-9823-11D2-8DDC-D84A1B4ACD4D} - (no file)
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZSYYYYYYCSUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} - http://zone.msn.com/bingame/pacz/default/pandaonline.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122474718796
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/...gr.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_B...on.cab40641.cab
O20 - Winlogon Notify: winbmf32 - C:\WINDOWS\SYSTEM32\winbmf32.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Please HELP ME!!!!

#2 didom

  • Members
  • 1,389 posts
  • Gender:Male

Posted 23 February 2006 - 03:27 PM

CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "winbmf32.dll"
  • Put a link to this topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:
    • C:\WINDOWS\SYSTEM32\winbmf32.dll
  • Click Open.
  • Click Post.
Thank you!

------------------------

Download smitRem.exe ©noahdfear, and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

Place a shortcut to Panda ActiveScan on your desktop (in Internet Explorer, right click on Panda ActiveScan link select "Copy Shortcut" then right click on your desktop and select "Paste Shortcut" or in FireFox right-click the link and select "Save Link As" and save it to your desktop).

Please download the trial version of ewido anti-malware here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

Download FixSF.reg to your desktop by right clicking on the following link and then selecting Save Link As or Save File as, depending on your browser. Now double click on the FixSF.reg file. When it asks if you would like to merge the information, press the Yes button and then the OK button.

Download CWShredder.

Start Cwshredder and click FIX

Scan again with HijackThis and check the following items:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
O1 - Hosts: 64.237.37.47 auto.search.msn.com
O1 - Hosts: 64.237.37.47 auto.search.msn.com
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp61FC.tmp
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O3 - Toolbar: (no name) - {159C2E51-9823-11D2-8DDC-D84A1B4ACD4D} - (no file)

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Go to Add/Remove Programs in your Control Panel and uninstall (if there):

SpyFalcon

***if the computer asks for you to let it reboot DO NOT allow it.

Navigate to the following files/folders and delete these (if there):
C:\Windows\System32\dxmpp.dll
C:\Program Files\SpyFalcon

Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Now open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • While the scan is in progress you will be prompted to clean files, click OK
  • When it asks if you want to clean the first file, put a check in the lower left corner of the box that says "Perform action on all infections" then choose clean and click OK.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Close ewido anti-malware.

Next go to Control Panel click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

Reboot back into Windows and click the Panda ActiveScan shortcut.
  • Once you are on the Panda site click the Scan your PC button.
  • A new window will open...click the Check Now button.
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When the download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report, along with a new HijackThis Log, the contents of smitfiles.txt and the Ewido Log by using Add Reply.
Let us know if any problems persist.

Edited by didom, 23 February 2006 - 03:28 PM.
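The entries the helper asks to have fixed above (search and start pages reset to about:blank, the hosts-file redirect of auto.search.msn.com, a BHO loaded from a .tmp file, orphaned toolbars, the Winlogon Notify DLL) are exactly the kind of indicators a small rule-based triage can pull out of a HijackThis log before a human reviews it. The script below is an added example, not code from this thread or from HijackThis; the sample lines are copied from the log posted above, and the rules, severities and the loopback allowlist are my own assumptions, not a published signature set.

```python
"""Rule-based triage of HijackThis log lines (added example, not from the thread)."""
import re

# Constructed sample: a subset of the HijackThis lines posted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
O1 - Hosts: 64.237.37.47 auto.search.msn.com
O1 - Hosts: 64.237.37.47 auto.search.msn.com
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hp61FC.tmp
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: winbmf32 - C:\WINDOWS\SYSTEM32\winbmf32.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

# Hosts entries pointing at these addresses are ordinary sinkholing/blocking, not redirects
# (assumed allowlist for this example).
LOOPBACK = {"127.0.0.1", "0.0.0.0", "::1"}

SECTION_RE = re.compile(r"^(R[0-3]|O\d+) - (.*)$")


def triage_line(line):
    """Return (severity, reason) for one HijackThis line, or None if no rule fires."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2).strip()

    # R0/R1: IE search/start pages forced to about:blank is the classic search hijack.
    if section in ("R0", "R1") and body.endswith("= about:blank"):
        return ("medium", "IE search/start page reset to about:blank (search hijack)")

    # O1: a hosts entry that sends a real hostname to a non-loopback address is a redirect.
    if section == "O1":
        hm = re.match(r"Hosts:\s+(\S+)\s+(\S+)", body)
        if hm and hm.group(1) not in LOOPBACK:
            return ("high", f"hosts file redirects {hm.group(2)} to {hm.group(1)}")

    # O2: browser helper objects are DLLs; a .tmp file name is not how legitimate ones ship.
    if section == "O2" and body.lower().endswith(".tmp"):
        return ("high", "browser helper object loaded from a .tmp file")

    # O3: a toolbar CLSID whose file is gone is leftover registration; low risk, still worth removing.
    if section == "O3" and body.endswith("(no file)"):
        return ("low", "orphaned toolbar entry (no file)")

    # O20: Winlogon Notify DLLs load into winlogon.exe at logon, a strong persistence point.
    if section == "O20":
        return ("high", "Winlogon Notify DLL loads at logon; review before trusting")

    return None


def triage_log(text):
    """Run triage over a whole log, collapsing duplicate lines and counting them."""
    findings = {}
    for raw in text.splitlines():
        verdict = triage_line(raw)
        if verdict is None:
            continue
        key = raw.strip()
        if key in findings:
            findings[key]["count"] += 1
        else:
            findings[key] = {"severity": verdict[0], "reason": verdict[1], "count": 1}
    return findings


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "low": 2}
    for line, info in sorted(triage_log(SAMPLE_LOG).items(), key=lambda kv: order[kv[1]["severity"]]):
        dup = f" (x{info['count']})" if info["count"] > 1 else ""
        print(f"[{info['severity']:6}] {info['reason']}{dup}\n         {line}")
```

The duplicate O1 line is deliberately kept and counted rather than dropped: the log shows the hosts file itself contains the entry twice, which a fix that removes only the first occurrence would miss.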


#3 Jmarten

  • Topic Starter
  • Members
  • 12 posts

Posted 23 February 2006 - 05:49 PM

Hello, thanks for the help. It is all working well. What was the first part of the post?

Please go here:
The Spy Killer Forum
Click on "New Topic"
Put your name, e-mail address, and this as the title: "winbmf32.dll"
Put a link to this topic in the description box.
Then next to the file box, at the bottom, click the browse button, then navigate to this file:
C:\WINDOWS\SYSTEM32\winbmf32.dll
Click Open.
Click Post.


Here are my logs. Let me know if there is anything else to do. Thanks so much. I really appreciate it.

PANDA ACTIVE SCAN

Incident Status Location

Potentially unwanted tool:application/funweb Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf
Adware:adware/videoc Not disinfected C:\WINDOWS\videoc.ocx
Adware:adware/mediatickets Not disinfected Windows Registry
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Jill\Cookies\jill@adopt.hbmediapro[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Jill\Cookies\jill@adultfriendfinder[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jill\Cookies\jill@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jill\Cookies\jill@dist.belnk[2].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Jill\Cookies\jill@webpower[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Jill\Cookies\jill@xiti[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Jill\Cookies\jill@adopt.hbmediapro[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Jill\Cookies\jill@adultfriendfinder[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jill\Cookies\jill@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Jill\Cookies\jill@dist.belnk[2].txt
Spyware:Cookie/WebPower Not disinfected C:\Documents and Settings\Jill\Cookies\jill@webpower[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Jill\Cookies\jill@xiti[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jill\Desktop\Cleanup stuff\smitRem\Process.exe
Potentially unwanted tool:Application/FunWeb Not disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf

SMITREM

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Thu 02/23/2006
The current time is: 15:16:38.90

Running from
C:\Documents and Settings\Jill\Desktop\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url
Security Troubleshooting.url


~~~ Favorites ~~~

Antivirus Test Online.url


~~~ system32 folder ~~~

1024 dir
msvol.tlb
ld****.tmp
mssearchnet.exe
ncompat.tlb
nvctrl.exe
hp***.tmp


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 732 'explorer.exe'
Killing PID 732 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :

EWIDO
---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:00:28 PM, 2/23/2006
+ Report-Checksum: BC290E9A

+ Scan result:

HKU\S-1-5-21-1960408961-1935655697-725345543-1004\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4DA4616D-7E6E-4FD9-A2D5-B6C535733E22} -> Adware.Generic : Cleaned with backup
[208] C:\WINDOWS\system32\winbmf32.dll -> Hijacker.Small.kb : Cleaned with backup
C:\Documents and Settings\Jill\Cookies\jill@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Jill\Cookies\jill@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Jill\Cookies\jill@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\Jill\Cookies\jill@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\Documents and Settings\Jill\Cookies\jill@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Jill\Cookies\jill@cz7.clickzs[2].txt -> TrackingCookie.Clickzs : Cleaned with backup
C:\Documents and Settings\Jill\Cookies\jill@hypertracker[1].txt -> TrackingCookie.Hypertracker : Cleaned with backup
C:\Documents and Settings\Jill\Cookies\jill@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Jill\Cookies\jill@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jill\Cookies\jill@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Jill\Cookies\jill@paypopup[1].txt -> TrackingCookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Jill\Cookies\jill@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\Jill\Cookies\jill@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Jill\Cookies\jill@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup
C:\WINDOWS\system32\winbmf32.dll -> Hijacker.Small.kb : Cleaned with backup
C:\WINDOWS\winres.dll -> Downloader.IstBar.eq : Cleaned with backup


::Report E

HIJACK THIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 4:41:04 PM, on 2/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jill\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} - http://zone.msn.com/bingame/pacz/default/pandaonline.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122474718796
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/...gr.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_B...on.cab40641.cab
O20 - Winlogon Notify: winbmf32 - winbmf32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4 didom

  • Members
  • 1,389 posts
  • Gender:Male

Posted 23 February 2006 - 06:40 PM

what was the first part of the post.

I needed that file for analysis.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Scan again with HijackThis and check the following items:
O20 - Winlogon Notify: winbmf32 - winbmf32.dll (file missing)
After checking these items, close all browser windows except HijackThis and click "Fix checked".

Step #2

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Step #3

Reboot Your System in Safe Mode:
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.
Step #4

Find and delete these files and folders (if they are still there):
C:\WINDOWS\videoc.ocx <= this file
C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf <= this file



Reboot your computer normally.

Step #5

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Start HijackThis, perform a new scan and save the log file.

Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

#5 Jmarten

  • Topic Starter
  • Members
  • 12 posts

Posted 28 February 2006 - 05:35 PM

I need HELP FAST. I was doing some cleanup work and then the Panda ActiveScan, and all of a sudden my computer restarted. When I tried to get it going again, Windows started but errors were popping up, something like ruocmm and a Visual runtime error. When I finally got the error boxes closed it was just a blank screen, just my desktop background: no taskbar, no icons, no nothing. I can get into Safe Mode with Networking under Administrator, but when I do it under my name it is again a blank screen and nothing will load up. When I try to restart it says it is having a problem closing explorer.exe. I don't know what to do. This is all of a sudden after some new spyware and things showed up. I tried System Restore and that didn't work either. Please Help

#6 didom

  • Members
  • 1,389 posts
  • Gender:Male

Posted 01 March 2006 - 10:29 AM

Please boot in Safe Mode with networking and do this:

Please download OldTimer's Winpfind from here:
http://www.bleepingcomputer.com/files/winpfind.php
Unzip it to the desktop and run Winpfind.exe.

Once the scan is finished, please CLOSE the Notepad window that pops up. Then please post the entire contents of the logfile winpfind.txt here for me.

Please don't do anything else because you don't have any protection enabled while in Safe Mode!

#7 Jmarten

  • Topic Starter
  • Members
  • 12 posts

Posted 01 March 2006 - 05:36 PM

Well, I did get that problem fixed. I can log on to my computer just fine now. I went into Safe Mode and created a new user account. Then I went under Administrator, copied what I needed to keep onto the new user account, and deleted the old one. But I am still having a problem with the popups. Here is a HijackThis log and a Panda scan log. How do you get rid of the things that show up on there? I ran HijackThis, CWShredder, and FixSF, then I went into Safe Mode and ran smitRem, Ad-Aware, Spybot, then ewido. I then got out of Safe Mode and did a Panda scan. Here are my logs. I'm still getting popups.

HIJACK THIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 3:14:36 PM, on 3/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SmlsbCBNYXJ0ZW4\command.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\WINDOWS\win3207792772243.exe
C:\winsysban12.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jilly\Desktop\Cleanup stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.symantec.com/techsupp/servlet/P...&build=Symantec
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [win3207792772243] C:\WINDOWS\win3207792772243.exe
O4 - HKLM\..\Run: [winsysban] C:\\winsysban12.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} - http://zone.msn.com/bingame/pacz/default/pandaonline.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122474718796
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/...gr.cab31267.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_B...on.cab40641.cab
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\q4nule591h.dll
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\n4r20e9oeh.dll
O20 - Winlogon Notify: Shell Extensions - C:\WINDOWS\system32\daquery.dll
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\o6pqlg7516.dll
O20 - Winlogon Notify: winbmf32 - winbmf32.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmlsbCBNYXJ0ZW4\command.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

SMITREM

smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Wed 03/01/2006
The current time is: 15:23:36.48

Running from
C:\Documents and Settings\Jilly\Desktop\Cleanup stuff\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

atmtd.dll
atmtd.dll._


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 Craig.Peacock@beyondlogic.org
Killing PID 1640 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\system32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :thumbsup:

EWIDO

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:07:48 PM, 3/1/2006
+ Report-Checksum: 54B510A5

+ Scan result:

[1380] C:\WINDOWS\system32\guard.tmp -> Adware.Look2Me : Error during cleaning
[1396] C:\WINDOWS\system32\guard.tmp -> Adware.Look2Me : Error during cleaning
C:\Documents and Settings\Administrator\Cookies\administrator@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Jilly\Cookies\jilly@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Jilly\Cookies\jilly@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Jilly\Cookies\jilly@ads.realcastmedia[1].txt -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\Documents and Settings\Jilly\Cookies\jilly@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Jilly\Cookies\jilly@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Jilly\Local Settings\Temp\Cookies\jilly@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\RECYCLER\NPROTECT\00006009.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006010.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006011.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006012.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006014.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006015.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006016.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006017.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006018.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006019.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006020.TXT -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00006021.TXT -> TrackingCookie.Realcastmedia : Cleaned with backup
C:\RECYCLER\NPROTECT\00006022.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006023.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006024.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006025.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006026.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006027.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006028.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006029.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006030.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006031.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006032.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006033.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006034.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006035.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006036.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006039.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006040.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006041.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006042.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006046.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006047.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006048.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006049.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006050.TXT -> TrackingCookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\00006051.TXT -> TrackingCookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\00006052.TXT -> TrackingCookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\00006053.TXT -> TrackingCookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\00006056.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00006057.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00006058.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00006059.TXT -> TrackingCookie.Tacoda : Cleaned with backup
C:\RECYCLER\NPROTECT\00006061.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006062.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006063.TXT -> TrackingCookie.Revenue : Cleaned with backup
C:\RECYCLER\NPROTECT\00006064.TXT -> TrackingCookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\00006065.TXT -> TrackingCookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\00006066.TXT -> TrackingCookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\00006067.TXT -> TrackingCookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\00006068.TXT -> TrackingCookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\00006072.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006073.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006074.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006075.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006077.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006078.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006079.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006080.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006081.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006082.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006083.TXT -> TrackingCookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\00006084.TXT -> TrackingCookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\00006085.TXT -> TrackingCookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\00006086.TXT -> TrackingCookie.Trafficmp : Cleaned with backup
C:\RECYCLER\NPROTECT\00006087.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006088.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006089.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006090.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006091.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006092.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006093.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006094.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006095.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006096.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006097.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006098.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006100.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006101.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006103.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006104.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006105.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006106.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006109.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006110.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006111.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006112.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006113.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006114.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006115.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\RECYCLER\NPROTECT\00006116.TXT -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP0\A0000005.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000084.EXE/whAgent.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000086.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000108.dll -> Adware.PurityScan : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000112.EXE -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000113.EXE -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000115.exe -> Adware.Suggestor : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000127.exe -> Backdoor.Rbot : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000130.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000134.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000135.dll -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000136.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000137.dll -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000138.EXE -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000140.EXE -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000141.DLL -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000142.exe -> Backdoor.Rbot : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000143.EXE/whAgent.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000145.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000204.DLL -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000205.dll -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000206.DLL -> Adware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000207.exe -> Backdoor.Rbot : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000213.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000217.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000218.dll -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000219.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000220.dll -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000221.EXE -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000223.EXE -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000228.EXE -> Hijacker.VB.li : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000229.exe -> Trojan.VB.tg : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000230.exe -> Adware.ZenoSearch : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000231.exe -> Downloader.Dyfuca.ei : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000232.EXE -> Downloader.Agent.afi : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000233.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000234.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000235.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000236.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000237.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000238.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000239.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000240.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000241.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000242.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000243.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000244.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000245.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000246.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000247.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000248.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000249.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000250.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000251.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000252.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000253.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000254.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000255.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000256.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000257.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000258.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000259.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000260.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000261.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000262.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000263.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000264.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000265.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000266.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000267.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000268.EXE -> Dropper.VB.lu : Cleaned with backup
C:\System Volume Information\_restore{881F9D4A-E3A6-44EA-88ED-DD399E31A80E}\RP1\A0000269.EXE -> Dropper.VB.lu : Cleaned with backup

#8 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:38 AM

Posted 01 March 2006 - 05:49 PM

Before cleaning I would love to have a certain file from you:

CLICK THIS LINK TO BE SURE YOU CAN VIEW HIDDEN FILES

Please go here:
The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "win3207792772243.exe"
  • Put a link to this topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:
    • C:\WINDOWS\win3207792772243.exe
  • Click Open.
  • Click Post.
Thank you!

Post back after you have done that!

Edited by didom, 01 March 2006 - 05:50 PM.


#9 Jmarten

Jmarten
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:38 PM

Posted 01 March 2006 - 09:56 PM

Okay, I have done that. I had to do it twice because the 1st one timed out and then posted without the file. Please tell me what to do next.

Edited by Jmarten, 01 March 2006 - 10:02 PM.


#10 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:38 AM

Posted 02 March 2006 - 09:57 AM

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Step #1

Click Start > Run, type in CMD and tap Enter. Type the following into the command prompt:

sc stop cmdService

Hit 'enter' and type the following:

sc delete cmdService

At the command prompt: type exit.

Make sure all hidden files and folders are visible (Instructions )

Navigate to:
C:\WINDOWS\SmlsbCBNYXJ0ZW4 <-- delete this folder if listed.

Step #2

Please download and unzip BFUzip from http://computercops.biz/zx/Merijn/bfu.zip
Run the program and click the Web button as shown here:
Posted Image

Use this URL to copy into the address bar of the Download script window:
http://metallica.geekstogo.com/alcanshorty.bfu

Execute the script by clicking the Execute button.
Note that you should see a progress bar while the script is being executed.

If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html


Step #3

Scan again with HijackThis and check the following items:
O4 - HKLM\..\Run: [win3207792772243] C:\WINDOWS\win3207792772243.exe
O4 - HKLM\..\RunServices: [csr] csrrs.exe

O20 - Winlogon Notify: winbmf32 - winbmf32.dll (file missing)

O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SmlsbCBNYXJ0ZW4\command.exe

After checking these items, close all browser windows except HijackThis and click "Fix checked".

Step #4

We need to make sure all hidden files are showing so please:
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.

Step #5

Reboot Your System in Safe Mode:
  • Restart the computer.
  • As soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
  • Use the arrow keys to select the Safe Mode menu item.
  • Press the Enter key.

Step #6

Find and delete these files and folders (if they are still there):
C:\WINDOWS\win3207792772243.exe <= this file


Reboot your computer normally.

Step #7

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Start HijackThis, perform a new scan and save the log file.

Use the Add Reply button to post your new logs back here along with details of any problems you encountered performing the above steps and I will review it when it comes in.

#11 Jmarten

Jmarten
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:38 PM

Posted 02 March 2006 - 02:35 PM

Hello. Well, I was starting the first step, the cmd thing, and when I went to type sc stop cmdService it came back with "the specified service does not exist as an installed service" ????????

#12 didom

didom

  • Members
  • 1,389 posts
  • OFFLINE
  • Gender:Male
  • Local time:03:38 AM

Posted 02 March 2006 - 03:06 PM

Then skip step 1 and only do this:

Make sure all hidden files and folders are visible (Instructions )

Navigate to:
C:\WINDOWS\SmlsbCBNYXJ0ZW4 <-- delete this folder if listed.

---------

Then go further with the next steps!

#13 Jmarten

Jmarten
  • Topic Starter

  • Members
  • 12 posts
  • OFFLINE
  • Local time:08:38 PM

Posted 02 March 2006 - 05:59 PM

Hello, I did the above steps with no problems, but I am still getting a lot of adware popups. One that pops up a lot is casino stuff, and then there is the WinAntiVirus Pro thing, among others. Here are my HijackThis logs and the log that Panda ActiveScan found. How do you get rid of the stuff it finds?

Logfile of HijackThis v1.99.1
Scan saved at 4:56:53 PM, on 3/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Jilly\Desktop\Cleanup stuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.symantec.com/techsupp/servlet/P...&build=Symantec
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\Sound Blaster Live! 24-bit\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab40641.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/LSSupCtl.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {3DA5D23B-EFE1-4181-ADB7-7D457567AACA} - http://zone.msn.com/bingame/pacz/default/pandaonline.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1122474718796
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://cdn2.zone.msn.com/binframework/v10/...gr.cab31267.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/as...rl/SymAData.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/apop/default/popcaploader_v6.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (ZPA_Backgammon Object) - http://zone.msn.com/bingame/zpagames/ZPA_B...on.cab40641.cab
O20 - Winlogon Notify: Hints - C:\WINDOWS\system32\i2jq0c15ef.dll
O20 - Winlogon Notify: IPConfTSP - C:\WINDOWS\system32\q4nule591h.dll
O20 - Winlogon Notify: Nls - C:\WINDOWS\system32\n4r20e9oeh.dll
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\o6pqlg7516.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\GHOSTS~2.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Panda Active Scan

Incident Status Location

Potentially unwanted tool:application/funweb Not disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf
Adware:adware/adurl Not disinfected C:\WINDOWS\icont.exe
Adware:adware/mediatickets Not disinfected Windows Registry
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Jilly\Desktop\Cleanup stuff\smitRem\Process.exe
Adware:Adware/BroadcastPC Not disinfected C:\DR21206.exe
Virus:Trj/Downloader.CKQ Not disinfected C:\gimmygames12.exe
Potentially unwanted tool:Application/FunWeb Not disinfected C:\WINDOWS\Downloaded Program Files\f3initialsetup1.0.0.15.inf
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\iconu.exe
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\dnp2017oe.dll
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\wrnntbbu.dll
Spyware:Cookie/24/7 Realmedia Not disinfected C:\WINDOWS\temp\Cookies\jilly@247realmedia[1].txt
Spyware:Cookie/888 Not disinfected C:\WINDOWS\temp\Cookies\jilly@888[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\WINDOWS\temp\Cookies\jilly@ad.yieldmanager[2].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\WINDOWS\temp\Cookies\jilly@adopt.hbmediapro[2].txt
Spyware:Cookie/Falkag Not disinfected C:\WINDOWS\temp\Cookies\jilly@as-eu.falkag[1].txt
Spyware:Cookie/Falkag Not disinfected C:\WINDOWS\temp\Cookies\jilly@as-us.falkag[2].txt
Spyware:Cookie/Bluestreak Not disinfected C:\WINDOWS\temp\Cookies\jilly@bluestreak[1].txt
Spyware:Cookie/Zedo Not disinfected C:\WINDOWS\temp\Cookies\jilly@c5.zedo[1].txt
Spyware:Cookie/Cassava Not disinfected C:\WINDOWS\temp\Cookies\jilly@cassava[1].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\WINDOWS\temp\Cookies\jilly@entrepreneur[1].txt
Spyware:Cookie/Maxserving Not disinfected C:\WINDOWS\temp\Cookies\jilly@maxserving[2].txt
Spyware:Cookie/Overture Not disinfected C:\WINDOWS\temp\Cookies\jilly@perf.overture[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\WINDOWS\temp\Cookies\jilly@realmedia[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\WINDOWS\temp\Cookies\jilly@stats1.reliablestats[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\WINDOWS\temp\Cookies\jilly@trafficmp[2].txt
Spyware:Cookie/Adserver Not disinfected C:\WINDOWS\temp\Cookies\jilly@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\WINDOWS\temp\Cookies\jilly@zedo[2].txt
Adware:Adware/XPlugin Not disinfected C:\winsysupd12.exe
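An added example, not part of this thread and not code from HijackThis, Panda or any tool named here: a small Python script that parses the O20 (Winlogon Notify) line and the Panda "Not disinfected" lines from the log above into records, flags Notify entries that are not part of a stock Windows XP install or that carry a random-looking DLL name (both checks are assumptions stated in the code, meant as triage hints rather than verdicts), and separates the file-path hits from registry-only hits and tracking cookies. The sample lines are constructed from the post above.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Constructed samples modelled on the lines in the post above (HijackThis and Panda output).
HJT_SAMPLE = r"""
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\o6pqlg7516.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

PANDA_SAMPLE = r"""
Adware:adware/adurl Not disinfected C:\WINDOWS\icont.exe
Adware:adware/mediatickets Not disinfected Windows Registry
Virus:Trj/Downloader.CKQ Not disinfected C:\gimmygames12.exe
Adware:Adware/Look2Me Not disinfected C:\WINDOWS\system32\dnp2017oe.dll
Spyware:Cookie/24/7 Realmedia Not disinfected C:\WINDOWS\temp\Cookies\jilly@247realmedia[1].txt
Spyware:Cookie/Zedo Not disinfected C:\WINDOWS\temp\Cookies\jilly@zedo[2].txt
"""


@dataclass
class Detection:
    category: str   # e.g. "Adware", "Spyware", "Virus"
    name: str       # e.g. "Adware/Look2Me" (may contain spaces)
    location: str   # file path, or "Windows Registry"


@dataclass
class NotifyEntry:
    name: str       # Winlogon Notify subkey name as HijackThis prints it
    path: str       # DLL that winlogon.exe loads for that subkey


PANDA_RE = re.compile(r"^(?P<category>[^:]+):(?P<name>.+?) Not disinfected (?P<location>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+)$")


def parse_panda(text: str) -> List[Detection]:
    """Turn Panda 'Incident Status Location' lines into records."""
    out = []
    for line in text.splitlines():
        m = PANDA_RE.match(line.strip())
        if m:
            out.append(Detection(m["category"], m["name"], m["location"]))
    return out


def parse_o20(text: str) -> List[NotifyEntry]:
    """Pick the O20 Winlogon Notify lines out of a HijackThis log."""
    out = []
    for line in text.splitlines():
        m = O20_RE.match(line.strip())
        if m:
            out.append(NotifyEntry(m["name"], m["path"]))
    return out


# Assumption: Winlogon Notify subkeys present on a stock Windows XP install.
# OEM and AV vendors add their own, so a miss here is a hint to look closer,
# not proof of infection.
XP_BASELINE_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}


def looks_random(path: str) -> bool:
    """Rough heuristic (an assumption, not a rule) for machine-generated names:
    a file stem of 8+ characters with 3+ digits or almost no vowels."""
    stem = path.replace("\\", "/").rsplit("/", 1)[-1].rsplit(".", 1)[0]
    if len(stem) < 8:
        return False
    digits = sum(c.isdigit() for c in stem)
    vowels = sum(c in "aeiou" for c in stem.lower())
    return digits >= 3 or vowels / len(stem) < 0.2


def suspicious_notify(entries: List[NotifyEntry]) -> List[Tuple[NotifyEntry, str]]:
    """Return (entry, reason) for every O20 entry worth a second look."""
    flagged = []
    for e in entries:
        reasons = []
        if e.name.lower() not in XP_BASELINE_NOTIFY:
            reasons.append("not an XP baseline Notify subkey")
        if looks_random(e.path):
            reasons.append("random-looking DLL name")
        if reasons:
            flagged.append((e, "; ".join(reasons)))
    return flagged


def file_targets(detections: List[Detection]) -> List[str]:
    """Locations that are actual files: registry-only hits and tracking
    cookies (which a cache cleaner handles) are left out."""
    return [d.location for d in detections
            if d.location != "Windows Registry" and "\\Cookies\\" not in d.location]


if __name__ == "__main__":
    for entry, why in suspicious_notify(parse_o20(HJT_SAMPLE)):
        print(f"O20 {entry.name} -> {entry.path}: {why}")
    for path in file_targets(parse_panda(PANDA_SAMPLE)):
        print("file:", path)
```

Run it as-is and it reports the Unimodem entry on both counts and lists the three file-path hits; the cookie and registry hits drop out, which matches how the helper's instructions below split the work between a file deleter and a cache cleaner.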

#14 didom

Posted 03 March 2006 - 02:48 PM

Download Killbox.
Click killbox.exe.
Select the option "Delete on reboot".

Now copy the next bold part:

C:\WINDOWS\DOWNLOADED PROGRAM FILES\f3initialsetup1.0.0.15.inf
C:\WINDOWS\icont.exe
C:\DR21206.exe
C:\gimmygames12.exe
C:\winsysupd12.exe


Open 'file' in the killboxmenu on top and choose Paste from clipboard

Now you will see, this is pasted in the "Full Path of File to Delete"-field.
There's a little arrow (dropdown-arrow) next to that field.
If you expand it, these lines must be there together if the files are present!

Click the button: All Files (!important!)

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.

Your computer must reboot now.

Find and delete this folder :
C:\!Killbox <= this folder

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

#15 Jmarten

Posted 04 March 2006 - 02:43 AM

I just saw your post. I am going to do it tomorrow; I had to work a double shift today and am too tired to do it. But I did leave my computer on while I was at work so I could go into Task Manager and look at all the stuff that is running, and there were like 40 "IEXPLORER" running. It wasn't like the regular ones; it was the one that was capitalized just like I typed it in quotes. But there were only 5 Internet Explorer popups open, you know, the ones that I could see and close. I will do what you said above and then let you know what you want me to know. I want to thank you for all the help that you are giving me.... And please let me know what kind of program to get so this doesn't happen to me anymore....I mean after we fix the problem at hand ....THANK YOU SOOOOOO MUCH!!!!!!
