
I'm Infected, Please Help


  • This topic is locked
6 replies to this topic

#1 seltaeb112


Posted 09 August 2006 - 09:40 PM

Logfile of HijackThis v1.99.1
Scan saved at 10:35:49 PM, on 8/9/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\Ati2evxx.exe
C:\WINNT\bnljYm9l\command.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\wtfntet.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\surfmonkey\SMProxy.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\DELL\AccessDirect\dadapp.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE
C:\Program Files\iRiver\Service\MLService.exe
C:\Program Files\iRiver\Service\Updater.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\outlook\outlook.exe
C:\WINNT\system32\wfxqhv.exe
C:\WINNT\system32\zqskw.exe
C:\WINNT\wtfntetA.exe
C:\WINNT\system32\cvn0.exe
C:\WINNT\system32\apbzk.exe
C:\WINNT\system32\n9nyb.exe
C:\WINNT\system32\ghynf.exe
C:\Program Files\Common Files\{C455B262-03E4-1033-1105-020204190001}\Update.exe
C:\WINNT\system32\y3aqsoepa.exe
C:\WINNT\system32\afdaqd3.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\GoogleDCC\GoogleDCC.exe
C:\Program Files\earthlinkim\aim.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl.exe
C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.nycboe.org/proxy.pac
R3 - Default URLSearchHook is missing
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://news.google.com/nwshp?hl=en&gl=us"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: (no name) - {50F49B14-0C74-3B2E-27DA-51681DC17A91} - (no file)
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - C:\WINNT\webdir.dll
O2 - BHO: (no name) - {C915E0B1-21E8-45AC-B716-76E9F164885A} - \
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINNT\system32\xeymi.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [iRiver AutoDB] C:\Program Files\iRiver\Service\MLService.exe
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\Service\Updater.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINNT\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [wtfntetA] C:\WINNT\wtfntetA.exe
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINNT\system32\cvn0.exe
O4 - HKLM\..\Run: [wGzyM6F48] C:\WINNT\system32\apbzk.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [GoogleDCClient] C:\Program Files\GoogleDCC\GoogleDCC.exe -startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\earthlinkim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: svchost.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\winnt\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\earthlinkim\aim.exe
O9 - Extra button: iSiloX Clipper - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - C:\Program Files\iSilo\iSiloX\iSiloXIE.dll
O9 - Extra 'Tools' menuitem: iSiloX Clipper... - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - C:\Program Files\iSilo\iSiloX\iSiloXIE.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/13e3bc4ab892e1629c17/...ip/RdxIE601.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.20/konti...current/kdx.cab
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINNT\system32\xeymi.dll
O20 - Winlogon Notify: Control Panel - C:\WINNT\system32\k8440ihqe84e0.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\bnljYm9l\command.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\wtfntet.exe


#2 -David-


Posted 10 August 2006 - 07:06 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A printout of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Your system is terribly infected. The problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show. Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution. So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused. Due to the status of some of the files you have on your computer, I strongly recommend that you do the following immediately. From a clean computer, change all your online passwords-- for email, for banks, eBay, forums etc....

1) Click on start, then control panel, and then double-click on add/remove programs. From within add/remove program uninstall the following if they exist by double-clicking on the following entries:

Network Monitor
Windows Overlay Components
Command Service


2) Please set your system to show hidden files; please see here if you're unsure how to do this.

3) I see you are running TeaTimer.
I suggest you to disable it because it can interfere with the changes you'll make on your system.
When everything is done and your log is clean again, you can enable it again.
If teatimer gives you a warning afterwards that some changes were made, allow this instead of blocking it.
How to disable TeaTimer during HijackThis Cleanup
Then, Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

4) Please download Ewido Anti-Spyware and save the file to your desktop.
This is a free 30 day trial version of the program.
  • Locate the icon on your desktop and double click it to open the set-up program.
  • Follow the instructions on screen to install Ewido.
  • Run the program and you will meet the main screen.
  • Select the icon "Update" then select the "Update now" link
  • Next click the "Start Update" button; a progress bar will show the updates being installed.
  • Now select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Click on "Recommended actions" and then select "Quarantine".
  • Close the program now, we will be running a scan a bit later.
Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the 'scriptfile to execute'-window you'll see a little icon as shown in next picture: Posted Image
When you click that icon, a little window will open that says: 'Please enter the full URL to the sript you want to execute'
In the field, copy and paste next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script ( alcanshorty.bfu ) manually from above url ( rightclick on it and choose 'save as' and save it in your BFU-folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute'-window
Browse to the script you downloaded and Click Ok and Execute in Brute Force Uninstaller.


Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

5) Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
O2 - BHO: (no name) - {50F49B14-0C74-3B2E-27DA-51681DC17A91} - (no file)
O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - C:\WINNT\webdir.dll
O2 - BHO: (no name) - {C915E0B1-21E8-45AC-B716-76E9F164885A} - \
O2 - BHO: Ozbyq Class - {D623BC2F-A58D-4A75-A10D-CC244A702A35} - C:\WINNT\system32\xeymi.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINNT\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [wtfntetA] C:\WINNT\wtfntetA.exe
O4 - HKLM\..\Run: [ad8rIU3s] C:\WINNT\system32\cvn0.exe
O4 - HKLM\..\Run: [wGzyM6F48] C:\WINNT\system32\apbzk.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - Global Startup: svchost.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150/13e3bc4ab892e1629c17/...ip/RdxIE601.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINNT\system32\xeymi.dll
O20 - Winlogon Notify: Control Panel - C:\WINNT\system32\k8440ihqe84e0.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINNT\bnljYm9l\command.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\wtfntet.exe


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

6) Now reboot into Safe Mode.
This can be done tapping the F8 key as soon as you start your computer
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

7) Using Windows Explorer, please locate the following files/folders, and delete them if still present:

C:\WINNT\wtfntet.exe
C:\WINNT\webdir.dll
C:\WINNT\system32\xeymi.dll
C:\WINNT\system32\wfxqhv.exe
C:\WINNT\wtfntetA.exe
C:\WINNT\system32\cvn0.exe
C:\WINNT\system32\apbzk.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\WINNT\bnljYm9l <--folder
C:\Program Files\Network Monitor <--folder

8) Open Ewido antispyware.
Then click on the Scanner tab at the top.
Click the "Settings" tab and then change the recommended action to Quarantine.
Click Automatically generate report after every scan.
Click back to the "Scan" tab and then click on Complete System Scan.
This scan can take quite a while to run, so be prepared.
Ewido will list any infections found on the left hand side.

When the scan has finished, it will automatically set the recommended action.
Click the Apply all actions button.
Ewido will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As".
This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Close Ewido and reboot back to normal mode!!

9) Open notepad and copy and paste next in it:

sc stop "Windows Overlay Components"
sc delete "Windows Overlay Components"
sc stop "Network Monitor"
sc delete "Network Monitor"
sc stop cmdService
sc delete cmdService

Save this as fix.bat
Choose to save as all files.
This is how the batch must look afterwards: Posted Image
Doubleclick fix.bat and let the program run.

10) Please download Look2Me-Destroyer from here to your desktop.
Close all programs before continuing.
Double-click Look2Me-Destroyer.exe icon to run it.
Put a check next to "Run this program as a task".
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click "OK"
When Look2Me-Destroyer re-opens, click the "Scan for L2M" button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the "Remove L2M" button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message - Done removing infected files....., click OK.
After the restart, please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
Note, if Look2Me-Destroyer does not reopen automatically, reboot and try again.
Post the ewido log also.
David
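
A sketch of how the entries of a HijackThis log can be parsed and pre-sorted for review, added here as an example; it is not part of David's post and not a HijackThis feature. The sample lines are copied from the log in post #1, while the review rules (`SYSTEM_DIRS`, `SYSTEM_NAMES` and the reason strings) are assumptions chosen for this Windows 2000 log, not the criteria the helper used.

```python
import ntpath
import re
from typing import List, NamedTuple, Optional, Tuple

# Lines copied from the HijackThis log in post #1 (a subset, for the demo).
SAMPLE_LOG = r'''
Logfile of HijackThis v1.99.1
O2 - BHO: (no name) - {50F49B14-0C74-3B2E-27DA-51681DC17A91} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINNT\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: svchost.exe
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O20 - Winlogon Notify: Control Panel - C:\WINNT\system32\k8440ihqe84e0.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINNT\wtfntet.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
'''


class Entry(NamedTuple):
    code: str  # HijackThis section code, e.g. "O4"
    text: str  # everything after "CODE - "


# Entry lines look like "O4 - <details>"; headers and process paths do not match.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
# First Windows path ending in an executable or library extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx)', re.I)
# URL whose host is a dotted-quad IP address instead of a name.
IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?:[:/]|$)", re.I)

# Assumptions for this example: the Windows directories of the machine in
# post #1, and a short list of core process names worth a second look
# when they show up as startup items.
SYSTEM_DIRS = {r"c:\winnt", r"c:\winnt\system32"}
SYSTEM_NAMES = {"svchost.exe", "winlogon.exe", "lsass.exe",
                "services.exe", "csrss.exe", "smss.exe"}


def parse_log(text: str) -> List[Entry]:
    """Return the coded entries of a HijackThis log, skipping all other lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def review_reason(e: Entry) -> Optional[str]:
    """Return why an entry deserves manual review, or None if no rule fires."""
    m = PATH_RE.search(e.text)
    path = m.group(0) if m else None
    if e.code == "O2" and e.text.endswith("(no file)"):
        return "BHO is registered but its file is missing"
    if e.code == "O4":
        # Startup-folder items may be listed as a bare file name without a path.
        name = ntpath.basename(path) if path else e.text.split(": ", 1)[-1]
        if "Startup:" in e.text and name.strip().lower() in SYSTEM_NAMES:
            return "Startup-folder item uses a core system process name"
        if path and ntpath.dirname(path).lower() in SYSTEM_DIRS:
            return "autorun image sits directly in the Windows directory"
    if e.code == "O16" and IP_URL_RE.search(e.text):
        return "ActiveX control was fetched from a bare IP address"
    if e.code == "O20":
        return "DLL is loaded by Winlogon at logon; confirm its origin"
    if e.code == "O23" and "Unknown owner" in e.text:
        return "service is reported with 'Unknown owner'"
    return None


def triage(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    """Pair every entry that matches a rule with the reason it matched."""
    flagged = []
    for e in entries:
        reason = review_reason(e)
        if reason:
            flagged.append((e, reason))
    return flagged


if __name__ == "__main__":
    for entry, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{entry.code:<4} {reason}\n     {entry.text}")
```

The ATI service is flagged even though the fix list in post #2 does not include it: the output is a list of leads for a human reviewer, not a set of verdicts.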

#3 seltaeb112


Posted 11 August 2006 - 06:56 PM

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:50:56 PM 8/10/2006

+ Scan result:



C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0O8JP7QX\Installer[1].exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Installer3.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\JFFI500.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\MPLS2.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\eocapi.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\fp0o03d3e.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\fp6s03j7e.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\gpn0l35m1.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\l8j80i1ue8.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\mvrml9911.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\n82ulif9182.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\p48qlel51hq.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\qxgr.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\warebundlenewer.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
[316] C:\WINNT\system32\mgdart32.dll -> Adware.Look2Me : Error during cleaning.
[580] C:\WINNT\system32\mgdart32.dll -> Adware.Look2Me : Error during cleaning.
C:\WINNT\em.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\WINNT\876057.exe -> Adware.Mirar : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\WinNB57.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc21.dll -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\csrrs.exe -> Backdoor.Rbot : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GTML25LJ\drsmartload45a[1].exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NW75M6BX\drsmartload46a[1].exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NW75M6BX\drsmartload849a[1].exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\dr.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\dr.exe -> Downloader.Adload.ds : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0O8JP7QX\dist13[1].exe -> Downloader.Agent.aaf : Cleaned with backup (quarantined).
C:\dist13.exe -> Downloader.Agent.aaf : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\dmonwv.dll_tobedeleted -> Downloader.Agent.agw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0O8JP7QX\ac2[1].txt -> Downloader.Agent.ahv : Cleaned with backup (quarantined).
C:\WINNT\ddhb.exe -> Downloader.Agent.ala : Cleaned with backup (quarantined).
C:\fym9bvo.exe -> Downloader.Agent.ala : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NW75M6BX\installerwnus[1].exe -> Downloader.Qoologic.at : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0O8JP7QX\rcverlib[1].exe -> Downloader.Qoologic.ax : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\mvftp.dat -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\FCSPG3AP\al3[1].txt -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINNT\nvqcvueq.dll -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0O8JP7QX\MTE3NDI6ODoxNg[1].exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\WINNT\idlemg.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\VSL.dl_ -> Downloader.Small.ctp : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0O8JP7QX\ac3_0003[1].exe -> Downloader.Small.cyh : Cleaned with backup (quarantined).
C:\Program Files\Common Files\fkur\fkurp.exe -> Downloader.TSUpdate.f : Cleaned with backup (quarantined).
C:\Program Files\Common Files\fkur\fkura.exe -> Downloader.TSUpdate.l : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NW75M6BX\stub_113_4_0_4_0[1].exe -> Downloader.TSUpdate.o : Cleaned with backup (quarantined).
C:\Program Files\Common Files\fkur\fkurl.exe -> Downloader.TSUpdate.r : Cleaned with backup (quarantined).
C:\WINNT\ms0616734-100102006.exe -> Downloader.VB.aga : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GTML25LJ\loader[1].exe -> Downloader.VB.agk : Cleaned with backup (quarantined).
C:\visfx500new.exe -> Dropper.Agent.aie : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\NW75M6BX\numbsoft[1].exe -> Dropper.Agent.hl : Cleaned with backup (quarantined).
C:\bintheredunthat\numbsoftnew.exe -> Dropper.Agent.hl : Cleaned with backup (quarantined).
C:\WINNT\ss1205.exe -> Dropper.Small.qn : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\007 Email Sender Express 4.6.0.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\1Click DVD Copy v4.2.1.2.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\2Flyer Screensaver Builder Pro 6.1.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\AB Commander XP v6.5.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\AVID Xpress Pro HD 5.22.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Ace DVD Backup 1.2.22.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Alchemy Eye PRO 5.2.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Antenna Web Design Studio v1.2.32.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Anti Trojan Elite 3.43.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Apollo DVD Creator 2.1.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Arial CD Ripper v1.4.4.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Asmw PC-Optimizer PRO 6.0.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\AtomSync v2.02.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Attachments Zip Compressor 1.3.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\AutoUpdate Plus v3.00.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Awesome Moments Screensaver 1.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\B-Puzzle v6.0.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\BadBlue Easy File Sharing Server 2.44.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Breaktru Fractions n Decimals v5.3.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Breaktru Quick Conversion v4.2.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\CarboMeter v1.0.2.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Casino Las Vegas 2004 4.0.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\CleanCenter 1.33.11.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\CloanTo Euro Calculator v3.5.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\DVD to MPEG v4.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\DVDIdle Pro 5.9.6.8.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Dekart Private Disk v2.06.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\ENat Voice For MSN Messanger v2.1.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\EXE Stealth v2.73.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Easi Mp3 3.45.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Easy Audio Grabber 2.0.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Electronic Recipe Manager 3.5.0.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Eudora mail 5.2.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\ExtractNow 3.53.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\FairStars Audio Converter v1.03.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\File Spy 3.0.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Fireworks MX 2004 v7.0.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\FlashFXP 2.2 Build 945 Beta.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Focus Photoeditor v3.0.29.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\GameBoost v1.1.16.2006.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Golden Eye v3.11.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\HarbourMan v1.03.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Headsoft Clone Cleaner Pro v1.02.1.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Heaven and Hell.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\IdImager Image Browser and Web Publisher v1.5.0.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\ImTOO DVD Audio Ripper v1.0.7.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Image To PDF 2.1.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\ImageKeep.Express v1.2.6.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Internet Download Accelerator 2.3.1.595.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Internet Explorer Password Recovery.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Job Search Software Engine 5.2.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Joiner v1.1.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Jpg Animated Slide Show v1.10.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\K-ML v3.8.248.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Language Coach v1.10.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Linux redhat 8.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Local Port Scanner 1.2.2.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\LockItNow v1.0.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Lost Vikings 2.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\MP3 Disc Burner 1.75.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\MP3 Disc Burner v1.72.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\MP3 Disc Burner v1.75.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Magic Tweak 2.60.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Megaleecher 1.0.4.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\MemoriesOnTV v2.010.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Motor City Online.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Mp3tag 2.15k.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\MyNetProtector Anti Popup v2.0.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Neevia docCreator v3.1.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Netops Stronghold v1.26.060503.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Never Winter Nights.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Newsgroups Pictures Downloader 1.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\NoClone v2.1.2.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Opera 7.11.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Optimal Desktop Standard 3.0 r132.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\PagePopupMaker 2.0.0.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\PcMedik v6.1.16.2006.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Perfect Tgp Submitter 1.7 Pro Edition.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\PhotoCool 1.50.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\PicaLoader v1.39.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Poker Mania 2.0.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Post2Blog Enterprise v1.11a.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Privacy Eraser Pro v3.20.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Private Shell v1.4.1.321.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Public Access Desktop v2.8.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Purge v1.1.0.269.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\PyroBatchFTP v2.07.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\PyroTrans v2.07.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\QueIt v2.0.17.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Rapid Reminder v2004.93.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Real Time Quotes Downloader v1.4.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\RealMedia Booster Pack v1.4.1.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Reget v3.3 (beta 186).exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Robo-FTP v2.1.2.6.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\SEE Electrical LT v2005.57.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\SMS Create Pro v5.1.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\SMS-it 3.1.3.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\SQL Server Backup v5.20.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Sadman FileTime v3.3.0.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Sadman Xchange v2.6.0.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Search Launcher 1.2.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\SelfCron v2.20.0036.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Simple MP3 Renamer 6.0.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\SkyMark PathMaker v6.0.21.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Slave zero.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\SmartFTP 2.0 Build 992.35.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\SmartFTP v1.5.988.50.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Smartftp 1.5.991.31.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\SoftDisc v2.1.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Spamwasher v1.2.1036.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\SpyRemover 2.49.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Spyware Doctor v3.2.1.359.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Spyware Nuker XT v4.5.40.1560.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Starscape v1.4.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Startup Organizer v2.2.163.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\SuperCleaner v2.6.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\SuperCleaner v2.87.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\SysJewel v1.1.100.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\System Cop 1.0.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Test Drive 6.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Text To Speech Live Player 1.40.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\The Bat! 3.70 Beta.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Time Sled v1.40.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Topee CD Ripper 1.2.18.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\WINner Tweak SE2 2.4.6.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\WWW File Share Pro v2.4.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\WebSite Watcher v4.03.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\WinHex v12.75 SR3.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\WinXMedia AVI MPEG iPod Converter v1.0.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Winzip 8.1.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\WorldWide FTP v2.43.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\XLS Converter v1.5.8.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\XP Tools v5.3.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\XPCSpy Pro 1.51.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Xnview 1.82 Rc-2.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Zealot All Video Splitter v1.8.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\Zone Labs IMsecure Pro v1.0.2.0.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Shared\_\xzxzxzxzxzxz.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc6.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\1-More PhotoCalendar v1.80.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\3aLab iRadio v1.5.0.512.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\AMS Media Show Pro v1.45.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\AccuHash v2.0.15.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\AlbumSee 1.6 build 333.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\AmiPic ShareMaster v6.16.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\AnFX 5.3.1.3.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\ArGoSoft Mail Server Pro with IMAP v1.8.8.5.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\Autopano Pro v1.0.0.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\Beside Import Wizard v8.2.0f.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\Block Buddy 2.5.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\Cheetah CD Burner v3.38.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\CodeSpy v1.1.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\Driver Magician V2.6.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\EZB Systems UltraISO Media Edition v7.6.5.1260.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\Easy DVD Shrink v3.0.21.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\Easy DVD To DVD Copy v3.0.31.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\Easy DVD to DVD Copy v3.0.3.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\Easy FlashMaker v1.3.415.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\Easy Music CD Burner v3.0.35.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\FTPRush Unicode 1.0.0.572.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\Game Jackal v2.7.11.321.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\InsidePro SAMInside v2.5.2.0.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\MaxiVista Mirror Pro v2.0.16.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\Media Center 11.1.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\MouseCage v1.05.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\Nature Illusion Studio v1.10.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\NetConceal Anonymizer v3.0.033.02.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\Odds Wizard v1.80.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\Protector Plus v7.2.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\Rapid Network Configurator v1.30.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\Scan and Repair Utilities 2006.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\SoapMaker Professional v2.8.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\SourceAnyWhere v4.23 Pro.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\SpyShield v1.6.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\Teleport Pro v1.40.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\TweakNow PowerPack 2006 Pro v.1.1.2.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\WaveGenix Mastering Suite Pro v5.3.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\XStart v1.8.0.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\Zip Express v2.4.2.1.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc7\xzxzxzxzxzxz.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\1 DVD Audio Ripper 1.2.11.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\16 Blocks.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\18 Fingers Of Death.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\Acala DVD to Pocket PC Movie v2.3.2.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\Acronis Disk Director Server 10.0.0.2117 Eng Retail.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\Adobe After Effects V7.0 Professional + Keygen.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\Adobe Photoshop CS 2 Photographers Guide eBook.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\AirStrike 3D Operation W.A.T. 1.68.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\Ashampoo Magical Defrag v1.11.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\Building Forums with Vbulletin eBook.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\Bulletproof Public PC v3.3.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\Chipscope Pro v8.2i.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\Creating Cool Web Sites with HTML XHTML and CSS.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\Dave Chappelles Block Party.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\Dream Match Tennis 1.02.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\Easy File Sharing Web Server v3.3.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\Essential System Administration Third Edition eBook.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\Garfield 2 A Tail of Two Kitties.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\Google Hacking For Penetration Testers eBook.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\Hack Proofing Your Network - Internet Tradecraf eBook.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\House of Wax.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\Ill Always Know What You Did Last Summer.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\Living the 80 20 Way Work Less Worry Less eBook.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\Modem Booster v5.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\Nero 7 Premium v7.2.3.2b.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\PowerDVD 7 Deluxe.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\Satanic 2006.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\ShareAlarmPro v1.6.6.0.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\Star Wars Empire at War.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\The DaVinci Code.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\The Descent - 2005 - DVDRip.XVID.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\The Power Of Strategy Innovation - Amacom eBook.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\The Real Business of Web Design eBook.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\The Rundown.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\This is Your Life Not a Dress Rehearsal eBook.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\Underworld Evolution.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\WWE Backlash 2006.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\Worms 4 Mayhem.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\YearPlanner v2.4.8.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc8\xzxzxzxzxzxz.exe -> Dropper.VB.lu : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GTML25LJ\v1201[1].exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc18.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-499990282-208432103-633414084-500\Dc20.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\WINNT\unin101.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\WINNT\v1201.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\0O8JP7QX\wallpap[1].exe -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Program Files\html1.htm -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Program Files\html2.htm -> Hijacker.Small.jf : Cleaned with backup (quarantined).
:mozilla.10:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.10:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\seltaeb112@earthlink.net\fqgcc38t.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.11:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.12:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.13:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.14:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.15:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.16:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.17:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.18:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.19:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.20:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.21:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.22:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.6:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.6:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\seltaeb112@earthlink.net\fqgcc38t.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.7:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.7:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\seltaeb112@earthlink.net\fqgcc38t.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.8:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.8:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\seltaeb112@earthlink.net\fqgcc38t.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.9:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.9:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\seltaeb112@earthlink.net\fqgcc38t.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@adrevolver[2].txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.139:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup (quarantined).
:mozilla.140:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup (quarantined).
:mozilla.45:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Centrport : Cleaned with backup (quarantined).
:mozilla.172:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Cj : Cleaned with backup (quarantined).
:mozilla.126:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.127:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.128:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.129:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.130:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.131:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.132:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.133:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.134:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.135:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.136:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.137:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.24:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Esomniture : Cleaned with backup (quarantined).
:mozilla.162:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.163:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.164:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Liveperson : Cleaned with backup (quarantined).
:mozilla.83:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
:mozilla.89:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Overture : Cleaned with backup (quarantined).
:mozilla.27:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.28:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.29:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Pointroll : Cleaned with backup (quarantined).
:mozilla.91:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup (quarantined).
:mozilla.92:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Qksrv : Cleaned with backup (quarantined).
:mozilla.93:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.12:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\seltaeb112@earthlink.net\fqgcc38t.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.13:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\seltaeb112@earthlink.net\fqgcc38t.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
:mozilla.14:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\seltaeb112@earthlink.net\fqgcc38t.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup (quarantined).
:mozilla.105:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.106:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.107:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.108:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
:mozilla.114:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@media.top-banners[1].txt -> TrackingCookie.Top-banners : Cleaned with backup (quarantined).
:mozilla.117:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@ac2.valuead[1].txt -> TrackingCookie.Valuead : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@free.wegcash[2].txt -> TrackingCookie.Wegcash : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.141:C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\cookies.txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Cookies\administrator@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GTML25LJ\redistribute[1].exe -> Trojan.Agent.sx : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\.jpi_cache\file\1.0\Dummy.class-31a87ca1-3b9749c1.class -> Trojan.Nocheat : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\.jpi_cache\file\1.0\ok.class-33b5fbf9-77c9a70f.class -> Trojan.Nocheat : Cleaned with backup (quarantined).
C:\WINNT\uni_eh.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Complete\'VA - Finally (Discostyle Goes House) [2CDS] [2006][House][www bitmp3 com].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Complete\(ES) Sexy Movie FRENCH DVDRIP By Cc65.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Complete\007 Casino Royale 2006 Wallpapers Posters Screens[BADR1X].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Complete\100000 Web Images.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Complete\22in1 PC Repairs.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Complete\252 Disney Wallpaper and 154 Buddy Icons and 16 Disney Print Fonts.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Complete\300 assorted card and puzzle games.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Complete\3D Icons zip.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Complete\ATOMIC BOMBERMAN.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Complete\About CNET Networks.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Complete\Absolute Java.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Complete\Acronis Drive Cleanser 6.0 [Boot CD].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Complete\AdultPDF PDF to Word v2 1 WinALL Incl Keygen-iNDUCT rar.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Complete\Advanced search.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Complete\Air America Radio - The Al Franken Show 080806 [mp3].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Complete\Air America Radio - The Majority Report 080806 [mp3].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Complete\Air America Radio - The Mike Malloy Show 080706 [mp3].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Complete\Air America Radio - The Rachel Maddow Show 080806 [mp3].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Complete\Air America Radio - The Randi Rhodes Show 080806 [mp3].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Complete\Air America Radio - The Thom Hartmann Program 080806 [mp3].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Complete\All RSS feeds.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Complete\All Software.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Complete\AntiSemitism In The 21st Century PDTV XviD-WPi [eztv].zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Complete\Apress Excel PivotTables Recipes A Problem Solution Approach Mar 2006 eBook-BBL.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Complete\Audio Books Orson Welles - War of the Worlds Original, Uncut mp3.zip/Setup.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Complete\BETTER HOMES AND GA

#4 seltaeb112

Posted 11 August 2006 - 06:58 PM

Logfile of HijackThis v1.99.1
Scan saved at 9:37:51 PM, on 8/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\explorer.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.nycboe.org/proxy.pac
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,idoyosq.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://news.google.com/nwshp?hl=en&gl=us"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [iRiver AutoDB] C:\Program Files\iRiver\Service\MLService.exe
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\Service\Updater.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [gquidk] C:\WINNT\system32\hyqqem.exe reg_run
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\hyqqem.exe reg_run
O4 - HKLM\..\Run: [NwCplMonitor] C:\WINNT\system32\redistributor.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [GoogleDCClient] C:\Program Files\GoogleDCC\GoogleDCC.exe -startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\earthlinkim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [cmbjf] C:\WINNT\system32\hyqqem.exe reg_run
O4 - HKCU\..\Run: [fkur] C:\PROGRA~1\COMMON~1\fkur\fkurm.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\winnt\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\earthlinkim\aim.exe
O9 - Extra button: iSiloX Clipper - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - C:\Program Files\iSilo\iSiloX\iSiloXIE.dll
O9 - Extra 'Tools' menuitem: iSiloX Clipper... - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - C:\Program Files\iSilo\iSiloX\iSiloXIE.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.20/konti...current/kdx.cab
O20 - Winlogon Notify: RunServices - C:\WINNT\system32\p04ulah91d4.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

I tried to run look2me but it would freeze up.

Do you have any further advice, David? It appears my computer is worse than I thought.

#5 seltaeb112

Posted 11 August 2006 - 08:18 PM

With some perseverance I was able to get look2me-destroyer to work. Here are the updated files:

Logfile of HijackThis v1.99.1
Scan saved at 9:37:51 PM, on 8/10/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\explorer.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie...ton/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.earthlink.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.google.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://proxy.nycboe.org/proxy.pac
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,idoyosq.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://news.google.com/nwshp?hl=en&gl=us"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Administrator\Application Data\Mozilla\Profiles\default\rdjpf0yb.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Acrobat\ActiveX\AcroIEHelper.ocx
O2 - BHO: EarthLink ScamBlocker V2 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE_PopupBlocker Class - {656EC4B7-072B-4698-B504-2A414C1F0037} - C:\Program Files\EarthLink TotalAccess\Accelerator\prpl_IePopupBlocker.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\winnt\googletoolbar1.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\winnt\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [Camera Detector] C:\PROGRA~1\ACDSYS~1\DEVDET~1\DEVDET~1.EXE -autorun
O4 - HKLM\..\Run: [iRiver AutoDB] C:\Program Files\iRiver\Service\MLService.exe
O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\Service\Updater.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [gquidk] C:\WINNT\system32\hyqqem.exe reg_run
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [ntdll.dll] C:\WINNT\system32\hyqqem.exe reg_run
O4 - HKLM\..\Run: [NwCplMonitor] C:\WINNT\system32\redistributor.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [GoogleDCClient] C:\Program Files\GoogleDCC\GoogleDCC.exe -startup
O4 - HKCU\..\Run: [AIM] C:\Program Files\earthlinkim\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [cmbjf] C:\WINNT\system32\hyqqem.exe reg_run
O4 - HKCU\..\Run: [fkur] C:\PROGRA~1\COMMON~1\fkur\fkurm.exe
O4 - HKCU\..\Run: [E6TaskPanel] "C:\Program Files\EarthLink TotalAccess\TaskPanl.exe" -winstart
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotSync Manager.lnk = C:\Palm\Hotsync.exe
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://c:\winnt\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\winnt\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\winnt\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\winnt\GoogleToolbar1.dll/cmsimilar.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\earthlinkim\aim.exe
O9 - Extra button: iSiloX Clipper - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - C:\Program Files\iSilo\iSiloX\iSiloXIE.dll
O9 - Extra 'Tools' menuitem: iSiloX Clipper... - {C86027A6-12A1-4298-B6EA-A42AC6EE6C7C} - C:\Program Files\iSilo\iSiloX\iSiloXIE.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {F54C1137-5E34-4B95-95A5-BA56D4D8D743} (Secure Delivery) - http://content.kontiki.com/kdx/v2.20/konti...current/kdx.cab
O20 - Winlogon Notify: RunServices - C:\WINNT\system32\p04ulah91d4.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\Ati2evxx.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:06:13 PM 8/11/2006

+ Scan result:



C:\WINNT\SYSTEM32\NDMARTA.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINNT\SYSTEM32\PYNMAP.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\mit4.tmp.cab/NNBar_VCSetup_876072.exe -> Adware.Mirar : Cleaned with backup (quarantined).
C:\Documents and Settings\Administrator\Local Settings\Temp\mit4.tmp/NNBar_VCSetup_876072.exe -> Adware.Mirar : Cleaned with backup (quarantined).


::Report end

#6 -David-


Posted 12 August 2006 - 04:01 AM

Hey there seltaeb112

We still have quite a bit more work to do.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in Word/Notepad to the desktop where they can be easily found for the same reasons as above.
A printout of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

1) Please move HijackThis to another location, preferably c:\Program Files\HijackThis. Anywhere is fine, other than your Desktop or a Temp folder. If HijackThis is in a temporary folder you run the risk of accidentally deleting the backups or it clutters your desktop with all the backups.
If you use Windows XP it might be that you just double-clicked on the file HijackThis.exe, but that only extracts the file to a temporary folder. Please select the file and Extract it to a folder.

How do you make a permanent folder:

Click "My Computer", then "C:\" and then on "Program Files".
In the menu bar, "File"->"New"->"Folder".
That will create a folder named "New Folder", which you can rename to "HJT" or "HijackThis".
Now you have "C:\Program Files\HijackThis". Put your HijackThis.exe there.

2) Please download Ad-Aware SE Personal and install it.
If you already have Ad-Aware SE, please configure it as indicated below.
If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

Run Ad-Aware, and click Check for updates now.
Select Configurations (click the Gear wheel at the top) as follows:
General Button > Safety & Settings > Check (Green) all three.
Tweak Button > Cleaning Engine > uncheck "Always try to unload modules before deletion".
Click Proceed.

To start the scan, Click > "Scan Now" at left.
Select "Search for low-risk threats".
Select "Perform full system scan".
Click "Next".

When the scan has completed, select Next.
In the Scanning Results window, select the "Critical Objects" tab.
Right-click on the screen and choose "Select all objects".
Click Next to remove the infections found, and click OK to the prompt.
Restart the computer.

3) Please download Combofix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

David

#7 -David-


Posted 09 September 2006 - 02:48 PM

Since this issue appears resolved, this Topic is now closed.

If you need this topic reopened, please request this by sending me a PM with the address of the thread using the link here. This applies only to the original topic starter.

Everyone else please begin a New Topic.



