Virus Jumped On GF's computer, here is the logfile
alcocerpi
3. May 2006 @ 19:10
Here is her log file

Logfile of HijackThis v1.99.1
Scan saved at 11:06:38 PM, on 5/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atmclk.exe
C:\WINDOWS\System32\dcomcfg.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\iPODService.exe
C:\WINDOWS\vsnpstd2.exe
C:\WINDOWS\System32\winldra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\intell321.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www...
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\System32\hp96D7.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] c:\Corel\Office7\Shared\QFinder7\QFSCHED.EXE
O4 - HKLM\..\Run: [iPod USB Service] iPODService.exe
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\System32\intell321.exe
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\RunServices: [iPod USB Service] iPODService.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .asp: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
Senior Member
4. May 2006 @ 03:53
You don't have an antivirus on your computer. Download and install an antivirus.

These are good (free) antiviruses:
AVG Antivirus --> http://www.grisoft.com
Avast --> http://www.avast.com

Ok, you got some infections....

Cleaning instructions:

Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Unzip it (folder named SmitFraudFix) to your desktop:

Open the folder SmitfraudFix and double-click smitfraudfix.cmd
Choose option #1 - Search by typing 1 and pressing "Enter"; a text file opens and lists the infected files (if any exist)

Post the contents of this textfile to here.

(Some antiviruses recognise process.exe as malware. It is not malware; it is a program that stops processes.)

Download and install Ewido, UPDATE it, but do NOT run a scan yet. -> http://www.ewido.net/en/download
We'll use it later.

Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1
Do NOT run yet.

Go to Control Panel -> Add/Remove programs -> Remove Viewpoint Manager, WeatherBug if found

Fix the following entries with HijackThis (run HijackThis, press "Do a system scan only", close all other windows, checkmark entries and press Fix checked):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www...
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iPod USB Service] iPODService.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\RunServices: [iPod USB Service] iPODService.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
Restart your computer into safe mode -> http://www.pchell.com/support/safemode.shtml

Delete these folders (if found):
C:\Program Files\Viewpoint
C:\Program Files\AWS

Delete these files (if found):
C:\WINDOWS\System32\winldra.exe
C:\WINDOWS\web\related.htm
C:\WINDOWS\System32\iPODService.exe

Run ATF Cleaner -> Check select all -> Press Empty selected

Scan and clean your computer with Ewido and save the log file.
Do NOT clean Ewido's quarantine yet.

Restart your computer normally.

Post the following logs to here and we'll continue:
-> fresh HijackThis log
-> Ewido's log
-> Smitfraudfix log

I have moved from AD; I won't be taking new HijackThis logs from here. Reason: AD's unsupportive atmosphere.
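The reply above reads the HijackThis log by hand: it singles out the O2 BHO that loads a .tmp file, the entries marked (file missing), the bare "iPODService.exe" Run value, and the copy of iPODService.exe sitting in System32 next to Apple's real one under Program Files. The script below is an added example (not part of this thread, and not HijackThis's own code) that automates exactly that first pass. It parses the "Running processes" block and the R/O entries of a constructed sample in the same layout as the log posted above and returns review flags for those patterns. The category names and heuristics are mine; every flag means "look at this", not "this is malware" (hkcmd.exe in the sample is a legitimate Intel autorun and is flagged only because it lives in System32).

```python
"""Triage helper for HijackThis v1.99 logs (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample in the same layout as the log posted above; the entries
# echo a few from it so the heuristics can be checked against the reply's advice.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\iPODService.exe
C:\WINDOWS\System32\winldra.exe
C:\Program Files\iPod\bin\iPodService.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/...
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\System32\hp96D7.tmp
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [iPod USB Service] iPODService.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.+)$")


def parse_log(text):
    """Split a log into (running_processes, [(kind, body), ...])."""
    procs, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # a blank line closes the process block
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            procs.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
    return procs, entries


def target_of(kind, body):
    """Best-effort file an entry loads: for O4 the command after [name] or '='
    (quotes and arguments stripped), otherwise the last ' - ' field without
    HijackThis's '(file missing)' / '(HKCU)' annotations."""
    if kind == "O4":
        if "] " in body:
            cmd = body.split("] ", 1)[1]
        elif " = " in body:
            cmd = body.split(" = ", 1)[1]
        else:
            cmd = body
        if cmd.startswith('"'):
            return cmd[1:].split('"', 1)[0]
        m = re.match(r"(.*?\.exe)\b", cmd, re.I)
        return m.group(1) if m else cmd.split()[0]
    tail = body.rsplit(" - ", 1)[-1]
    for note in (" (file missing)", " (HKCU)"):
        tail = tail.replace(note, "")
    return tail.strip()


def triage(text):
    """Return [(category, subject, reason)] for entries worth a second look.
    Every category is a review flag, not a verdict."""
    procs, entries = parse_log(text)
    findings = []

    # Same executable name running from two directories (the thread's
    # System32\iPODService.exe beside Apple's copy under Program Files).
    dirs_by_name = defaultdict(set)
    for p in procs:
        folder, _, name = p.lower().rpartition("\\")
        dirs_by_name[name].add(folder)
    for name, folders in sorted(dirs_by_name.items()):
        if len(folders) > 1:
            findings.append(("name-collision", name,
                             "runs from " + " and ".join(sorted(folders))))

    for kind, body in entries:
        entry = f"{kind} - {body}"
        tgt = target_of(kind, body)
        low = tgt.lower()
        if "(file missing)" in body:
            findings.append(("dead-entry", entry, "target no longer exists; orphaned registration"))
        elif kind in ("R0", "R1"):
            findings.append(("browser-default", entry, "start/search page set by software; confirm the user chose it"))
        elif kind == "O2" and low.endswith(".tmp"):
            findings.append(("bho-tmp", entry, "a BHO should be a DLL; a .tmp in System32 is a hijack pattern"))
        elif kind == "O4" and "\\" not in tgt and tgt != "?":
            findings.append(("unqualified-path", entry, "no directory given; which file runs depends on the search path"))
        elif kind == "O4" and "\\windows\\system32\\" in low:
            findings.append(("system32-autorun", entry, "vendor autoruns usually live under Program Files; verify the publisher"))
    return findings


if __name__ == "__main__":
    for category, subject, reason in triage(SAMPLE_LOG):
        print(f"[{category}] {subject}\n    {reason}")
```

Run it as-is to see the flags for the sample, or pass the text of a saved hijackthis.log to triage(). The name-collision check is the one worth keeping in mind beyond this thread: an impostor that borrows a vendor's file name only shows up when you compare directories, which is why the reply could spot System32\iPODService.exe while the O23 service line for Apple's real iPodService.exe looked normal.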
alcocerpi
5. May 2006 @ 15:46
My GF's computer is a little slow, but I did everything you suggested. Here are the latest logs. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 7:39:54 PM, on 5/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\dcomcfg.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
C:\HJT\HijackThis.exe

O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\System32\hpC5BE.tmp
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] c:\Corel\Office7\Shared\QFinder7\QFSCHED.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .asp: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

-----------------------------------------------------------

SmitFraudFix v2.38

Scan done at 7:57:01.20, Fri 05/05/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\uninstDsk.exe FOUND !
C:\WINDOWS\warnhp.html FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\oleext.dll FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

C:\DOCUME~1\Owner\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\SpyFalcon\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\WINDOWS\\warnhp.html"
"SubscribedURL"=""
"FriendlyName"="Desktop Uninstall"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"="Twain"

[HKEY_CLASSES_ROOT\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
@="C:\WINDOWS\System32\twain32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
@="C:\WINDOWS\System32\twain32.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

C:\WINDOWS\system32\wininet.dll infected !

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll backup

Volume in drive C has no label.
Volume Serial Number is F4D5-9D00

Directory of C:\WINDOWS\SoftwareDistribution\Download\bc2bb94b99deb6cd7b7cb182db7109cb\rtmgdr

02/24/2006 02:26 PM 575,488 wininet.dll
1 File(s) 575,488 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\bc2bb94b99deb6cd7b7cb182db7109cb\RTMQFE

02/24/2006 06:28 PM 586,752 wininet.dll
1 File(s) 586,752 bytes

Directory of C:\WINDOWS\SYSTEM32

09/03/2002 01:12 PM 599,040 wininet.dll
1 File(s) 599,040 bytes

Directory of C:\WINDOWS\SYSTEM32\DLLCACHE

09/03/2002 01:12 PM 599,040 wininet.dll
1 File(s) 599,040 bytes

»»»»»»»»»»»»»»»»»»»»»»»» End

----------------------------------------------------------

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:17:40 PM, 5/5/2006
+ Report-Checksum: 264B6825

+ Scan result:

C:\Documents and Settings\Abby\Local Settings\Temp\Temporary Internet Files\Content.IE5\9ZMVWEW3\WinTA[1].cab/WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\Temporary Internet Files\Content.IE5\CL6SFT1E\Toolbar[2].cab/IExploreSkins.exe -> Adware.WebSearch : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\Temporary Internet Files\Content.IE5\CL6SFT1E\Toolbar[2].cab/toolbar.dll -> Adware.WebSearch : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~135676.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~146980.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~18015.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~307189.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~309264.tmp -> Downloader.Wintool.d : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~312049.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~312842.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~314255.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~314569.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~315723.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~315802.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~316635.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~316658.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~316893.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~318211.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~319410.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~320661.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~323946.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~326327.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~331219.tmp -> Downloader.Wintool.d : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~332513.tmp -> Downloader.Wintool.d : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~333808.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~337014.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~337508.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~338671.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~341086.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~341974.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~347033.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~347456.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~351116.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~351160.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~352673.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~355677.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~357009.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~360611.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~372994.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~374830.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~382902.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~384891.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~386178.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~386610.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~386869.tmp -> Downloader.Wintool.d : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~393984.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~397971.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~404577.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~404641.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~407308.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~409500.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~419630.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~423105.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~423495.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~426827.tmp -> Downloader.Wintool.d : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~428064.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~428097.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~43039.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~431421.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~432436.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~438587.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~440456.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~445912.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~448535.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~450376.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~451057.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~455523.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~457433.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~458817.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~461296.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~462047.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~464484.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~464749.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~467762.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~473762.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~474260.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~476035.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~476156.tmp -> Downloader.Wintool.d : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~482091.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~487094.tmp -> Downloader.Wintool.d : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~50076.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~505695.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~506851.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~519704.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~520226.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~522663.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~530458.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~531357.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~548061.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~559641.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~560129.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~576669.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~584896.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~586534.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~593877.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~599654.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~605723.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~635352.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~656708.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~663616.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~673957.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~674230.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~680451.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~683064.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~683642.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~687559.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~693321.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~695716.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~701839.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~709530.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~711669.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~711737.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~718903.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~721431.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~725653.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~734457.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~741999.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~752381.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~777659.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~793439.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~806669.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~830014.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~838969.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~850329.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~850633.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~856026.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~860797.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~876405.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~877503.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~893538.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~90271.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~92848.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~935037.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~94534.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~94747.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~983015.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~990026.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~998972.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Start Menu\Programs\WeatherCast -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\Abby\Start Menu\Programs\WeatherCast\WeatherCast.lnk -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Common Files\GMT\egIEEngine.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\GMT\GMT.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\WinTools\Update\WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Common Files\WinTools\Update\WToolsB.dll -> Adware.Wintol : Cleaned with backup
C:\Program Files\Common Files\WinTools\WSup.exe -> Downloader.Wintool.a : Cleaned with backup
C:\Program Files\Common Files\WinTools\WToolsA.exe -> Downloader.Wintool.a : Cleaned with backup
C:\Program Files\Common Files\WinTools\WToolsB.dll -> Adware.Wintol : Cleaned with backup
C:\Program Files\Common Files\WinTools\WToolsS.exe -> Downloader.Wintool.b : Cleaned with backup
C:\Program Files\Save -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Save\save.db -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Save\Save.exe -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Save\save.htm -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Save\SaveUninst.exe -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Save\store.db -> Adware.SaveNow : Cleaned with backup
C:\Program Files\whInstall -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\license.txt -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\readme.txt -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\Sporder.dll -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\Webhdll.dll -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\WhAgent.exe -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\whAgent.inf -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\whAgent.ini -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\whiehlpr.dll -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\whInstaller.exe -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\whInstaller.ini -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\WhSurvey.exe -> Adware.Webhancer : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP0\A0001004.exe -> Adware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP0\A0002004.exe -> Adware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP0\A0003004.exe -> Adware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0003066.exe -> Adware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004066.exe -> Adware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004112.exe -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004121.exe -> Adware.SaveNow : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004122.dll -> Adware.SaveNow : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004123.exe -> Adware.SaveNow : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004124.exe -> Adware.SaveNow : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004146.dll -> Adware.Aws : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004152.dll -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004157.dll -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004162.exe -> Adware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004168.dll -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004307.exe -> Adware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004312.exe -> Adware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0005315.exe -> Adware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0006253.exe -> Adware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0010361.exe -> Adware.SaveNow : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0010363.exe -> Adware.SaveNow : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\A0011258.exe -> Adware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\A0011290.exe -> Adware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0011306.exe -> Adware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0011323.exe -> Adware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0011333.exe -> Adware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0012333.exe -> Adware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0039677.exe -> Trojan.Small.ev : Cleaned with backup
C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0039689.dll -> Not-A-Virus.Hoax.Win32.Renos.cu : Cleaned with backup
C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0039718.dll -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0039719.exe -> Adware.NewDotNet : Cleaned with backup
C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0039720.dll -> Adware.Aws : Cleaned with backup
C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0039979.exe -> Adware.WebHancer : Cleaned with backup
C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0039981.exe -> Adware.SaveNow : Cleaned with backup
C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0039982.exe -> Adware.SaveNow : Cleaned with backup
C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0040016.dll -> Adware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0040017.exe -> Adware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0040018.exe -> Adware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0040019.exe -> Adware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0040020.exe -> Adware.WebSearch : Cleaned with backup
C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0040023.exe -> Adware.WebSearch : Cleaned with backup
C:\WINDOWS\SYSTEM32\ld9302.tmp -> Downloader.Zlob.mr : Cleaned with backup


::Report End
Senior Member
5. May 2006 @ 20:51
Ok, not clean yet.

Cleaning instructions:

SmitfraudFix has been updated, please remove the old version and download the latest from here -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Unzip it (folder named SmitFraudFix) to your desktop:

Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html

Restart your computer to the safemode and choose your normal user account -> http://www.pchell.com/support/safemode.shtml

Delete these folders (if found):
C:\Program Files\Common Files\GMT
C:\Program Files\Common Files\WinTools

When in safe mode, open the SmitfraudFix folder and double-click the file smitfraudfix.cmd
Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.

The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".

The tool might have to restart your computer; if it doesn't do it, restart your computer back to normal mode.
A text file will appear after the cleaning process; copy this file and paste it here.
The log is saved to your local disk drive, usually as C:\rapport.txt.

Warning: Running option 2 on a clean computer will delete your desktop wallpaper.

Post a fresh HijackThis log and the contents of C:\rapport.txt to here.

I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's unsupportive atmosphere.

This message has been edited since posting. Last time this message was edited on 5. May 2006 @ 21:09
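A way to triage a report of this shape, added here as an example that is not part of the thread or of ewido: it parses the `path -> detection : action` lines, counts detections per name, and separates restore-point and Temp copies from files that were live under Program Files or System32, which are the folders the reply above tells the user to re-check in safe mode. The sample lines are constructed in the same shape as the report posted above; `parse_report`, `classify`, `triage` and `live_parent_dirs` are this example's own names.

```python
"""Triage an ewido-style scan report.

Added example, not part of the thread or of ewido: the parser, the location
classes and the function names are this example's own.
"""
import re
from collections import Counter, defaultdict

# One detection per line: <path> -> <detection name> : <action taken>
REPORT_LINE = re.compile(r"^(?P<path>.+?) -> (?P<name>[^:]+?) : (?P<action>.+)$")

# Constructed sample in the same shape as the report posted above.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Abby\Local Settings\Temp\~560129.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~576669.tmp -> Adware.Wintol : Cleaned with backup
C:\Program Files\Common Files\WinTools\WToolsA.exe -> Downloader.Wintool.a : Cleaned with backup
C:\Program Files\Common Files\GMT\GMT.exe -> Adware.Gator : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004112.exe -> Adware.Gator : Cleaned with backup
C:\WINDOWS\SYSTEM32\ld9302.tmp -> Downloader.Zlob.mr : Cleaned with backup
::Report End
"""


def parse_report(text):
    """Yield (path, detection, action) for every detection line; headers and footers are skipped."""
    for line in text.splitlines():
        m = REPORT_LINE.match(line.strip())
        if m:
            yield m.group("path"), m.group("name"), m.group("action")


def classify(path):
    """Where the file lived.  Restore-point and Temp copies are inert once cleaned;
    anything else was a live install and its folder is worth re-checking after a reboot."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point"
    if "\\local settings\\temp\\" in p:
        return "temp"
    return "live"


def triage(text):
    """Counts per detection name plus paths grouped by location class."""
    counts = Counter()
    locations = defaultdict(list)
    for path, name, _action in parse_report(text):
        counts[name] += 1
        locations[classify(path)].append(path)
    return {"counts": counts, "locations": dict(locations)}


def live_parent_dirs(text):
    """Folders that held live detections, sorted; these are the ones to look for
    in safe mode, as the reply above does for the GMT and WinTools folders."""
    dirs = {path.rsplit("\\", 1)[0] for path in triage(text)["locations"].get("live", [])}
    return sorted(dirs)


if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    for name, n in summary["counts"].most_common():
        print(f"{n:3d}  {name}")
    for where, paths in summary["locations"].items():
        print(f"{where}: {len(paths)} file(s)")
    print("re-check:", *live_parent_dirs(SAMPLE_REPORT), sep="\n  ")
```

The location split is the useful part: a long list of `Cleaned with backup` lines looks alarming, but dozens of Temp and restore-point copies of the same adware family are one infection, while a single live file under Program Files or System32 is what decides whether the machine is clean yet.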

alcocerpi
6. May 2006 @ 07:38
Here they go

SmitFraudFix v2.38

Scan done at 11:15:13.21, Sat 05/06/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\uninstDsk.exe Deleted
C:\WINDOWS\warnhp.html Deleted
C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\hp????.tmp Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
Problem while deleting C:\WINDOWS\system32\oleext.dll
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\Owner\FAVORI~1\Antivirus Test Online.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll

C:\WINDOWS\system32\wininet.dll infected !

Searching wininet.dll backup file...
C:\WINDOWS\SoftwareDistribution\Download\bc2bb94b99deb6cd7b7cb182db7109cb\rtmgdr\wininet.dll
C:\WINDOWS\SoftwareDistribution\Download\bc2bb94b99deb6cd7b7cb182db7109cb\RTMQFE\wininet.dll
C:\WINDOWS\SYSTEM32\wininet.dll
C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll

File Found : C:\WINDOWS\SYSTEM32\DLLCACHE\\wininet.dll
System Version : 6.0.2800.1106
BackUp Version : 6.0.2800.1106

Wininet.dll Remplacement (reboot necessary)

»»»»»»»»»»»»»»»»»»»»»»»» Reboot

C:\WINDOWS\system32\oleext.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» End

---------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:30:31 AM, on 5/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] c:\Corel\Office7\Shared\QFinder7\QFSCHED.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .asp: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
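An added example, not from the thread or from HijackThis, that reads a log of this shape after a forum has wrapped its long lines: `parse_hjt` re-joins the continuation lines, and `running_without_autostart` lists the running processes that neither a core Windows XP process name nor any O4/O20/O23 image path accounts for, which is the first cross-check a log reader does by hand. The sample log is constructed in the shape of the logs in this thread (including a process name from the first log); the function names and the `KNOWN_SYSTEM` set are this example's own.

```python
"""Read a HijackThis 1.99 log as pasted into a forum.

Added example, not from the thread or from HijackThis: the re-joining of
forum-wrapped lines, the cross-check and the names below are this example's own.
"""
import re

# Every HijackThis finding starts with a section code: R0, F1, N3, O4, O23, ...
ENTRY = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")
# A Windows path ending in an executable or library; surrounding quotes and
# trailing arguments are left out.
IMAGE_PATH = re.compile(r'(?i)([a-z]:\\[^"]*?\.(?:exe|dll|scr|cpl))')
# Processes Windows XP starts itself, before any Run key is read (taken from the
# "Running processes" section of the logs in this thread); a starting point only.
KNOWN_SYSTEM = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "explorer.exe", "spoolsv.exe"}

# Constructed sample in the shape of the logs above, including the forum's
# line wrapping (a long entry split by a blank line).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 11:30:31 AM, on 5/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\winldra.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program

Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative

Software AutoUpdate) -

http://www.creative.com/su/ocx/15015/CTSUEng.cab
O23 - Service: ewido security suite guard - ewido networks -

C:\Program Files\ewido anti-malware\ewidoguard.exe
"""


def parse_hjt(text):
    """Return (processes, entries); entries are (code, body) with forum line wraps undone."""
    processes, entries = [], []
    mode = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if mode == "header":
            if line.lower().startswith("running processes"):
                mode = "processes"
            continue
        m = ENTRY.match(line)
        if m:
            mode = "entries"
            entries.append([m.group("code"), m.group("body")])
        elif mode == "processes":
            processes.append(line)
        elif entries:
            # Neither a section code nor a process path: the rest of the previous
            # entry, split off by the forum wrapping. Restore the dropped space.
            entries[-1][1] += " " + line
    return processes, [tuple(e) for e in entries]


def autostart_images(entries):
    """Lower-cased image paths named by O4 (Run keys, startup folders), O20 and O23 entries."""
    images = set()
    for code, body in entries:
        if code in ("O4", "O20", "O23"):
            m = IMAGE_PATH.search(body)
            if m:
                images.add(m.group(1).lower())
    return images


def running_without_autostart(text):
    """Running processes that neither Windows itself nor a listed autostart entry accounts for.
    A pointer to what to look up first, not a verdict on the file."""
    processes, entries = parse_hjt(text)
    images = autostart_images(entries)
    return [proc for proc in processes
            if proc.rsplit("\\", 1)[-1].lower() not in KNOWN_SYSTEM
            and proc.lower() not in images]


if __name__ == "__main__":
    for proc in running_without_autostart(SAMPLE_LOG):
        print("no autostart entry:", proc)
```

Two caveats apply to the output. A process with no matching entry can still be legitimate (started by a scheduled task, a driver, or another process rather than a Run key), and a process that does match an entry is only explained, not vouched for; the entry's path and publisher still have to be checked, which is what the helpers in this thread do line by line.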
Senior Member
6. May 2006 @ 09:57
Ok looking quite good but you still have the old version of smitfraudfix (2.38). Delete the old smitfraudfix.zip file and the smitfraudfix folder.

Then download SmitfraudFix.zip(version 2.40) to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Unzip it (folder named SmitFraudFix) to your desktop:

Open the folder SmitfraudFix and double-click smitfraudfix.cmd
Choose option #1 - Search by typing 1 and pressing "Enter"; a text file opens and lists the infected files (if any exist)

Post the contents of this textfile to here.

(Some antiviruses recognise process.exe as malware. It is not malware; it is a program that stops processes.)

I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's unsupportive atmosphere.
alcocerpi
6. May 2006 @ 10:41
Here it is. Hey, when you helped clean my other computer a few days ago I used the old version too. Should I post you a log with this version?

thanks

SmitFraudFix v2.40

Scan done at 14:37:40.38, Sat 05/06/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
Senior Member
6. May 2006 @ 10:46
Hi alcocerpi, this one is clean :)

But Windows and Internet Explorer are outdated.
Go and update them -> http://update.microsoft.com/windowsupdate/

And yes, you can post that log with the new version here. It was the latest version then, but as you can see, the fix is updated quite often :)

I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's unsupportive atmosphere.