Trojan Virus - WinFixer and popups

sldout1 (Newbie Poster; Join Date: Jul 2005; Posts: 16; Solved Threads: 0)
#1 - Nov 8th, 2005
Any help would be gratefully appreciated. Tried running all sorts of spyware, which always gets interrupted by WinFixer.
Thanks in advance.
HijackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 10:04:40 AM, on 11/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\Yjyhi\Awqkxof.exe
C:\Program Files\Common Files\AOL\1124372039\ee\AOLHostManager.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\AOL\1124372039\ee\AOLServiceHost.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\WINDOWS\System32\HPBPRO.EXE
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
F:\PROGRA~1\AIM\aim.exe
C:\Program Files\Common Files\AOL\1124372039\ee\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\HPBPRO.EXE
C:\Documents and Settings\user2\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124372039\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Xwhwbwd] C:\Program Files\Yjyhi\Awqkxof.exe
O4 - HKLM\..\RunOnce: [removeQL] cmd /c IF NOT EXIST "C:\WINDOWS\system32\qlink32.dll" (IF EXIST "C:\WINDOWS\system32\PreUninstallQL.exe" del /s /q "C:\WINDOWS\system32\PreUninstallQL.exe")
O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -2
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] F:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=zuzeb004YYUS_undefined
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache/funwebproducts/ei/MyFunCardsFWBInitialSetup1.0.0.15.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://66.29.7.159/toolbar/cabs/free_access.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cpi.webex.com/client/v_mywebex-t20/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CB1A62C-B737-4E80-8B96-2569D273E137}: NameServer = 141.155.0.68,4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2CB1A62C-B737-4E80-8B96-2569D273E137}: NameServer = 141.155.0.68,4.2.2.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2CB1A62C-B737-4E80-8B96-2569D273E137}: NameServer = 141.155.0.68,4.2.2.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
swatkat (Small Town Boy; Join Date: Jul 2005; Posts: 642; Solved Threads: 50)
#2 - Nov 10th, 2005
Hi,
Download CleanUp and install it.


If you have not updated Ewido, then update it. Run Ewido, click the "Update" button on left side of main window and click "Start Update" button.


Make Windows show all files:-
Go to Start > My Computer.
Go to the Tools menu and click Folder Options (Folder Options will be in the View menu in Win98).
Uncheck Hide protected operating system files.
Then, click to select the option Show hidden files and folders.
Click Apply and then click OK to exit.


Reboot in Safe Mode:-
Restart (or switch ON) the PC.
Then, keep tapping the F8 Key.
From the menu that will be displayed, choose Safe Mode and press Enter.


Uninstall this software from Add/Remove Programs in Control Panel:-
MyWebSearch
Internet Optimizer



Run HijackThis and click Do only a System scan.
Then put a check mark in front of the entries listed below:-

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/yco...search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/yco.../www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Xwhwbwd] C:\Program Files\Yjyhi\Awqkxof.exe
O4 - HKLM\..\RunOnce: [removeQL] cmd /c IF NOT EXIST "C:\WINDOWS\system32\qlink32.dll" (IF EXIST "C:\WINDOWS\system32\PreUninstallQL.exe" del /s /q "C:\WINDOWS\system32\PreUninstallQL.exe")
O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -2
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...YYUS_undefined
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.imgfarm.com/images/nocache...up1.0.0.15.cab
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://66.29.7.159/toolbar/cabs/free_access.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://cpi.webex.com/client/v_myweb...ex/ieatgpc.cab


Close all other open programs except HijackThis and click the button Fix Checked in HijackThis.


Exit from HijackThis. Delete these folders:-
C:\PROGRAM FILES\MYWEBSEARCH
C:\Program Files\Internet Optimizer
C:\Program Files\Yjyhi


Delete this file:-
C:\WINDOWS\wsem303.dll


Run CleanUp! and click the "Options.." button. Here move the "Quick Setup" slider to the "Thorough Cleanup" position. Uncheck the option "Delete Favorites Places/Bookmarks" if you have any bookmarks. Click "OK" to return to the main window, and click "CleanUp!" to start cleaning. After it completes, click "Close" and click "No" to avoid logging off.


Run Ewido, click on the "Scanner" button in the left menu, then click on the "Complete System Scan" button.
If Ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.


Reboot to Normal Mode. Perform an online virus scan at Panda ActiveScan with the "Disinfection" option enabled. Save the log it gives after the scan.

Run HijackThis again, click Do a System scan and save log, and post the fresh log along with the Panda ActiveScan log.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
-Albert Einstein.
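The checklist in the post above is what the helper picked out of the first log by eye. As an added example (not part of this thread, and not HijackThis's own code), the following Python script parses a log in the same line format and applies those checks mechanically: URLSearchHooks with "(no file)", a BHO DLL dropped directly into C:\WINDOWS, Run entries whose key name and Program Files folder are both random-looking, ActiveX (DPF) downloads from a bare IP address, services whose binary is missing, and references to the two adware products the thread had uninstalled. The consonant-run heuristic, the flag wording and the `triage_log` helper are my own; the sample log is a constructed subset of the first log posted above.

```python
"""Triage helper for HijackThis v1.99.1 logs (added example, not from the thread or HijackThis)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
BHO_PATH_RE = re.compile(r" - (?P<path>[A-Za-z]:\\.*)$")
WINDIR_ROOT_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.I)
IP_HOST_RE = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}(?=[/:]|$)", re.I)
CONSONANT_RUN_RE = re.compile(r"[bcdfghjklmnpqrstvwxyz]{4,}", re.I)
KNOWN_ADWARE = ("mywebsearch", "internet optimizer")  # the two products uninstalled in this thread

# Constructed sample: a subset of the first log in this thread, in HijackThis's own line format.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [Xwhwbwd] C:\Program Files\Yjyhi\Awqkxof.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://66.29.7.159/toolbar/cabs/free_access.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CB1A62C-B737-4E80-8B96-2569D273E137}: NameServer = 141.155.0.68,4.2.2.1
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
"""


@dataclass
class Entry:
    kind: str                                   # section prefix, e.g. "O4"
    body: str                                   # everything after "O4 - "
    flags: List[str] = field(default_factory=list)

    @property
    def clsid(self) -> Optional[str]:
        m = CLSID_RE.search(self.body)
        return m.group(0) if m else None


def parse_log(text: str) -> List[Entry]:
    """One Entry per entry line; the header and the running-process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group("kind"), m.group("body")))
    return entries


def looks_random(name: str) -> bool:
    """Rough heuristic for generated names such as Xwhwbwd or Yjyhi: a run of 4+ consonants."""
    return bool(CONSONANT_RUN_RE.search(name))


def triage(entries: List[Entry]) -> List[Entry]:
    """Attach a reason to each suspicious entry and return only the flagged ones, in log order."""
    for e in entries:
        b = e.body
        if any(name in b.lower() for name in KNOWN_ADWARE):
            e.flags.append("references adware uninstalled in this thread")
        if e.kind == "R3" and b.endswith("(no file)"):
            e.flags.append("URLSearchHook with no backing file")
        elif e.kind == "O2":
            m = BHO_PATH_RE.search(b)
            if m and WINDIR_ROOT_RE.match(m.group("path")):
                e.flags.append("BHO DLL sitting directly in the Windows directory")
        elif e.kind == "O4" and "[" in b and "]" in b:
            key = b[b.index("[") + 1:b.index("]")]
            cmd = b[b.index("]") + 1:].strip().strip('"')
            parts = cmd.split("\\")
            # folder directly under Program Files, e.g. C:\Program Files\Yjyhi\x.exe -> "Yjyhi";
            # System32 binaries with terse names (hkcmd.exe) get no vendor folder and so no flag
            vendor = parts[2] if len(parts) > 3 and parts[1].lower() == "program files" else ""
            if looks_random(key) and looks_random(vendor):
                e.flags.append("Run entry with random-looking key and folder name")
        elif e.kind == "O16" and IP_HOST_RE.search(b):
            e.flags.append("ActiveX (DPF) download from a bare IP address")
        elif e.kind == "O23" and b.endswith("(file missing)"):
            e.flags.append("service registered but its binary is missing")
    return [e for e in entries if e.flags]


def triage_log(text: str) -> List[Entry]:
    return triage(parse_log(text))


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.kind}: {'; '.join(e.flags)}\n    {e.body}")
```

The consonant-run heuristic is deliberately restricted to executables under a Program Files folder, so a legitimate System32 entry with a terse name (hkcmd.exe in this log) is not flagged. Anything the script does flag still needs the judgement the helper applied: an oddly named vendor folder is a prompt to look at the file, not proof of infection, and the O17 NameServer lines are parsed but left for the reader to compare against the ISP's resolvers.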
sldout1
#3 - Nov 11th, 2005
Thank you very much! Hope this works. Do you see anything remaining?

Here are the logs:

Panda:

Incident Status Location

Adware:adware/favoriteman No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\ATPartners.inf
Adware:adware/aurora No disinfected C:\WINDOWS\abiuninst.htm
Adware:adware/ist.sidefind No disinfected C:\PROGRAM FILES\SideFind
Adware:adware/ist.yoursitebar No disinfected C:\PROGRAM FILES\YourSiteBar
Spyware:spyware/dyfuca No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user2\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-143b45c8-64be6cfb.zip[Dummy.class]
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user2\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-758bf4cc-2c0cfc18.zip[Dummy.class]
Spyware:spyware/LinkReplacer No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP63\A0004072.exe
Adware:Adware/IST.SideFind No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP63\A0004172.dll
Adware:Adware/NetPals No disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf

HijackThis:
Logfile of HijackThis v1.99.1
Scan saved at 9:53:11 AM, on 11/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Dell Support\DSAgnt.exe
F:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\1124372039\ee\AOLHostManager.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\AOL\1124372039\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1124372039\ee\AOLServiceHost.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
C:\WINDOWS\System32\HPBPRO.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\user2\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124372039\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CB1A62C-B737-4E80-8B96-2569D273E137}: NameServer = 141.155.0.68,4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2CB1A62C-B737-4E80-8B96-2569D273E137}: NameServer = 141.155.0.68,4.2.2.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2CB1A62C-B737-4E80-8B96-2569D273E137}: NameServer = 141.155.0.68,4.2.2.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
swatkat
#4 - Nov 11th, 2005
Hi,
HijackThis log looks clean.
There are some files to be deleted. Delete these files:-
C:\WINDOWS\DOWNLOADED PROGRAM FILES\ATPartners.inf
C:\WINDOWS\abiuninst.htm

Delete these folders:-
C:\PROGRAM FILES\SideFind
C:\PROGRAM FILES\YourSiteBar


Do you receive any popups related to WinFixer or any other spyware/virus?
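The post above reads the Panda log and turns it into two short lists, files to delete and folders to delete, leaving aside the hits Panda already disinfected, the registry-only hit and the two hits under System Volume Information. As an added example (not from the thread, and not Panda's own tooling), this Python script does that sorting on the posted lines. The line layout "<Category>:<name> <Status> <Location>", the two status words and the bucket names are my own reading of the log above; the sample is constructed from those lines.

```python
"""Turn a Panda ActiveScan result list into a cleanup worklist (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List

STATUSES = ("No disinfected", "Disinfected")   # the two status values seen in the posted log
RESTORE_RE = re.compile(r"^[A-Za-z]:\\System Volume Information\\_restore", re.I)

# Constructed sample: the result lines posted in this thread, in Panda's "Incident Status Location" layout.
PANDA_SAMPLE = r"""
Incident Status Location
Adware:adware/favoriteman No disinfected C:\WINDOWS\DOWNLOADED PROGRAM FILES\ATPartners.inf
Adware:adware/aurora No disinfected C:\WINDOWS\abiuninst.htm
Adware:adware/ist.sidefind No disinfected C:\PROGRAM FILES\SideFind
Adware:adware/ist.yoursitebar No disinfected C:\PROGRAM FILES\YourSiteBar
Spyware:spyware/dyfuca No disinfected Windows Registry
Virus:Exploit/ByteVerify Disinfected C:\Documents and Settings\user2\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-143b45c8-64be6cfb.zip[Dummy.class]
Spyware:spyware/LinkReplacer No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP63\A0004072.exe
Adware:Adware/IST.SideFind No disinfected C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP63\A0004172.dll
Adware:Adware/NetPals No disinfected C:\WINDOWS\Downloaded Program Files\ATPartners.inf
"""


@dataclass(frozen=True)
class Incident:
    category: str   # "Adware", "Spyware", "Virus"
    name: str       # e.g. "adware/ist.sidefind"
    status: str     # "Disinfected" or "No disinfected"
    location: str   # file, folder, "Windows Registry", or a restore-point path


def parse_panda(text: str) -> List[Incident]:
    """Split each result line on its status word; the header line and blanks are skipped."""
    incidents = []
    for line in text.splitlines():
        line = line.strip()
        for status in STATUSES:
            marker = f" {status} "
            if marker in line:
                incident, location = line.split(marker, 1)
                category, _, name = incident.partition(":")
                incidents.append(Incident(category, name, status, location.strip()))
                break
    return incidents


def worklist(incidents: List[Incident]) -> Dict[str, List[str]]:
    """Sort hits into what can be deleted by hand and what cannot, de-duplicating paths
    case-insensitively because the same file was reported twice with different casing."""
    plan: Dict[str, List[str]] = {
        "delete_files": [], "delete_folders": [], "restore_points": [],
        "registry": [], "already_cleaned": [],
    }
    seen = set()
    for inc in incidents:
        key = inc.location.lower()
        if key in seen:
            continue
        seen.add(key)
        if inc.status == "Disinfected":
            plan["already_cleaned"].append(inc.location)
        elif inc.location == "Windows Registry":
            plan["registry"].append(inc.name)            # registry-only hit: nothing on disk to delete
        elif RESTORE_RE.match(inc.location):
            plan["restore_points"].append(inc.location)  # inside a System Restore point, not a live file
        elif "." in inc.location.rsplit("\\", 1)[-1]:
            plan["delete_files"].append(inc.location)
        else:
            plan["delete_folders"].append(inc.location)
    return plan


if __name__ == "__main__":
    for bucket, items in worklist(parse_panda(PANDA_SAMPLE)).items():
        print(bucket)
        for item in items:
            print("   ", item)
```

Run on the posted lines, `delete_files` and `delete_folders` come out as exactly the two files and two folders the post above asks for. The hits under C:\System Volume Information\_restore{...} sit inside System Restore points rather than in the live file system, which is why they are kept in their own bucket instead of being offered for manual deletion.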
sldout1
#5 - Nov 14th, 2005
Hi,

Thanks, I deleted those files and folders. I stopped getting (I hope) the WinFixer pop-ups but still get others asking me to run scans. I always close out of those without even looking at the name on it but will look out for it next time around.

I also get other pop-ups from a variety of sites. Many of them were from cheapflights.com. Any ideas?

Thanks again for your help!

Here's another look at my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:49:56 PM, on 11/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Dell Support\DSAgnt.exe
F:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\AOL\1124372039\ee\AOLHostManager.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\AOL\1124372039\ee\AOLServiceHost.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Adobe\Acrobat 6.0\Acrobat\Acrobat.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office\MSACCESS.EXE
C:\Program Files\Microsoft Office\Office\MSACCESS.EXE
C:\Program Files\Common Files\AOL\1124372039\ee\AOLServiceHost.exe
C:\Program Files\Microsoft Office\Office\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\user2\Desktop\HijackThis.exe
C:\WINDOWS\System32\HPBPRO.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [StatusClient 2.6] C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1124372039\ee\AOLHostManager.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [AIM] F:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CB1A62C-B737-4E80-8B96-2569D273E137}: NameServer = 141.155.0.68,4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{2CB1A62C-B737-4E80-8B96-2569D273E137}: NameServer = 141.155.0.68,4.2.2.1
O17 - HKLM\System\CS2\Services\Tcpip\..\{2CB1A62C-B737-4E80-8B96-2569D273E137}: NameServer = 141.155.0.68,4.2.2.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
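The O-entries above are the part of a HijackThis log that a helper reads line by line. As an added example, not part of the post and not code from HijackThis itself, the Python below parses such entries and flags the things a helper checks first: targets marked "(file missing)", O23 services with no vendor name, O17 DNS servers outside a set the reader supplies, and O16 ActiveX packages fetched from hosts outside a supplied allowlist. The sample lines are excerpted from the log above; the expected_dns and trusted_dpf_hosts sets are assumptions the caller provides, not anything the log states.

```python
import re

# Constructed sample: O-entries excerpted from the HijackThis log posted above.
SAMPLE_HJT = r"""
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2CB1A62C-B737-4E80-8B96-2569D273E137}: NameServer = 141.155.0.68,4.2.2.1
O23 - Service: AOL Connectivity Service (AOL ACS) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
"""

ENTRY = re.compile(r"^(?P<sec>O\d+) - (?P<body>.+)$")
URL_HOST = re.compile(r"https?://([^/\s]+)")


def parse_hjt(text):
    """Yield (section, body) for each 'Onn - ...' line; anything else is ignored."""
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")


def review(text, expected_dns, trusted_dpf_hosts):
    """Return (section, reason, body) for each entry a log helper would look at twice.

    expected_dns:      resolvers this machine is supposed to use (assumed; supplied by the reader)
    trusted_dpf_hosts: hosts allowed to serve O16 ActiveX downloads (assumed; supplied by the reader)
    """
    findings = []
    for sec, body in parse_hjt(text):
        if "(file missing)" in body:
            findings.append((sec, "target file not found (stale entry, or a file the scanner could not see)", body))
        if sec == "O23" and "Unknown owner" in body:
            findings.append((sec, "service binary carries no vendor name", body))
        if sec == "O17" and "NameServer = " in body:
            servers = set(body.split("NameServer = ", 1)[1].split(","))
            if not servers <= expected_dns:
                unexpected = ", ".join(sorted(servers - expected_dns))
                findings.append((sec, "DNS servers outside the expected set: " + unexpected, body))
        if sec == "O16":
            m = URL_HOST.search(body)
            if m and m.group(1).lower() not in trusted_dpf_hosts:
                findings.append((sec, "ActiveX package fetched from untrusted host " + m.group(1), body))
    return findings


if __name__ == "__main__":
    # Resolvers and allowlisted host here are taken from the sample lines themselves (assumption).
    for sec, reason, body in review(SAMPLE_HJT, {"141.155.0.68", "4.2.2.1"}, {"acs.pandasoftware.com"}):
        print(f"{sec}: {reason}\n    {body}")
```

Run against the sample with the log's own resolvers and acs.pandasoftware.com supplied as expected, it reports only the two dead entries (msjava.dll and acsd.exe, the latter twice because it is also "Unknown owner"); hand it a different expected DNS set and the O17 line is reported as well.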
swatkat (Small Town Boy)

Re: Trojan Virus - WinFixer and popups
#6
Nov 15th, 2005
Hi,
Even though the log looks clean, there can be some other "hidden" baddies. Do you get any pop-ups related to Registry Errors/Repairs?

Perform a scan at Kaspersky Webscanner (click on the button "Kaspersky Online scanner") and save the log file.
Download WinPFind.ZIP and completely extract it to a folder. Then run WinPFind.exe and click "Start Scan". When the scan completes, click "Copy to Clipboard" button to copy the log it gives, and please post it here along with the Kaspersky log.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
-Albert Einstein.
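swatkat asks for the Kaspersky On-line Scanner log. Most of what such a report lists is not live malware: hits inside the Norton quarantine folder, inside System Restore points and inside old .pst mail stores call for a different response from a trojan sitting in System32. The following Python script is an added example, not part of the thread and not a Kaspersky tool; it parses the report's "path Infected: name" lines and buckets them by where the object lives, so the few files that actually need removing stand out, and counts detections per family. The sample lines are excerpted from the report sldout1 posts in the next reply; the bucket rules and the container extension list are assumptions of the example.

```python
import re
from collections import defaultdict

# Constructed sample: lines excerpted from the Kaspersky On-line Scanner report in the thread.
SAMPLE_REPORT = r"""
C:\Documents and Settings\user2\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-65ce38b6-7974e225.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.ah
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2F85491D Infected: Trojan-Downloader.Win32.Small.ayl
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP61\A0004004.exe Infected: Trojan.Win32.Crypt.t
C:\WINDOWS\SYSTEM32\ansvideo.dll Infected: Trojan.Win32.Crypt.t
F:\Archive\back\backup.pst/Personal Folders/Inbox/17 Oct 2002 13:07 from soholit:Hi,gdavid,darling.html Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user3\outlook backup.pst/Personal Folders/Inbox/01 Mar 2005 09:50 from Dahrens/new__price.zip/Doc_01.02.exe Infected: Email-Worm.Win32.Bagle.pac
F:\Energy Spectrum\Dovid\resume rick nowak.zip Infected: Virus.MSWord.Marker.fq2
Scan process completed.
"""

DETECTION = re.compile(r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+)$")

# Kaspersky switches to a forward slash where it descends into a container,
# so "backup.pst/Personal Folders/..." is an item inside a PST, not a file on disk.
CONTAINER_EXT = (".pst", ".zip", ".jar", ".rar", ".cab")  # assumed list for this example


def parse(report):
    """Yield (path, verdict, detection name) for every detection line in the report."""
    for line in report.splitlines():
        m = DETECTION.match(line.strip())
        if m:
            yield m.group("path"), m.group("verdict"), m.group("name")


def classify(path):
    """Bucket a detected path by what it would take to act on it."""
    p = path.lower()
    if "\\quarantine\\" in p:
        return "quarantine"       # already isolated by the resident AV; nothing left to clean
    if "\\system volume information\\" in p:
        return "restore_point"    # inert unless restored; cleared by flushing System Restore
    if ".pst/" in p or p.endswith(".pst"):
        return "mail_archive"     # worm/phish attachments in old mail stores; not running code
    if any(ext + "/" in p or p.endswith(ext) for ext in CONTAINER_EXT):
        return "archive"          # inside a zip/jar, including the Java applet cache
    return "live"                 # a plain file on disk: the only bucket that needs removal now


def triage(report):
    """Group detections by bucket: {bucket: [(path, verdict, name), ...]}."""
    buckets = defaultdict(list)
    for path, verdict, name in parse(report):
        buckets[classify(path)].append((path, verdict, name))
    return dict(buckets)


def families(report):
    """Count detections per family, dropping a trailing lowercase variant suffix (NetSky.q -> NetSky)."""
    counts = defaultdict(int)
    for _, _, name in parse(report):
        parts = name.split(".")
        if len(parts) > 1 and re.fullmatch(r"[a-z0-9]+", parts[-1]):
            parts.pop()
        counts[".".join(parts)] += 1
    return dict(counts)


if __name__ == "__main__":
    for bucket, hits in triage(SAMPLE_REPORT).items():
        print(f"{bucket} ({len(hits)})")
        for path, verdict, name in hits:
            print(f"    {verdict:<10} {name:<45} {path}")
    print(families(SAMPLE_REPORT))
```

On the sample, the only "live" hit is C:\WINDOWS\SYSTEM32\ansvideo.dll; the rest sit in quarantine, a restore point, the Java applet cache or old mail stores. The same split applies to the full report: a long list of NetSky and Mytob attachments inside .pst backups inflates the "viruses found" count without saying anything about what is currently running.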
sldout1 (Newbie Poster)

Re: Trojan Virus - WinFixer and popups
#7
Nov 17th, 2005
Thanks swatkat - I have no clue how you people understand the stuff these scanners spit out. I appreciate you putting your time into helping out. I still get some annoying pop-ups, but I don't notice them being anything specific now. It's definitely better than it was a week ago.

Below are the logs for the two scans you recommended I run.

Thanks again for the help!

Kaspersky:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, November 16, 2005 17:05:29
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 16/11/2005
Kaspersky Anti-Virus database records: 150302
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
F:\

Scan Statistics:
Total number of scanned objects: 94427
Number of viruses found: 17
Number of infected objects: 87
Number of suspicious objects: 24
Duration of the scan process: 9093 sec

Infected Object Name - Virus Name
C:\Documents and Settings\user2\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-65ce38b6-7974e225.zip/BlackBox.class Infected: Trojan.Java.ClassLoader.ak
C:\Documents and Settings\user2\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-65ce38b6-7974e225.zip/VB.class Infected: Trojan.Java.ClassLoader.ak
C:\Documents and Settings\user2\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-65ce38b6-7974e225.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.ah
C:\Documents and Settings\user2\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-65ce38b6-7974e225.zip Infected: Trojan-Downloader.Java.OpenConnection.ah
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0DB6001F Infected: Trojan-Downloader.Java.OpenConnection.ah
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1C95634D Infected: Trojan.Java.ClassLoader.ak
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\1C980D4A Infected: Trojan.Java.ClassLoader.ak
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\24E403CD.htm Infected: Exploit.HTML.Mht
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\2F85491D Infected: Trojan-Downloader.Win32.Small.ayl
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\430F02F5 Infected: Trojan.Java.ClassLoader.ak
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4C4D4236 Infected: Trojan.Java.ClassLoader.ak
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\55F42190 Infected: Trojan-Downloader.Win32.IstBar.gen
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\6DFD03BE Infected: Trojan-Dropper.Win32.Small.ly
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\754D271C Infected: Trojan.Win32.Small.cy
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\770209CA Infected: Trojan.Win32.Crypt.t
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\77095DC3 Infected: Trojan-Downloader.Win32.Dyfuca.dp
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7D5F1B7F Infected: Trojan-Downloader.Java.OpenConnection.ah
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP61\A0004004.exe Infected: Trojan.Win32.Crypt.t
C:\WINDOWS\SYSTEM32\ansvideo.dll Infected: Trojan.Win32.Crypt.t
F:\Archive\back\backup.pst/Personal Folders/Inbox/17 Oct 2002 13:07 from soholit:Hi,gdavid,darling.html Suspicious: Exploit.HTML.Iframe.FileDownload
F:\Archive\back\backup.pst/Personal Folders/Sent Items/17 Oct 2002 13:31 to soholit:RE: Hi,gdavid,darling.html Suspicious: Exploit.HTML.Iframe.FileDownload
F:\Archive\back\backup.pst Suspicious: Exploit.HTML.Iframe.FileDownload
F:\Energy Spectrum\Dovid\archive.pst/Personal Folders/Inbox/09 Jan 2002 02:45 from Paula Dombrow:Formal Estimate Draft/Energy Spectrum/Estimate Draft/Energy Spectrum/Estimate Draft Infected: Virus.MSWord.Marker.fq2
F:\Energy Spectrum\Dovid\archive.pst/Personal Folders/Inbox/09 Jan 2002 02:45 from Paula Dombrow:Formal Estimate Draft/Energy Spectrum/Estimate Draft Infected: Virus.MSWord.Marker.fq2
F:\Energy Spectrum\Dovid\archive.pst/Personal Folders/Inbox/09 Jan 2002 20:23 from Stella500@aol.com:Final Estimate from Pau/Energy Spectrum/Final Estimate/Energy Spectrum/Final Estimate Infected: Virus.MSWord.Marker.fq2
F:\Energy Spectrum\Dovid\archive.pst/Personal Folders/Inbox/09 Jan 2002 20:23 from Stella500@aol.com:Final Estimate from Pau/Energy Spectrum/Final Estimate Infected: Virus.MSWord.Marker.fq2
F:\Energy Spectrum\Dovid\archive.pst/Personal Folders/Inbox/10 Jan 2002 00:26 from Paula Dombrow:Final Estimate/Energy Spect/Energy SpectrumFinal Estimate.doc Infected: Virus.MSWord.Marker.fq2
F:\Energy Spectrum\Dovid\archive.pst Infected: Virus.MSWord.Marker.fq2
F:\Energy Spectrum\Dovid\resume rick nowak.zip/Dovid/archive.pst/Personal Folders/Inbox/09 Jan 2002 02:45 from Paula Dombrow:Formal Estimate Draft/Energy Spectrum/Estimate Draft/Energy Spectrum/Estimate Draft Infected: Virus.MSWord.Marker.fq2
F:\Energy Spectrum\Dovid\resume rick nowak.zip/Dovid/archive.pst/Personal Folders/Inbox/09 Jan 2002 02:45 from Paula Dombrow:Formal Estimate Draft/Energy Spectrum/Estimate Draft Infected: Virus.MSWord.Marker.fq2
F:\Energy Spectrum\Dovid\resume rick nowak.zip/Dovid/archive.pst/Personal Folders/Inbox/09 Jan 2002 20:23 from Stella500@aol.com:Final Estimate from Pau/Energy Spectrum/Final Estimate/Energy Spectrum/Final Estimate Infected: Virus.MSWord.Marker.fq2
F:\Energy Spectrum\Dovid\resume rick nowak.zip/Dovid/archive.pst/Personal Folders/Inbox/09 Jan 2002 20:23 from Stella500@aol.com:Final Estimate from Pau/Energy Spectrum/Final Estimate Infected: Virus.MSWord.Marker.fq2
F:\Energy Spectrum\Dovid\resume rick nowak.zip/Dovid/archive.pst/Personal Folders/Inbox/10 Jan 2002 00:26 from Paula Dombrow:Final Estimate/Energy Spect/Energy SpectrumFinal Estimate.doc Infected: Virus.MSWord.Marker.fq2
F:\Energy Spectrum\Dovid\resume rick nowak.zip/Dovid/archive.pst Infected: Virus.MSWord.Marker.fq2
F:\Energy Spectrum\Dovid\resume rick nowak.zip Infected: Virus.MSWord.Marker.fq2
F:\Energy Spectrum\Gary\OutlookBackup07012005.pst/Personal Folders/Inbox/17 Oct 2002 13:07 from soholit:Hi,gdavid,darling.html Suspicious: Exploit.HTML.Iframe.FileDownload
F:\Energy Spectrum\Gary\OutlookBackup07012005.pst/Personal Folders/Sent Items/17 Oct 2002 13:31 to soholit:RE: Hi,gdavid,darling.html Suspicious: Exploit.HTML.Iframe.FileDownload
F:\Energy Spectrum\Gary\OutlookBackup07012005.pst Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\Outlook\outlook.pst/Personal Folders/Inbox/09 Jan 2002 02:45 from Paula Dombrow:Formal Estimate Draft/Energy Spectrum/Estimate Draft/Energy Spectrum/Estimate Draft Infected: Virus.MSWord.Marker.fq2
F:\shia\Outlook\outlook.pst/Personal Folders/Inbox/09 Jan 2002 02:45 from Paula Dombrow:Formal Estimate Draft/Energy Spectrum/Estimate Draft Infected: Virus.MSWord.Marker.fq2
F:\shia\Outlook\outlook.pst/Personal Folders/Inbox/09 Jan 2002 20:23 from Stella500@aol.com:Final Estimate from Pau/Energy Spectrum/Final Estimate/Energy Spectrum/Final Estimate Infected: Virus.MSWord.Marker.fq2
F:\shia\Outlook\outlook.pst/Personal Folders/Inbox/09 Jan 2002 20:23 from Stella500@aol.com:Final Estimate from Pau/Energy Spectrum/Final Estimate Infected: Virus.MSWord.Marker.fq2
F:\shia\Outlook\outlook.pst/Personal Folders/Inbox/10 Jan 2002 00:26 from Paula Dombrow:Final Estimate/Energy Spect/Energy SpectrumFinal Estimate.doc Infected: Virus.MSWord.Marker.fq2
F:\shia\Outlook\outlook.pst/Personal Folders/Inbox/20 May 2002 05:37 from Russak:Let's be friends.html Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\Outlook\outlook.pst/Personal Folders/Inbox/31 Oct 2002 15:16 from ReuvenElson@aol.com:zooz/invitemm102...temm102401.doc Infected: Virus.MSWord.Marker.fq2
F:\shia\Outlook\outlook.pst/Personal Folders/Inbox/31 Oct 2002 15:16 from ReuvenElson@aol.com:zooz/invitemm102401.doc Infected: Virus.MSWord.Marker.fq2
F:\shia\Outlook\outlook.pst/Personal Folders/Inbox/13 Nov 2002 19:19 from ReuvenElson@aol.com:Re: No Subject/blurbforinvitation111302.doc/blurbforinvitation111302.doc Infected: Virus.MSWord.Marker.fq2
F:\shia\Outlook\outlook.pst/Personal Folders/Inbox/13 Nov 2002 19:19 from ReuvenElson@aol.com:Re: No Subject/blurbforinvitation111302.doc Infected: Virus.MSWord.Marker.fq2
F:\shia\Outlook\outlook.pst/Personal Folders/Inbox/29 Nov 2002 22:13 from SarinaM:BLANK AD .html Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\Outlook\outlook.pst/Personal Folders/Inbox/03 Dec 2002 00:21 from silverfeopup0.newyork.bars.search recur.html Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\Outlook\outlook.pst Infected: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\ethel\outlook backup.pst/Personal Folders/Deleted Items/17 Jun 2005 16:59 from David Ahrens:FW: Your password has been s/updated-password.zip/updated-password.htm .pif Infected: Net-Worm.Win32.Mytob.bi
F:\shia\outlook backups\ethel\outlook backup.pst/Personal Folders/Deleted Items/17 Jun 2005 16:59 from David Ahrens:FW: Your password has been s/updated-password.zip Infected: Net-Worm.Win32.Mytob.bi
F:\shia\outlook backups\ethel\outlook backup.pst Infected: Net-Worm.Win32.Mytob.bi
F:\shia\outlook backups\gary\outlook backup.pst/Personal Folders/Inbox/17 Oct 2002 13:07 from soholit:Hi,gdavid,darling.html Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\gary\outlook backup.pst/Personal Folders/Sent Items/17 Oct 2002 13:31 to soholit:RE: Hi,gdavid,darling.html Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\gary\outlook backup.pst Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user2\mailbox backup.pst/Personal Folders/Deleted Items/01 Sep 2005 00:12 from eBay Inc:0fficiaI Information For CIient .html Infected: Trojan-Spy.HTML.Bayfraud.hn
F:\shia\outlook backups\user2\mailbox backup.pst/Personal Folders/Norton AntiSpam Folder/14 Sep 2005 12:57 from eBay:Important Banking Mail From eBay.html Infected: Trojan-Spy.HTML.Bayfraud.hn
F:\shia\outlook backups\user2\mailbox backup.pst Infected: Trojan-Spy.HTML.Bayfraud.hn
F:\shia\outlook backups\user3\archive backup.pst/Archive Folders/Sent Items/12 Mar 2004 13:21 to Earl Baim:FW: Your text Do you know this pe/your_text.pif Infected: Email-Worm.Win32.NetSky.d
F:\shia\outlook backups\user3\archive backup.pst Infected: Email-Worm.Win32.NetSky.d
F:\shia\outlook backups\user3\outlook backup.pst/Personal Folders/Inbox/07 Oct 2004 15:35 from Smith BarneyERVICE MESSAGE FROM SMITH B.html Infected: Trojan-Spy.HTML.Citifraud.an
F:\shia\outlook backups\user3\outlook backup.pst/Personal Folders/Inbox/01 Mar 2005 09:50 from Dahrens/new__price.zip/Doc_01.02.exe Infected: Email-Worm.Win32.Bagle.pac
F:\shia\outlook backups\user3\outlook backup.pst/Personal Folders/Inbox/01 Mar 2005 09:50 from Dahrens/new__price.zip Infected: Email-Worm.Win32.Bagle.pac
F:\shia\outlook backups\user3\outlook backup.pst/Personal Folders/Inbox/14 Jun 2005 19:54 from info@energyspec.com:Members Support/account-report.zip/account-report.txt .pif Infected: Net-Worm.Win32.Mytob.bi
F:\shia\outlook backups\user3\outlook backup.pst/Personal Folders/Inbox/14 Jun 2005 19:54 from info@energyspec.com:Members Support/account-report.zip Infected: Net-Worm.Win32.Mytob.bi
F:\shia\outlook backups\user3\outlook backup.pst/Personal Folders/Sent Items/12 Mar 2004 13:21 to Earl Baim:FW: Your text Do you know this pe/your_text.pif Infected: Email-Worm.Win32.NetSky.d
F:\shia\outlook backups\user3\outlook backup.pst/Personal Folders/Sent Items/17 Jun 2005 16:59 to jma@jasonasher.com:FW: Your password has be/updated-password.zip/updated-password.htm .pif Infected: Net-Worm.Win32.Mytob.bi
F:\shia\outlook backups\user3\outlook backup.pst/Personal Folders/Sent Items/17 Jun 2005 16:59 to jma@jasonasher.com:FW: Your password has be/updated-password.zip Infected: Net-Worm.Win32.Mytob.bi
F:\shia\outlook backups\user3\outlook backup.pst Infected: Net-Worm.Win32.Mytob.bi
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/08 Aug 2005 13:25 from .1392@tk2msftngp13.phx.gbl.com:Mail Deliv.html Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/08 Aug 2005 13:25 from .1392@tk2msftngp13.phx.gbl.com:Mail Deliv/message.scr Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/09 Aug 2005 13:44 from /alex@pro.ro:Re: Sex pictures/www.myx4free.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/09 Aug 2005 13:44 from /alex@pro.ro:Re: Sex pictures/www.myx4free.zip Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/12 Aug 2005 12:59 from db0fefd9@news.zen.co.uk:Mail Delivery (fa.html Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/12 Aug 2005 12:59 from db0fefd9@news.zen.co.uk:Mail Delivery (fa/message.scr Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/30 Jul 2005 21:32 from fatjohn@pchome.com.tw:Re: Mail Server/data_ssofer.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/30 Jul 2005 21:32 from fatjohn@pchome.com.tw:Re: Mail Server/data_ssofer.zip Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/01 Aug 2005 13:26 from hr@adoreinfotech.com:hi/letter.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/01 Aug 2005 13:26 from hr@adoreinfotech.com:hi/letter.zip Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/02 Aug 2005 13:31 from hun9bal@yahoo.dk:o0ßi4grjj40j09gjij...9.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/02 Aug 2005 13:31 from hun9bal@yahoo.dk:o0ßi4grjj40j09gjijgpüdé/id09509.zip Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/11 Aug 2005 13:33 from info@helpink.co.nz.com:Re: Hi/my_details.txt.scr Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/08 Aug 2005 13:25 from jontraudt@healthandenergy.com:Re: Secure /readme.pif Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/13 Aug 2005 13:58 from larry@galaxy3000.comtolen document/your_document_ssofer.zip/data.rtf .scr Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/13 Aug 2005 13:58 from larry@galaxy3000.comtolen document/your_document_ssofer.zip Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/05 Aug 2005 13:01 from Mail Administrator:Mail System Error - Re/05 Aug 2005 13:00 from ssofer@energyspec.com:Mail Delivery (fail.html Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/05 Aug 2005 13:01 from Mail Administrator:Mail System Error - Re/05 Aug 2005 13:00 from ssofer@energyspec.com:Mail Delivery (fail/message.scr Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/06 Aug 2005 16:23 from nazkel@hotmail.com:Re: Notify/readme.pif Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/10 Aug 2005 13:32 from nmoinian@laffey.net:Re: Is that your docu/document.doc Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/11 Aug 2005 13:33 from oliver.gu@qast.com:Mail Delivery (failure.html Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/11 Aug 2005 13:33 from oliver.gu@qast.com:Mail Delivery (failure/message.scr Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/10 Aug 2005 13:33 from paulluikk@yahoo.com.hk:Mail Delivery (fai.html Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/10 Aug 2005 13:33 from paulluikk@yahoo.com.hk:Mail Delivery (fai/message.scr Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/02 Aug 2005 13:16 from ppwyw@microvoip.com:Mail Delivery (failur.html Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/02 Aug 2005 13:16 from ppwyw@microvoip.com:Mail Delivery (failur/message.scr Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/13 Aug 2005 13:49 from support@pocketgear.com:Mail Delivery (fai.html Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/13 Aug 2005 13:49 from support@pocketgear.com:Mail Delivery (fai/message.scr Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/30 Jul 2005 21:47 from tjcraig@bellsouth.net:Mail Delivery (fail.html Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/30 Jul 2005 21:47 from tjcraig@bellsouth.net:Mail Delivery (fail/message.scr Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/09 Aug 2005 13:59 from ubidalerts.6clyhjh3y.f3@deals.ubid.com:Ma.html Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/09 Aug 2005 13:59 from ubidalerts.6clyhjh3y.f3@deals.ubid.com:Ma/message.scr Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/06 Aug 2005 16:06 from voipbiz@globalkt.com:Mail Delivery (failu.html Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/06 Aug 2005 16:06 from voipbiz@globalkt.com:Mail Delivery (failu/message.scr Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/05 Aug 2005 13:04 from www.willdatz@aol.com:Mail Delivery (failu.html Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Deleted Items/05 Aug 2005 13:04 from www.willdatz@aol.com:Mail Delivery (failu/message.scr Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Inbox/01 Aug 2005 13:38 from steve.dear@na.teleatlas.com:Mail Delivery.html Suspicious: Exploit.HTML.Iframe.FileDownload
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Inbox/01 Aug 2005 13:38 from steve.dear@na.teleatlas.com:Mail Delivery/message.scr Infected: Email-Worm.Win32.NetSky.q
F:\shia\outlook backups\user4\outlook backup.pst/Personal Folders/Inbox/01 Sep 2005 21:52 from eBay:IDENTITY THEFT SOLUTIONS FROM EBAY [.html Infected: Trojan-Spy.HTML.Bayfraud.hn
F:\shia\outlook backups\user4\outlook backup.pst Infected: Trojan-Spy.HTML.Bayfraud.hn

Scan process completed.
WinPFind.ZIP:
Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/23/2001 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 7/12/2005 5:04:22 PM 520456 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 11/2/2005 12:34:18 AM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 11/2/2005 12:34:18 AM 2368864 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
winsync 8/23/2001 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
11/11/2005 8:57:14 AM S 2048 C:\WINDOWS\BOOTSTAT.DAT
11/17/2005 4:25:46 PM H 24 C:\WINDOWS\pyguK
11/11/2005 8:57:16 AM S 64 C:\WINDOWS\CSC\00000001
11/11/2005 9:00:56 AM H 0 C:\WINDOWS\LastGood\INF\oem31.inf
11/11/2005 9:00:56 AM H 0 C:\WINDOWS\LastGood\INF\oem31.PNF
10/5/2005 8:33:38 PM S 12849 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896424.cat
10/4/2005 8:17:40 PM S 21737 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB896688.cat
9/28/2005 10:53:30 AM S 17402 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\KB900725.cat
11/17/2005 4:05:44 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
11/15/2005 12:55:08 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
11/11/2005 8:58:10 AM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
11/17/2005 4:25:50 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
11/17/2005 4:21:46 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
11/10/2005 3:01:06 AM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
11/2/2005 2:45:20 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\d611d117-132f-49cf-81f3-0e60b4f56968
11/2/2005 2:45:20 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
11/11/2005 8:57:16 AM H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Borland Software Corporation 10/7/2003 1:39:00 PM 184320 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 4/7/2003 12:14:30 AM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 11/19/2003 5:48:12 PM 61555 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Intel(R) Corporation 3/11/2003 4:15:56 PM 77824 C:\WINDOWS\SYSTEM32\PRApplet.cpl
RealNetworks, Inc. 7/15/2004 3:14:38 AM 24576 C:\WINDOWS\SYSTEM32\prefscpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\DLLCACHE\main.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\DLLCACHE\ncpa.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\DLLCACHE\nwc.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\DLLCACHE\telephon.cpl
Microsoft Corporation 5/26/2005 3:16:30 AM 174360 C:\WINDOWS\SYSTEM32\DLLCACHE\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
9/7/2005 9:05:58 AM 1824 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
3/31/2005 5:27:50 PM 890 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
8/10/2005 11:22:46 AM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
7/29/2004 10:04:32 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI
7/28/2005 6:51:16 PM 1725 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

Checking files in %ALLUSERSPROFILE%\Application Data folder...
7/29/2004 9:57:46 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI

Checking files in %USERPROFILE%\Startup folder...
9/3/2002 9:00:00 AM HS 84 C:\Documents and Settings\user2\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %USERPROFILE%\Application Data folder...
8/10/2005 11:21:26 AM 1747 C:\Documents and Settings\user2\Application Data\AdobeDLM.log
1/28/2005 12:02:00 PM 36290 C:\Documents and Settings\user2\Application Data\Comma Separated Values (Windows).ADR
9/3/2002 8:50:46 AM HS 62 C:\Documents and Settings\user2\Application Data\DESKTOP.INI
8/10/2005 11:18:28 AM 0 C:\Documents and Settings\user2\Application Data\dm.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Adobe.Acrobat.ContextMenu
{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 6.0\Acrobat Elements\ContextMenu.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido
{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E} = C:\Program Files\ewido\security suite\context.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
=

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}
AOL Toolbar Launcher = C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}
CNisExtBho Class = C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AE7CD045-E861-484f-8273-0445EE161910}
AcroIEToolbarHelper Class = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BDF3E430-B101-42AD-A544-FADC6B084872}
CNavExtBho Class = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{182EC0BE-5110-49C8-A062-BEB1D02A220B}
Adobe PDF = C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} = Web assistant : C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
{DE9C389F-3316-41A7-809B-AA305ED9D922} = AOL Toolbar : C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3369AF0D-62E9-4bda-8103-B4C75499B578}
ButtonText = AOL Toolbar :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : F:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} = Web assistant : C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
{47833539-D0C5-4125-9FA8-0819E2EAAC93} = Adobe PDF : C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
{DE9C389F-3316-41A7-809B-AA305ED9D922} = AOL Toolbar : C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
IgfxTray C:\WINDOWS\System32\igfxtray.exe
HotKeysCmds C:\WINDOWS\System32\hkcmd.exe
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
URLLSTCK.exe C:\Program Files\Norton Internet Security\UrlLstCk.exe
Symantec NetDriver Monitor C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
StatusClient 2.6 C:\Program Files\Hewlett-Packard\Toolbox\StatusClient\StatusClient.exe /auto
TomcatStartup 2.5 C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe
MMTray C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
HostManager C:\Program Files\Common Files\AOL\1124372039\ee\AOLHostManager.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup
AIM F:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
item Adobe Gamma Loader
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\COMMON~1\Adobe\CALIBR~1\ADOBEG~1.EXE
item Adobe Gamma Loader

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\AMERIC~1.0\aoltray.exe -check
item America Online 9.0 Tray Icon
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\AMERIC~1.0\aoltray.exe -check
item America Online 9.0 Tray Icon

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MICROS~4\Office\OSA9.EXE -b -l
item Microsoft Office
path C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
location Common Startup
command C:\PROGRA~1\MICROS~4\Office\OSA9.EXE -b -l
item Microsoft Office

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\cbax
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item cbax
hkey HKLM
command c:\windows\cbax.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item cbax
hkey HKLM
command c:\windows\cbax.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\mmtask
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mmtask
hkey HKLM
command c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mmtask
hkey HKLM
command c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\MMTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mm_tray
hkey HKLM
command C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item mm_tray
hkey HKLM
command C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\msbb
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msbb
hkey HKLM
command c:\windows\system32\msbb.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item msbb
hkey HKLM
command c:\windows\system32\msbb.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\PCMService
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PCMService
hkey HKLM
command "C:\Program Files\Dell\Media Experience\PCMService.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item PCMService
hkey HKLM
command "C:\Program Files\Dell\Media Experience\PCMService.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\QuickTime Task
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item qttask
hkey HKLM
command "C:\Program Files\QuickTime\qttask.exe" -atboottime
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\RealTray
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RealPlay
hkey HKLM
command C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item RealPlay
hkey HKLM
command C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SSC_UserPrompt
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item UsrPrmpt
hkey HKLM
command C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item UsrPrmpt
hkey HKLM
command C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Symantec NetDriver Monitor
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SNDMon
hkey HKCU
command C:\PROGRA~1\SYMNET~1\SNDMon.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item SNDMon
hkey HKCU
command C:\PROGRA~1\SYMNET~1\SNDMon.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\TV Media
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Tvm
hkey HKLM
command C:\Program Files\TV Media\Tvm.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Tvm
hkey HKLM
command C:\Program Files\TV Media\Tvm.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\updmgr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item updmgr
hkey HKLM
command C:\Program Files\Common files\updmgr\updmgr.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item updmgr
hkey HKLM
command C:\Program Files\Common files\updmgr\updmgr.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\ViewMgr
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ViewMgr
hkey HKLM
command C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item ViewMgr
hkey HKLM
command C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\Weather
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Weather
hkey HKCU
command C:\Program Files\AWS\WeatherBug\Weather.EXE 1
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item Weather
hkey HKCU
command C:\Program Files\AWS\WeatherBug\Weather.EXE 1
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WebRebates0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WebRebates0
hkey HKLM
command "C:\Program Files\Web_Rebates\WebRebates0.exe"
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item WebRebates0
hkey HKLM
command "C:\Program Files\Web_Rebates\WebRebates0.exe"
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WildTangent CDA
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item cdaEngine0400
hkey HKLM
command RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item cdaEngine0400
hkey HKLM
command RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
inimapping 0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 2


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
Join Date: Jul 2005
Posts: 642
Solved Threads: 50
Small Town Boy

Re: Trojan Virus - WinFixer and popups

 
  #8
Nov 18th, 2005
Hi,
There are some more things to remove now.


Boot the PC in Safe Mode.


Make Windows show all files:-
Go to Start > My Computer.
Go to Tools menu, click Folder Options.
Uncheck Hide protected operating system files.
Then, click to select the option Show hidden files and folders.
Click Apply and then click OK to exit.


Uninstall these programs from Add/Remove Programs in Control Panel:-
WebRebates
Wild Tangent
TV Media
eUniverse
180 Search Assistant



Delete these folders:-
C:\Program Files\Web_Rebates
C:\Program Files\WildTangent
C:\Program Files\Common files\updmgr
C:\Program Files\TV Media


Delete these files:-
C:\WINDOWS\pyguK
c:\windows\cbax.exe
c:\windows\system32\msbb.exe


Reboot the PC to normal mode.


Perform an online spyware scan at TrendMicro and save its log.


After running the above scan, perform a virus scan at Panda ActiveScan with the "Disinfection" option enabled. Save the log it gives after the scan.


Post back the TrendMicro spyware scan log and the Panda ActiveScan log along with a new HijackThis log.
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former."
-Albert Einstein.
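As an added example for this thread (not a tool either poster used), here is a small Python parser for the MSConfig `startupreg` dump format seen in the log above. It folds the doubled records the dump contains and reports which autostart entries launch something under the folders and files the reply lists for deletion; the excerpt it parses is constructed from entries in the posted log.

```python
import re
from collections import namedtuple

# Constructed excerpt in the posted dump's format; the log lists each record twice.
SAMPLE_DUMP = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\cbax
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item cbax
hkey HKLM
command c:\windows\cbax.exe
inimapping 0
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item cbax
hkey HKLM
command c:\windows\cbax.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\SunJavaUpdateSched
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item jusched
hkey HKLM
command C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
inimapping 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\WildTangent CDA
key SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item cdaEngine0400
hkey HKLM
command RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain
inimapping 0
"""

# Folders and files the reply says to delete.
REMOVE_PATHS = [
    r"C:\Program Files\Web_Rebates", r"C:\Program Files\WildTangent",
    r"C:\Program Files\Common files\updmgr", r"C:\Program Files\TV Media",
    r"c:\windows\cbax.exe", r"c:\windows\system32\msbb.exe",
]

StartupEntry = namedtuple("StartupEntry", "name hive item command")
HEADER = re.compile(r"^HKEY_LOCAL_MACHINE\\.*\\MSConfig\\startupreg\\(.+)$")

def parse_startupreg(text):
    """Return deduplicated startup records from an MSConfig startupreg dump."""
    entries, current, fields = [], None, {}
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:  # new record header: subkey name under startupreg
            current, fields = m.group(1), {}
            continue
        if current is None or not line:
            continue
        key, _, value = line.partition(" ")
        fields[key] = value
        if key == "inimapping":  # last field of one record
            entry = StartupEntry(current, fields.get("hkey", ""),
                                 fields.get("item", ""), fields.get("command", ""))
            if entry not in entries:  # the dump repeats every record
                entries.append(entry)
            fields = {}
    return entries

def flagged(entries, remove_paths=REMOVE_PATHS):
    """Entries whose command references a path listed for deletion (case-insensitive)."""
    wanted = [p.lower() for p in remove_paths]
    return [e for e in entries if any(p in e.command.lower() for p in wanted)]
```

Running `flagged(parse_startupreg(SAMPLE_DUMP))` on the excerpt returns the cbax and WildTangent CDA entries and leaves the Java updater alone, which is the same cross-check a helper does by eye before writing a removal list.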
©2003 - 2009 DaniWeb® LLC