Winlogon.exe infected or not?
Thread Solved
I recently had problems with SpySheriff, but I'm pretty sure I was able to get rid of it. However, since then I've been getting two pop-up windows each time I log in telling me that winlogon.exe cannot be found. I've looked on the web and different sites say different things about winlogon (it is for sure winlogon.exe and not winlogin.exe). Should I try to find a way to replace the file? Is it there, just infected with something? Any info would be appreciated.
Here's my HJT log...
Logfile of HijackThis v1.99.1
Scan saved at 12:21:31 PM, on 5/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\mpcsvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\system.exe
C:\WINDOWS\System32\6e730662.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Tom.KITCHEN\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phillipswest.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS2\system32\userinit.exe,
O1 - Hosts: 84.252.148.80 www.bankone.com
O1 - Hosts: 84.252.148.80 bankone.com
O1 - Hosts: 84.252.148.80 halifax.com
O1 - Hosts: 84.252.148.80 www.halifax.com
O1 - Hosts: 84.252.148.80 halifax.co.uk
O1 - Hosts: 84.252.148.80 www.halifax.co.uk
O1 - Hosts: 84.252.148.80 www.bankofamerica.com
O1 - Hosts: 84.252.148.80 bankofamerica.com
O1 - Hosts: 84.252.148.80 www.paypal.com
O1 - Hosts: 84.252.148.80 paypal.com
O1 - Hosts: 84.252.148.80 www.lloydstsb.com
O1 - Hosts: 84.252.148.80 lloydstsb.com
O1 - Hosts: 84.252.148.80 www.lloydstsb.co.uk
O1 - Hosts: 84.252.148.80 lloydstsb.co.uk
O1 - Hosts: 84.252.148.80 www.garanti.com.tr
O1 - Hosts: 84.252.148.80 garanti.com.tr
O1 - Hosts: 84.252.148.80 www.kocbank.com.tr
O1 - Hosts: 84.252.148.80 kocbank.com.tr
O1 - Hosts: 84.252.148.80 www.disbank.com.tr
O1 - Hosts: 84.252.148.80 disbank.com.tr
O1 - Hosts: 84.252.148.80 www.chase.com
O1 - Hosts: 84.252.148.80 chase.com
O1 - Hosts: 84.252.148.80 www.southtrust.com
O1 - Hosts: 84.252.148.80 southtrust.com
O1 - Hosts: 84.252.148.80 www.wachovia.com
O1 - Hosts: 84.252.148.80 wachovia.com
O1 - Hosts: 84.252.148.80 www.wellsfargo.com
O1 - Hosts: 84.252.148.80 wellsfargo.com
O1 - Hosts: 84.252.148.80 www.barclays.co.uk
O1 - Hosts: 84.252.148.80 barclays.co.uk
O1 - Hosts: 84.252.148.80 www.barclays.com
O1 - Hosts: 84.252.148.80 barclays.com
O1 - Hosts: 84.252.148.80 www.barclays.pt
O1 - Hosts: 84.252.148.80 barclays.pt
O1 - Hosts: 84.252.148.80 www.barclays.pt
O1 - Hosts: 84.252.148.80 barclays.pt
O1 - Hosts: 84.252.148.80 www.citi.com
O1 - Hosts: 84.252.148.80 citi.com
O1 - Hosts: 84.252.148.80 www.citibank.com
O1 - Hosts: 84.252.148.80 citibank.com
O1 - Hosts: 84.252.148.80 www.etrade.com
O1 - Hosts: 84.252.148.80 etrade.com
O1 - Hosts: 84.252.148.80 www.neteller.com
O1 - Hosts: 84.252.148.80 neteller.com
O1 - Hosts: 84.252.148.80 tcfbank.com
O1 - Hosts: 84.252.148.80 www.tcfbank.com
O1 - Hosts: 84.252.148.80 hsbc.com
O1 - Hosts: 84.252.148.80 www.hsbc.com
O1 - Hosts: 84.252.148.80 hsbc.co.uk
O1 - Hosts: 84.252.148.80 www.hsbc.co.uk
O1 - Hosts: 84.252.148.80 aol.com
O1 - Hosts: 84.252.148.80 www.aol.com
O1 - Hosts: 84.252.148.80 comerica.com
O1 - Hosts: 84.252.148.80 www.comerica.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\Windows\system32\winbrume.dll (file missing)
O2 - BHO: Mega! - {8BC6346B-FFB0-4435-ACE3-FACA6CD77816} - C:\DOCUME~1\TOM~1.KIT\LOCALS~1\Temp\MegaHost.dll (file missing)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - HKLM\..\Run: [SiS Mpc Service] C:\WINDOWS\System32\mpcsvc.exe
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\inet20001\socks.exe
O4 - HKLM\..\Run: [HotKeysCmd] C:\WINDOWS\System32\system.exe
O4 - HKLM\..\Run: [6e730662.exe] C:\WINDOWS\System32\6e730662.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [6e730662.exe] C:\Documents and Settings\Tom.KITCHEN\Local Settings\Application Data\6e730662.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_04\bin\npjpi141_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_04\bin\npjpi141_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {564EC66E-5A1B-51D3-1DB0-5080C83DA4EB} - ms-its:mhtml:file://C:ie.mht!http://69.50.164.12/exp/mht/sext01.c...aInstaller.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_04) - http://216.157.219.18:8011/webapps/c...-1_4_1-win.exe
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\20242402.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\polymorph.dll
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O21 - SSODL: KnBzcvycFuzo - {5C735185-F6D9-FB2F-6E29-E91A77CFAB94} - C:\WINDOWS\System32\obp.dll (file missing)
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - (no file)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS2\System32\mnmsrvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS2\system32\sessmgr.exe (file missing)
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
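The log above is the evidence the rest of the thread acts on. As an added example (not from the thread, and not part of HijackThis), the Python script below parses a handful of the log's own lines and flags the four patterns that matter here: a hosts-file cluster pinning many bank hostnames to one IP, logon-chain binary names (winlogon.exe, svchost.exe) running from outside System32, a UserInit chain with extra entries, and Winlogon Notify DLLs outside System32. The function names, the System32 path and the cluster threshold are my assumptions for a default Windows XP install on drive C:.

```python
import ntpath
import re
from collections import defaultdict

# Sample input (constructed): a subset of the HijackThis 1.99.1 lines from the log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS2\system32\userinit.exe,
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
O1 - Hosts: 84.252.148.80 www.paypal.com
O1 - Hosts: 84.252.148.80 paypal.com
O1 - Hosts: 84.252.148.80 www.chase.com
O1 - Hosts: 84.252.148.80 www.citibank.com
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\polymorph.dll
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
"""

# Logon-chain binaries whose names malware borrows; the genuine copies live only in System32.
LOGON_BINARIES = {"winlogon.exe", "userinit.exe", "svchost.exe", "lsass.exe", "services.exe"}
SYSTEM32 = r"c:\windows\system32"   # assumption: default Windows XP layout on drive C:
HOSTS_CLUSTER_THRESHOLD = 3         # assumption: this many hostnames pinned to one IP is a hijack

RE_HOSTS = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
RE_RUN = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]*)\] (.+)$")
RE_USERINIT = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.I)
RE_WININI_RUN = re.compile(r"^F3 - REG:win\.ini: run=(.*)$", re.I)
RE_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+?)(?: \(file missing\))?$")
RE_FIRST_IMAGE = re.compile(r'^"?([^"]*?\.(?:exe|dll))', re.I)


def first_image(command):
    """Return the first .exe/.dll path in a Run command line, quoted or not."""
    m = RE_FIRST_IMAGE.match(command.strip())
    return m.group(1) if m else command.strip()


def masquerade_finding(path, where):
    """Flag a logon-chain binary name that does not live in System32 (e.g. winlogon.exe under inet20001)."""
    name = ntpath.basename(path).lower()
    directory = ntpath.dirname(path).lower()
    if name in LOGON_BINARIES and directory != SYSTEM32:
        return f"{where}: {name} running from non-system directory {path}"
    return None


def analyse(log_text):
    """Return human-readable findings for one HijackThis log, in log order (hosts cluster last)."""
    findings = []
    hosts_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        line = line.strip()
        if m := RE_HOSTS.match(line):
            hosts_by_ip[m.group(1)].add(m.group(2).lower())
        elif m := RE_RUN.match(line):
            f = masquerade_finding(first_image(m.group(3)), f"O4 {m.group(1)} Run [{m.group(2)}]")
            if f:
                findings.append(f)
        elif m := RE_WININI_RUN.match(line):
            # win.ini run= is a legacy autostart that nothing modern needs; any entry is suspect.
            findings.append(f"F3 win.ini run= autostart present: {m.group(1)}")
        elif m := RE_USERINIT.match(line):
            # UserInit must be exactly one entry, the real userinit.exe in System32.
            entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
            if len(entries) != 1 or entries[0].lower() != ntpath.join(SYSTEM32, "userinit.exe"):
                findings.append(f"F2 UserInit chain tampered: {entries}")
        elif m := RE_NOTIFY.match(line):
            # Notify DLLs load into winlogon.exe itself; a copy outside System32 is a classic hook.
            # (One inside System32, like winm32.dll above, still needs a manual look.)
            if ntpath.dirname(m.group(2)).lower() != SYSTEM32:
                findings.append(f"O20 Winlogon Notify DLL outside System32: {m.group(1)} -> {m.group(2)}")
    for ip, names in hosts_by_ip.items():
        # Many bank/payment hostnames pinned to one non-loopback IP is pharming, not a custom hosts file.
        if ip not in ("127.0.0.1", "::1") and len(names) >= HOSTS_CLUSTER_THRESHOLD:
            findings.append(f"O1 hosts hijack: {len(names)} hostnames pinned to {ip}: {sorted(names)}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

Run against the full log from the thread, the same rules also catch the HKCU [xp_system] copy and the second 6e730662.exe-style entries only if you extend LOGON_BINARIES; the point is that a legitimate name in the wrong directory is the tell, not the name itself.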
Hi, and welcome to DaniWeb. Please run HJT again, select Do system scan only. Then check these items.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS2\system32\userinit.exe,
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\Windows\system32\winbrume.dll (file missing)
O2 - BHO: Mega! - {8BC6346B-FFB0-4435-ACE3-FACA6CD77816} - C:\DOCUME~1\TOM~1.KIT\LOCALS~1\Temp\MegaHost.dll (file missing)
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - HKLM\..\Run: [SiS Mpc Service] C:\WINDOWS\System32\mpcsvc.exe
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\inet20001\socks.exe
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\inet20001\socks.exe
O4 - HKLM\..\Run: [6e730662.exe] C:\WINDOWS\System32\6e730662.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [6e730662.exe] C:\Documents and Settings\Tom.KITCHEN\Local Settings\Application Data\6e730662.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS
O16 - DPF: {564EC66E-5A1B-51D3-1DB0-5080C83DA4EB} - ms-its:mhtml:file://C:ie.mht!http://69.50.164.12/exp/mht/sext01.c...aInstaller.exe
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\20242402.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\polymorph.dll
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O21 - SSODL: KnBzcvycFuzo - {5C735185-F6D9-FB2F-6E29-E91A77CFAB94} - C:\WINDOWS\System32\obp.dll (file missing)
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - (no file)
Close ALL browsers and click Fix Checked
________________________________________________________
Begin by downloading CCleaner, and specifically choosing the most recent version.
Then, follow these steps:
1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shutdown My Computer.
10. Now your computer is configured to show all hidden files.
Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these isn't present, skip it):
C:\Windows\Temp
C:\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\<Every user listed>\Local Settings\History
C:\Documents and Settings\<Every user listed>\Cookies
C:\Windows\Prefetch
After doing this, move back to the 'Cleaner' tab, and inside this, be sure you're on the 'Windows' tab. Inside, check the box labeled 'Custom Files and Folders'.
Next, after following all of these steps, you're ready to scan. Run scans in both the 'Cleaner' and 'Issues' tabs. Note: It might take several scans in each to remove all of the junk.
________________________________________________________
Download Hoster.
- Unzip Hoster to C:\Hoster.
- Run Hoster.exe from its new home
- Click "Make Hosts Writable?" in the upper right corner (If available).
- Click Restore Original Hosts and then click OK.
- Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
________________________________________________________
Download about:buster Here.
Download CWShredder Here.
Download and install CleanUp! Here
Save all of these files somewhere you will remember like to the Desktop.
Update About:Buster
- Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
- Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
- Click "OK" at the prompt with instructions.
- Click "Update" and then "Check For Update" to begin the update process.
- If any updates exist please download them by clicking "Download Update" then click the X to close that window.
- Now close About:Buster
- Open CWShredder and click I AGREE
- Click Check For Update
- Close CWShredder
Reboot into Safe Mode (by hitting the F8 key repeatedly at the bootup screen until a menu shows up, and choose Safe Mode from the list).
Please run about:buster:
- Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
- Click Yes to allow it to shutdown explorer.exe.
- It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
- When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
- Reboot your computer into safe mode again
Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.
Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
- Empty Recycle Bins
- Delete Cookies
- Delete Prefetch files (if present)
- Cleanup! All Users
Press the CleanUp! button to start the program.
It may ask you to log-off/reboot at the end, if it does please do so.
_______________________________________________________
Download haxfix.exe.
Save it to your desktop.
Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files)
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
A red "dos window" (dos box) will open.
This message will appear: "Insert the haxdoor notify subkey without the numbers, and then press enter:"
At this point please type the following: winm32.dll
Press Enter to continue with the fix.
If an infection is found, you'll get a message to close all other open windows.
Close them, except the red dos window from haxfix and press Enter.
The computer will reboot.
After reboot find the logfile c:\haxfix.txt.
Post the contents of c:\haxfix.txt along with a new hijackthislog.
_______________________________________________________
Please download Pocket Killbox by O^E.
- Save it to your desktop.
- Please double-click Killbox.exe to run it.
- Select:
- Delete on Reboot
- then Click on the All Files button.
- Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\Windows\system32\winbrume.dll
C:\WINDOWS\inet20001\socks.exe
C:\WINDOWS\System32\6e730662.exe
C:\winstall.exe
C:\Documents and Settings\Tom.KITCHEN\Local Settings\Application Data\6e730662.exe
C:\WINDOWS\System32\0mcamcap.exe
C:\Windows\xpupdate.exe
C:\WINDOWS\inet20001\winlogon.exe
C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\20242402.dll
C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\polymorph.dll
C:\WINDOWS\System32\obp.dll
- Return to Killbox, go to the File menu, and choose Paste from Clipboard.
- Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
________________________________________________________
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.
Next, please reboot your computer in Safe Mode by doing the following:
- Restart your computer
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
- Instead of Windows loading as normal, a menu with options should appear;
- Select the first option, to run Windows in Safe Mode, then press "Enter".
- Choose your usual account.
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt
Warning: running option #2 on a non infected computer will remove your Desktop background.
________________________________________________________
Then please run ewido and post that log, along with the aboutbuster, haxfix, smitfraudfix, and a new HJT log.
HANG IN THERE, YOU ARE LOADED!
Warning : running option #2 on a non-infected computer will remove your Desktop background.
________________________________________________________
Then please run ewido and post that log, along with the aboutbuster, haxfix, smitfraudfix, and a new HJT log.
HANG IN THERE, YOU ARE LOADED!
Last edited by tayspen; May 17th, 2006 at 3:09 pm. Reason: Forgot Hoster...smitfraud fix added JIC
Firefox
Ewido
Tune up windows
Get detailed system information
My Fixes
Member - Alliance of Security Analysis Professionals - Since 2006
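The instructions above end by asking for a fresh HijackThis log. Two of the indicators this thread turns on are visible in such a log: a system-binary name running from a directory where Windows never puts it (the Killbox list contains C:\WINDOWS\inet20001\winlogon.exe, and the first log showed a system.exe in System32), and O1 hosts-file entries that send a domain to an address other than loopback. The following Python triage script is an added example and is not code from the thread, from HijackThis, or from any of the tools named in the post; the list of binary names, the lookalike list, the legitimate-directory set (which assumes an XP install on C:) and the sample log are all constructed for the example.

```python
"""Triage a HijackThis-style log for two indicators seen in this thread.

Added example; not code from the thread, from HijackThis or from any of the
tools named above. The name lists and the sample log are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Windows binaries whose names malware commonly borrows (constructed list).
SYSTEM_BINARY_NAMES = {
    "winlogon.exe", "svchost.exe", "lsass.exe", "services.exe",
    "csrss.exe", "smss.exe", "spoolsv.exe", "explorer.exe",
}
# Names that resemble system components but have no legitimate Windows XP
# counterpart (constructed list; the thread shows system.exe in System32).
LOOKALIKE_NAMES = {"system.exe"}
# Directories where SYSTEM_BINARY_NAMES legitimately live (assumes an XP
# install on C:; adjust for other system roots).
LEGIT_DIRS = {r"c:\windows\system32", r"c:\windows"}

PATH_RE = re.compile(r"^[a-z]:\\")
HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)", re.IGNORECASE)


def masquerading_processes(log_lines):
    """Paths in the 'Running processes:' section that carry a system-binary
    name outside LEGIT_DIRS, or a lookalike name anywhere."""
    hits, in_procs = [], False
    for raw in log_lines:
        line = raw.strip()
        low = line.lower()
        if low == "running processes:":
            in_procs = True
            continue
        if in_procs and not PATH_RE.match(low):
            in_procs = False          # first non-path line ends the section
        if not in_procs:
            continue
        directory, _, name = low.rpartition("\\")
        if name in LOOKALIKE_NAMES:
            hits.append(line)
        elif name in SYSTEM_BINARY_NAMES and directory not in LEGIT_DIRS:
            hits.append(line)
    return hits


def hijacked_hosts_entries(log_lines):
    """(ip, hostname) pairs from O1 lines whose address is not loopback.
    An address that does not parse is reported as well."""
    hits = []
    for raw in log_lines:
        m = HOSTS_RE.match(raw.strip())
        if not m:
            continue
        ip_text, host = m.group(1), m.group(2)
        try:
            if ipaddress.ip_address(ip_text).is_loopback:
                continue
        except ValueError:
            pass
        hits.append((ip_text, host))
    return hits


def redirect_targets(log_lines):
    """Group hijacked hostnames by the address they are sent to, so a single
    attacker host collecting many bank domains stands out."""
    by_ip = defaultdict(set)
    for ip_text, host in hijacked_hosts_entries(log_lines):
        by_ip[ip_text].add(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()}


# Constructed sample built from the kinds of lines posted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\inet20001\winlogon.exe
C:\WINDOWS\System32\system.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 84.252.148.80 www.paypal.com
O1 - Hosts: 84.252.148.80 paypal.com
O1 - Hosts: 84.252.148.80 www.halifax.co.uk
""".strip().splitlines()

if __name__ == "__main__":
    for path in masquerading_processes(SAMPLE_LOG):
        print("suspicious process:", path)
    for ip, hosts in redirect_targets(SAMPLE_LOG).items():
        print(f"hosts file sends {len(hosts)} domain(s) to {ip}: {', '.join(hosts)}")
```

Run it against a saved HijackThis log by replacing SAMPLE_LOG with the file's lines. Grouping the O1 entries by destination address is the useful view here: a hosts file that maps dozens of unrelated banking domains to one address is a pharming setup rather than a stray entry, which is why the helper's cleanup list includes a hosts-file reset.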
Oh boy, guess I am... well, I am thoroughly depressed.
But anyway, I am trying to go through the steps you gave (thank you very much by the way) but every time I try to clean with CCleaner it gives me the "has encountered an error and needs to close" message. Do I need to run this in safe mode as well?
It does clean out all the "issues" though.
Thanks again.
Sure, try it in safe mode. If it fails, just skip that step.
Alright, finally got through it all. Here are the logs you requested, although I couldn't figure out how to get a log from aboutBuster.
SmitFraudFix After cleaning
SmitFraudFix v2.44
Scan done at 18:48:15.17, Wed 05/17/2006
Run from C:\Documents and Settings\Tom.KITCHEN\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\country.exe Deleted
C:\exit Deleted
C:\kl1.exe Deleted
C:\ms1.exe Deleted
C:\tool1.exe Deleted
C:\tool4.exe Deleted
C:\tool5.exe Deleted
C:\toolbar.exe Deleted
C:\uniq Deleted
C:\WINDOWS\system32\dlh9jkdq?.exe Deleted
C:\WINDOWS\system32\taskdir.dll Deleted
C:\WINDOWS\system32\taskdir.exe Deleted
C:\WINDOWS\system32\vxgame?.exe Deleted
C:\WINDOWS\system32\vxgame?.exe????.exe Deleted
C:\WINDOWS\system32\zlbw.dll Deleted
C:\Documents and Settings\Tom.KITCHEN\Application Data\Install.dat Deleted
C:\Program Files\secure32.html Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» End
HaxFix after cleaning (I didn't get the message you said would come up, but I typed in that code at the main screen and I think it still worked...)
--------------
version 2.42
Wed 05/17/2006 18:29:36.01
Auto Haxdoorfix
haxdoor key: winm
searching for services....
services found
deleting services.....
[SWSC] DeleteService SUCCESS
[SWSC] DeleteService SUCCESS
rebooting the computer.....
haxdoor key: winm
searching for services....
services not found
checking if files are found.....
winm32.dll
winm32.sys
winm64.sys
deleting files.....
checking if files are deleted.....
checking for other files.....
qy.sys
qz.dll
qz.sys
klogini.dll
p3.ini
ps.a3d
deleting other files.....
checking if the files are deleted.....
Finished
Ewido Log
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 7:33:45 PM, 5/17/2006
+ Report-Checksum: D57D3784
+ Scan result:
HKU\S-1-5-21-515967899-1202660629-725345543-1004\Software\Microsoft\Internet
Explorer\Keywords -> Adware.CoolWebSearch : Cleaned with backup
[1656] C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00061.dll ->
Trojan.Sinowal.m : Cleaned with backup
[1800] C:\WINDOWS\System32\system.exe -> Logger.Delf.nj : Cleaned with backup
C:\!KillBox\6e730662.exe -> Downloader.Small.csn : Cleaned with backup
C:\!KillBox\6e730662.exe( 1) -> Downloader.Small.csn : Cleaned with backup
C:\Documents and Settings\Parents.KITCHEN\Local Settings\Application Data\6e730662.exe ->
Downloader.Small.csn : Cleaned with backup
C:\Documents and Settings\Parents.KITCHEN\Start Menu\Programs\SpySheriff ->
Adware.SpySheriff : Cleaned with backup
C:\Documents and Settings\Parents.KITCHEN\Start Menu\Programs\SpySheriff\SpySheriff.lnk
-> Adware.SpySheriff : Cleaned with backup
C:\Documents and Settings\Tom\Application
Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv479.jar-22d4df3e-32ad7393.zip/Dummy.class
-> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup
C:\Documents and Settings\Tom.KITCHEN\Cookies\tom@citi.bridgetrack[2].txt ->
TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Tom.KITCHEN\My Documents\MGBSetup-dm.exe -> Adware.Trymedia :
Cleaned with backup
C:\Documents and Settings\Tom.KITCHEN\My Documents\My
downloads\zips\CelticKings_Setup-dm.exe -> Adware.Trymedia : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00060.dll ->
Trojan.Sinowal.m : Cleaned without backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00061.dll ->
Trojan.Sinowal.m : Cleaned without backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00061.exe ->
Trojan.Sinowal.m : Cleaned without backup
C:\Program Files\Internet Explorer\loader.exe -> Downloader.Agent.akj : Cleaned without
backup
C:\Program Files\Internet Explorer\update.exe -> Adware.BHO : Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP15\A0010129.dll ->
Downloader.Small.aul : Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP42\A0011244.exe -> Adware.BHO :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP43\A0011248.exe -> Adware.BHO :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP44\A0011250.exe -> Adware.BHO :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP45\A0011253.exe -> Adware.BHO :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP49\A0011279.exe -> Adware.BHO :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP50\A0011281.exe -> Adware.BHO :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP52\A0011283.exe -> Adware.BHO :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP53\A0011288.exe -> Adware.BHO :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP54\A0011289.exe -> Adware.BHO :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP55\A0011290.exe -> Adware.BHO :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP56\A0011291.exe -> Adware.BHO :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP56\A0011294.dll -> Adware.BHO :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP57\A0011709.exe -> Trojan.Sinowal.n
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP57\A0011710.dll -> Trojan.Sinowal.m
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP57\A0011711.dll -> Trojan.Sinowal.m
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP57\A0011712.exe -> Trojan.Sinowal.m
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP57\A0011713.dll -> Trojan.Sinowal.m
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011718.exe -> Proxy.Agent.jw :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011720.exe -> Proxy.Small.bt :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011721.exe -> Trojan.Sinowal.n
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011722.exe -> Trojan.Sinowal.m
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011725.exe -> Proxy.Small.bo :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011726.exe -> Trojan.Small :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011729.exe -> Hijacker.Small :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011731.exe -> Trojan.Small :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011733.exe -> Trojan.Small :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011736.exe -> Trojan.Small :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011737.exe -> Trojan.Spabot.x :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011738.exe -> Trojan.Small :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011739.exe -> Downloader.Small
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011740.dll ->
Downloader.Agent.afl : Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011747.exe -> Logger.Delf.ig :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011748.dll -> Trojan.Sinowal.m
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011749.dll -> Trojan.Sinowal.m
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012698.exe ->
Downloader.Small.csn : Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012702.exe -> Logger.Delf.ig :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012705.exe -> Proxy.Agent.jw :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012709.exe -> Proxy.Small.bt :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012712.exe -> Trojan.Small :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012713.exe -> Trojan.Small :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012714.exe -> Trojan.Small :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012715.exe -> Trojan.Spabot.x :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012716.exe -> Trojan.Small :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012717.exe -> Trojan.Sinowal.n
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012718.exe ->
Downloader.Small.ctk : Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012719.exe ->
Downloader.Small.cug : Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012720.dll -> Trojan.Sinowal.m
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012721.dll -> Trojan.Sinowal.m
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012722.dll -> Trojan.Sinowal.m
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012723.dll -> Trojan.Sinowal.m
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012724.exe -> Trojan.Sinowal.m
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012727.dll -> Trojan.Sinowal.m
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012728.exe -> Downloader.Small
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012754.exe ->
Downloader.Small.csn : Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012756.exe -> Logger.Delf.ig :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012758.exe -> Trojan.Sinowal.n
: Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012761.dll -> Trojan.Sinowal.m
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012762.exe -> Trojan.Sinowal.m
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012764.exe -> Proxy.Agent.jw :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012765.dll -> Trojan.Sinowal.m
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012768.exe -> Trojan.Small :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012769.exe -> Proxy.Small.bt :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012770.exe -> Trojan.Small :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012773.exe -> Trojan.Spabot.x :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012774.exe -> Trojan.Small :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012775.exe ->
Downloader.Small.ctk : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012777.exe ->
Downloader.Small.cug : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012779.exe ->
Downloader.Small.cre : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012780.exe ->
Downloader.Small.ctk : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012781.exe -> Trojan.Small :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012782.exe -> Logger.Delf.nj :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012783.dll -> Rootkit.Delf.e :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012784.dll -> Logger.Banker.wa
: Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012786.exe ->
Downloader.Small.csn : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012787.exe -> Proxy.Small.bo :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012788.exe -> Proxy.Small.bo :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012789.exe -> Downloader.Small
: Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012791.exe -> Hijacker.Small.kr
: Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012794.dll -> Adware.Spysheriff
: Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012795.dll -> Adware.Spysheriff
: Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012796.dll -> Adware.Spysheriff
: Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012797.dll -> Adware.Spysheriff
: Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012844.dll -> Trojan.Sinowal.m
: Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012850.exe -> Logger.Delf.ig :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012856.exe -> Proxy.Agent.jw :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012859.exe -> Trojan.Small :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012860.exe -> Trojan.Sinowal.n
: Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012861.exe -> Proxy.Small.bt :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012862.exe -> Trojan.Small :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012863.exe -> Trojan.Spabot.x :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012864.dll -> Trojan.Sinowal.m
: Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012865.exe -> Trojan.Sinowal.m
: Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012866.exe ->
Downloader.Small.cre : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012867.dll -> Trojan.Sinowal.m
: Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012868.exe ->
Downloader.Small.ctk : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012869.exe -> Trojan.Small :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012872.exe -> Trojan.Small :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012873.exe ->
Downloader.Small.ctk : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012875.exe ->
Downloader.Small.cug : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012880.exe ->
Downloader.Small.csn : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012881.exe -> Proxy.Small.bo :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012882.exe -> Proxy.Small.bo :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012885.exe -> Hijacker.Small.kr
: Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012889.dll -> Adware.Ihbo :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012890.exe ->
Trojan.LdPinch.amh : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012893.exe -> Worm.Delf.i :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012896.exe -> Logger.Delf.ig :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012897.exe -> Logger.Delf.ig :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012898.exe -> Trojan.Small :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012899.exe -> Proxy.Small.bt :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012900.exe -> Downloader.CWS.s
: Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012901.exe ->
Hijacker.StartPage.adi : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012902.exe ->
Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012903.dll -> Proxy.Agent.ji :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012904.exe -> Proxy.Wopla.r :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012905.dll -> Proxy.Wopla.s :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012906.exe -> Proxy.Wopla.r :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012907.dll -> Proxy.Lager.aq :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012908.exe ->
Downloader.Agent.hy : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012909.exe -> Trojan.Spabot.x :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012910.exe ->
Downloader.Small.cug : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012911.exe -> Trojan.Small :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012912.exe -> Trojan.Small :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012913.exe ->
Downloader.Small.ctk : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012914.exe -> Proxy.Small.du :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012915.exe -> Proxy.Small.bo :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012916.exe ->
Downloader.Small.csn : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012917.exe -> Trojan.Small :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012918.exe -> Trojan.Small :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012919.exe -> Trojan.Small :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012920.exe ->
Downloader.Agent.akj : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012921.sys ->
Downloader.Hanlo.r : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012922.exe -> Trojan.Small :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012923.exe -> Trojan.Dialer.ay
: Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012924.dll -> Proxy.Agent.df :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012925.exe -> Trojan.Spabot.x :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012926.exe -> Logger.Delf.mq :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012927.exe -> Proxy.Small.bo :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012928.exe ->
Downloader.Small.ctk : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012929.exe -> Trojan.Small :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012930.exe -> Trojan.Small :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012931.dll -> Adware.BHO :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012932.exe ->
Downloader.Agent.akj : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012933.exe -> Trojan.Small :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012934.dll -> Trojan.Sinowal.m
: Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012935.dll ->
Downloader.Agent.afl : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0013039.exe ->
Downloader.Small.csn : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0013113.dll ->
Downloader.Small.aul : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0013114.dll ->
Downloader.Small.aul : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015028.dll ->
Backdoor.Haxdoor.ii : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015033.sys ->
Backdoor.Haxdoor.ii : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015034.sys ->
Backdoor.Haxdoor.ig : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015035.sys ->
Backdoor.Haxdoor.ii : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015036.dll ->
Backdoor.Haxdoor.ii : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015037.sys ->
Backdoor.Haxdoor.ig : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015042.exe ->
Downloader.Small.csn : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015043.exe ->
Downloader.Small.csn : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015045.dll -> Proxy.Xorpix.v :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015053.exe -> Trojan.Sinowal.n
: Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015055.exe ->
Downloader.Small.csn : Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015057.exe -> Hijacker.Small :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015060.exe -> Downloader.Small
: Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015062.dll -> Proxy.Lager.aq :
Cleaned with backup
C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP816\A0095396.dll ->
Downloader.Braidupdate.d : Cleaned with backup
C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0111206.dll -> Adware.Aws :
Cleaned with backup
C:\System Volume
Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP869\A0119721.DLL ->
Hijacker.Agent.dh : Cleaned with backup
C:\Windows\file1.exe -> Dropper.Agent.apb : Cleaned with backup
C:\Windows\OEM.exe -> Proxy.Agent.jw : Cleaned with backup
C:\Windows\system32\bak.tmp -> Logger.Delf.nj : Cleaned with backup
C:\Windows\system32\mpcsvc.exe -> Proxy.Small.du : Cleaned with backup
C:\Windows\system32\system.exe -> Logger.Delf.nj : Cleaned with backup
C:\Windows\system32\win32.dll -> Logger.Banker.wa : Cleaned with backup
C:\Windows\system32\winup.dll -> Rootkit.Delf.e : Cleaned with backup
::Report End
HJT log
Logfile of HijackThis v1.99.1
Scan saved at 7:34:25 PM, on 5/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Tom.KITCHEN\Desktop\HijackThis.exe
O1 - Hosts: 84.252.148.80 www.bankone.com
O1 - Hosts: 84.252.148.80 bankone.com
O1 - Hosts: 84.252.148.80 halifax.com
O1 - Hosts: 84.252.148.80 www.halifax.com
O1 - Hosts: 84.252.148.80 halifax.co.uk
O1 - Hosts: 84.252.148.80 www.halifax.co.uk
O1 - Hosts: 84.252.148.80 www.bankofamerica.com
O1 - Hosts: 84.252.148.80 bankofamerica.com
O1 - Hosts: 84.252.148.80 www.paypal.com
O1 - Hosts: 84.252.148.80 paypal.com
O1 - Hosts: 84.252.148.80 www.lloydstsb.com
O1 - Hosts: 84.252.148.80 lloydstsb.com
O1 - Hosts: 84.252.148.80 www.lloydstsb.co.uk
O1 - Hosts: 84.252.148.80 lloydstsb.co.uk
O1 - Hosts: 84.252.148.80 www.garanti.com.tr
O1 - Hosts: 84.252.148.80 garanti.com.tr
O1 - Hosts: 84.252.148.80 www.kocbank.com.tr
O1 - Hosts: 84.252.148.80 kocbank.com.tr
O1 - Hosts: 84.252.148.80 www.disbank.com.tr
O1 - Hosts: 84.252.148.80 disbank.com.tr
O1 - Hosts: 84.252.148.80 www.chase.com
O1 - Hosts: 84.252.148.80 chase.com
O1 - Hosts: 84.252.148.80 www.southtrust.com
O1 - Hosts: 84.252.148.80 southtrust.com
O1 - Hosts: 84.252.148.80 www.wachovia.com
O1 - Hosts: 84.252.148.80 wachovia.com
O1 - Hosts: 84.252.148.80 www.wellsfargo.com
O1 - Hosts: 84.252.148.80 wellsfargo.com
O1 - Hosts: 84.252.148.80 www.barclays.co.uk
O1 - Hosts: 84.252.148.80 barclays.co.uk
O1 - Hosts: 84.252.148.80 www.barclays.com
O1 - Hosts: 84.252.148.80 barclays.com
O1 - Hosts: 84.252.148.80 www.barclays.pt
O1 - Hosts: 84.252.148.80 barclays.pt
O1 - Hosts: 84.252.148.80 www.barclays.pt
O1 - Hosts: 84.252.148.80 barclays.pt
O1 - Hosts: 84.252.148.80 www.citi.com
O1 - Hosts: 84.252.148.80 citi.com
O1 - Hosts: 84.252.148.80 www.citibank.com
O1 - Hosts: 84.252.148.80 citibank.com
O1 - Hosts: 84.252.148.80 www.etrade.com
O1 - Hosts: 84.252.148.80 etrade.com
O1 - Hosts: 84.252.148.80 www.neteller.com
O1 - Hosts: 84.252.148.80 neteller.com
O1 - Hosts: 84.252.148.80 tcfbank.com
O1 - Hosts: 84.252.148.80 www.tcfbank.com
O1 - Hosts: 84.252.148.80 hsbc.com
O1 - Hosts: 84.252.148.80 www.hsbc.com
O1 - Hosts: 84.252.148.80 hsbc.co.uk
O1 - Hosts: 84.252.148.80 www.hsbc.co.uk
O1 - Hosts: 84.252.148.80 aol.com
O1 - Hosts: 84.252.148.80 www.aol.com
O1 - Hosts: 84.252.148.80 comerica.com
O1 - Hosts: 84.252.148.80 www.comerica.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_04\bin\npjpi141_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_04\bin\npjpi141_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_04) - http://216.157.219.18:8011/webapps/c...-1_4_1-win.exe
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\20242402.dll (file missing)
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\polymorph.dll (file missing)
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS2\System32\mnmsrvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS2\system32\sessmgr.exe (file missing)
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
Thanks a lot for your help, and let me know if I missed anything or still have more to do. Thanks.
SmitFraudFix After cleaning
SmitFraudFix v2.44
Scan done at 18:48:15.17, Wed 05/17/2006
Run from C:\Documents and Settings\Tom.KITCHEN\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\country.exe Deleted
C:\exit Deleted
C:\kl1.exe Deleted
C:\ms1.exe Deleted
C:\tool1.exe Deleted
C:\tool4.exe Deleted
C:\tool5.exe Deleted
C:\toolbar.exe Deleted
C:\uniq Deleted
C:\WINDOWS\system32\dlh9jkdq?.exe Deleted
C:\WINDOWS\system32\taskdir.dll Deleted
C:\WINDOWS\system32\taskdir.exe Deleted
C:\WINDOWS\system32\vxgame?.exe Deleted
C:\WINDOWS\system32\vxgame?.exe????.exe Deleted
C:\WINDOWS\system32\zlbw.dll Deleted
C:\Documents and Settings\Tom.KITCHEN\Application Data\Install.dat Deleted
C:\Program Files\secure32.html Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» End
HaxFix after cleaning (I didn't get the message you said would come up, but I typed in that code at the main screen and I think it still worked...)
--------------
version 2.42
Wed 05/17/2006 18:29:36.01
Auto Haxdoorfix
haxdoor key: winm
searching for services....
services found
deleting services.....
[SWSC] DeleteService SUCCESS
[SWSC] DeleteService SUCCESS
rebooting the computer.....
haxdoor key: winm
searching for services....
services not found
checking if files are found.....
winm32.dll
winm32.sys
winm64.sys
deleting files.....
checking if files are deleted.....
checking for other files.....
qy.sys
qz.dll
qz.sys
klogini.dll
p3.ini
ps.a3d
deleting other files.....
checking if the files are deleted.....
Finished
Ewido Log
ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 7:33:45 PM, 5/17/2006
+ Report-Checksum: D57D3784
+ Scan result:
HKU\S-1-5-21-515967899-1202660629-725345543-1004\Software\Microsoft\Internet Explorer\Keywords -> Adware.CoolWebSearch : Cleaned with backup
[1656] C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00061.dll -> Trojan.Sinowal.m : Cleaned with backup
[1800] C:\WINDOWS\System32\system.exe -> Logger.Delf.nj : Cleaned with backup
C:\!KillBox\6e730662.exe -> Downloader.Small.csn : Cleaned with backup
C:\!KillBox\6e730662.exe( 1) -> Downloader.Small.csn : Cleaned with backup
C:\Documents and Settings\Parents.KITCHEN\Local Settings\Application Data\6e730662.exe -> Downloader.Small.csn : Cleaned with backup
C:\Documents and Settings\Parents.KITCHEN\Start Menu\Programs\SpySheriff -> Adware.SpySheriff : Cleaned with backup
C:\Documents and Settings\Parents.KITCHEN\Start Menu\Programs\SpySheriff\SpySheriff.lnk -> Adware.SpySheriff : Cleaned with backup
C:\Documents and Settings\Tom\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv479.jar-22d4df3e-32ad7393.zip/Dummy.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup
C:\Documents and Settings\Tom.KITCHEN\Cookies\tom@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Tom.KITCHEN\My Documents\MGBSetup-dm.exe -> Adware.Trymedia : Cleaned with backup
C:\Documents and Settings\Tom.KITCHEN\My Documents\My downloads\zips\CelticKings_Setup-dm.exe -> Adware.Trymedia : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00060.dll -> Trojan.Sinowal.m : Cleaned without backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00061.dll -> Trojan.Sinowal.m : Cleaned without backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00061.exe -> Trojan.Sinowal.m : Cleaned without backup
C:\Program Files\Internet Explorer\loader.exe -> Downloader.Agent.akj : Cleaned without backup
C:\Program Files\Internet Explorer\update.exe -> Adware.BHO : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP15\A0010129.dll -> Downloader.Small.aul : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP42\A0011244.exe -> Adware.BHO : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP43\A0011248.exe -> Adware.BHO : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP44\A0011250.exe -> Adware.BHO : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP45\A0011253.exe -> Adware.BHO : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP49\A0011279.exe -> Adware.BHO : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP50\A0011281.exe -> Adware.BHO : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP52\A0011283.exe -> Adware.BHO : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP53\A0011288.exe -> Adware.BHO : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP54\A0011289.exe -> Adware.BHO : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP55\A0011290.exe -> Adware.BHO : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP56\A0011291.exe -> Adware.BHO : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP56\A0011294.dll -> Adware.BHO : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP57\A0011709.exe -> Trojan.Sinowal.n : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP57\A0011710.dll -> Trojan.Sinowal.m : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP57\A0011711.dll -> Trojan.Sinowal.m : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP57\A0011712.exe -> Trojan.Sinowal.m : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP57\A0011713.dll -> Trojan.Sinowal.m : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011718.exe -> Proxy.Agent.jw : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011720.exe -> Proxy.Small.bt : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011721.exe -> Trojan.Sinowal.n : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011722.exe -> Trojan.Sinowal.m : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011725.exe -> Proxy.Small.bo : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011726.exe -> Trojan.Small : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011729.exe -> Hijacker.Small : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011731.exe -> Trojan.Small : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011733.exe -> Trojan.Small : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011736.exe -> Trojan.Small : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011737.exe -> Trojan.Spabot.x : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011738.exe -> Trojan.Small : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011739.exe -> Downloader.Small : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011740.dll -> Downloader.Agent.afl : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011747.exe -> Logger.Delf.ig : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011748.dll -> Trojan.Sinowal.m : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011749.dll -> Trojan.Sinowal.m : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012698.exe -> Downloader.Small.csn : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012702.exe -> Logger.Delf.ig : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012705.exe -> Proxy.Agent.jw : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012709.exe -> Proxy.Small.bt : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012712.exe -> Trojan.Small : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012713.exe -> Trojan.Small : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012714.exe -> Trojan.Small : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012715.exe -> Trojan.Spabot.x : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012716.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012717.exe -> Trojan.Sinowal.n : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012718.exe -> Downloader.Small.ctk : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012719.exe -> Downloader.Small.cug : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012720.dll -> Trojan.Sinowal.m : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012721.dll -> Trojan.Sinowal.m : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012722.dll -> Trojan.Sinowal.m : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012723.dll -> Trojan.Sinowal.m : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012724.exe -> Trojan.Sinowal.m : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012727.dll -> Trojan.Sinowal.m : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012728.exe -> Downloader.Small : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012754.exe -> Downloader.Small.csn : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012756.exe -> Logger.Delf.ig : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012758.exe -> Trojan.Sinowal.n : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012761.dll -> Trojan.Sinowal.m : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012762.exe -> Trojan.Sinowal.m : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012764.exe -> Proxy.Agent.jw : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012765.dll -> Trojan.Sinowal.m : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012768.exe -> Trojan.Small : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012769.exe -> Proxy.Small.bt : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012770.exe -> Trojan.Small : Cleaned without backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012773.exe -> Trojan.Spabot.x : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012774.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012775.exe -> Downloader.Small.ctk : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012777.exe -> Downloader.Small.cug : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012779.exe -> Downloader.Small.cre : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012780.exe -> Downloader.Small.ctk : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012781.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012782.exe -> Logger.Delf.nj : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012783.dll -> Rootkit.Delf.e : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012784.dll -> Logger.Banker.wa : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012786.exe -> Downloader.Small.csn : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012787.exe -> Proxy.Small.bo : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012788.exe -> Proxy.Small.bo : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012789.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012791.exe -> Hijacker.Small.kr : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012794.dll -> Adware.Spysheriff : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012795.dll -> Adware.Spysheriff : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012796.dll -> Adware.Spysheriff : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012797.dll -> Adware.Spysheriff : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012844.dll -> Trojan.Sinowal.m : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012850.exe -> Logger.Delf.ig : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012856.exe -> Proxy.Agent.jw : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012859.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012860.exe -> Trojan.Sinowal.n : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012861.exe -> Proxy.Small.bt : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012862.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012863.exe -> Trojan.Spabot.x : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012864.dll -> Trojan.Sinowal.m : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012865.exe -> Trojan.Sinowal.m : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012866.exe -> Downloader.Small.cre : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012867.dll -> Trojan.Sinowal.m : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012868.exe -> Downloader.Small.ctk : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012869.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012872.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012873.exe -> Downloader.Small.ctk : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012875.exe -> Downloader.Small.cug : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012880.exe -> Downloader.Small.csn : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012881.exe -> Proxy.Small.bo : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012882.exe -> Proxy.Small.bo : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012885.exe -> Hijacker.Small.kr : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012889.dll -> Adware.Ihbo : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012890.exe -> Trojan.LdPinch.amh : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012893.exe -> Worm.Delf.i : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012896.exe -> Logger.Delf.ig : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012897.exe -> Logger.Delf.ig : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012898.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012899.exe -> Proxy.Small.bt : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012900.exe -> Downloader.CWS.s : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012901.exe -> Hijacker.StartPage.adi : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012902.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012903.dll -> Proxy.Agent.ji : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012904.exe -> Proxy.Wopla.r : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012905.dll -> Proxy.Wopla.s : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012906.exe -> Proxy.Wopla.r : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012907.dll -> Proxy.Lager.aq : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012908.exe -> Downloader.Agent.hy : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012909.exe -> Trojan.Spabot.x : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012910.exe -> Downloader.Small.cug : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012911.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012912.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012913.exe -> Downloader.Small.ctk : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012914.exe -> Proxy.Small.du : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012915.exe -> Proxy.Small.bo : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012916.exe -> Downloader.Small.csn : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012917.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012918.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012919.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012920.exe -> Downloader.Agent.akj : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012921.sys -> Downloader.Hanlo.r : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012922.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012923.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012924.dll -> Proxy.Agent.df : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012925.exe -> Trojan.Spabot.x : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012926.exe -> Logger.Delf.mq : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012927.exe -> Proxy.Small.bo : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012928.exe -> Downloader.Small.ctk : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012929.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012930.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012931.dll -> Adware.BHO : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012932.exe -> Downloader.Agent.akj : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012933.exe -> Trojan.Small : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012934.dll -> Trojan.Sinowal.m : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012935.dll -> Downloader.Agent.afl : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0013039.exe -> Downloader.Small.csn : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0013113.dll -> Downloader.Small.aul : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0013114.dll -> Downloader.Small.aul : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015028.dll -> Backdoor.Haxdoor.ii : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015033.sys -> Backdoor.Haxdoor.ii : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015034.sys -> Backdoor.Haxdoor.ig : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015035.sys -> Backdoor.Haxdoor.ii : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015036.dll -> Backdoor.Haxdoor.ii : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015037.sys -> Backdoor.Haxdoor.ig : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015042.exe -> Downloader.Small.csn : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015043.exe -> Downloader.Small.csn : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015045.dll -> Proxy.Xorpix.v : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015053.exe -> Trojan.Sinowal.n : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015055.exe -> Downloader.Small.csn : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015057.exe -> Hijacker.Small : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015060.exe -> Downloader.Small : Cleaned with backup
C:\System Volume Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP61\A0015062.dll -> Proxy.Lager.aq : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP816\A0095396.dll -> Downloader.Braidupdate.d : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP846\A0111206.dll -> Adware.Aws : Cleaned with backup
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP869\A0119721.DLL -> Hijacker.Agent.dh : Cleaned with backup
C:\Windows\file1.exe -> Dropper.Agent.apb : Cleaned with backup
C:\Windows\OEM.exe -> Proxy.Agent.jw : Cleaned with backup
C:\Windows\system32\bak.tmp -> Logger.Delf.nj : Cleaned with backup
C:\Windows\system32\mpcsvc.exe -> Proxy.Small.du : Cleaned with backup
C:\Windows\system32\system.exe -> Logger.Delf.nj : Cleaned with backup
C:\Windows\system32\win32.dll -> Logger.Banker.wa : Cleaned with backup
C:\Windows\system32\winup.dll -> Rootkit.Delf.e : Cleaned with backup
::Report End
HJT log
Logfile of HijackThis v1.99.1
Scan saved at 7:34:25 PM, on 5/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Tom.KITCHEN\Desktop\HijackThis.exe
O1 - Hosts: 84.252.148.80 www.bankone.com
O1 - Hosts: 84.252.148.80 bankone.com
O1 - Hosts: 84.252.148.80 halifax.com
O1 - Hosts: 84.252.148.80 www.halifax.com
O1 - Hosts: 84.252.148.80 halifax.co.uk
O1 - Hosts: 84.252.148.80 www.halifax.co.uk
O1 - Hosts: 84.252.148.80 www.bankofamerica.com
O1 - Hosts: 84.252.148.80 bankofamerica.com
O1 - Hosts: 84.252.148.80 www.paypal.com
O1 - Hosts: 84.252.148.80 paypal.com
O1 - Hosts: 84.252.148.80 www.lloydstsb.com
O1 - Hosts: 84.252.148.80 lloydstsb.com
O1 - Hosts: 84.252.148.80 www.lloydstsb.co.uk
O1 - Hosts: 84.252.148.80 lloydstsb.co.uk
O1 - Hosts: 84.252.148.80 www.garanti.com.tr
O1 - Hosts: 84.252.148.80 garanti.com.tr
O1 - Hosts: 84.252.148.80 www.kocbank.com.tr
O1 - Hosts: 84.252.148.80 kocbank.com.tr
O1 - Hosts: 84.252.148.80 www.disbank.com.tr
O1 - Hosts: 84.252.148.80 disbank.com.tr
O1 - Hosts: 84.252.148.80 www.chase.com
O1 - Hosts: 84.252.148.80 chase.com
O1 - Hosts: 84.252.148.80 www.southtrust.com
O1 - Hosts: 84.252.148.80 southtrust.com
O1 - Hosts: 84.252.148.80 www.wachovia.com
O1 - Hosts: 84.252.148.80 wachovia.com
O1 - Hosts: 84.252.148.80 www.wellsfargo.com
O1 - Hosts: 84.252.148.80 wellsfargo.com
O1 - Hosts: 84.252.148.80 www.barclays.co.uk
O1 - Hosts: 84.252.148.80 barclays.co.uk
O1 - Hosts: 84.252.148.80 www.barclays.com
O1 - Hosts: 84.252.148.80 barclays.com
O1 - Hosts: 84.252.148.80 www.barclays.pt
O1 - Hosts: 84.252.148.80 barclays.pt
O1 - Hosts: 84.252.148.80 www.barclays.pt
O1 - Hosts: 84.252.148.80 barclays.pt
O1 - Hosts: 84.252.148.80 www.citi.com
O1 - Hosts: 84.252.148.80 citi.com
O1 - Hosts: 84.252.148.80 www.citibank.com
O1 - Hosts: 84.252.148.80 citibank.com
O1 - Hosts: 84.252.148.80 www.etrade.com
O1 - Hosts: 84.252.148.80 etrade.com
O1 - Hosts: 84.252.148.80 www.neteller.com
O1 - Hosts: 84.252.148.80 neteller.com
O1 - Hosts: 84.252.148.80 tcfbank.com
O1 - Hosts: 84.252.148.80 www.tcfbank.com
O1 - Hosts: 84.252.148.80 hsbc.com
O1 - Hosts: 84.252.148.80 www.hsbc.com
O1 - Hosts: 84.252.148.80 hsbc.co.uk
O1 - Hosts: 84.252.148.80 www.hsbc.co.uk
O1 - Hosts: 84.252.148.80 aol.com
O1 - Hosts: 84.252.148.80 www.aol.com
O1 - Hosts: 84.252.148.80 comerica.com
O1 - Hosts: 84.252.148.80 www.comerica.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_04\bin\npjpi141_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_04\bin\npjpi141_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_04) - http://216.157.219.18:8011/webapps/c...-1_4_1-win.exe
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\20242402.dll (file missing)
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\polymorph.dll (file missing)
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS2\System32\mnmsrvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS2\system32\sessmgr.exe (file missing)
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
Thanks a lot for your help, and let me know if I missed anything or still have more to do. Thanks.
Still more to do. Did you run Hoster? Now please check these items in HJT.
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_04) - http://216.157.219.18:8011/webapps/c...-1_4_1-win.exe
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\20242402.dll (file missing)
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\polymorph.dll (file missing)
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
Click Fix Checked.
________________________________________________
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Restart your computer.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.
System Restore will now be active again.
store points which are likely to be infected)
Post another log
Hang in there
Firefox
Ewido
Tune up windows
Get detailed system information
My Fixes
Member - Alliance of Security Analysis Professionals - Since 2006
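The O1 entries in the log above all send banking domains to one non-loopback address, which is what HijackThis flags and what Hoster resets. As an added example, not code from the thread, from HijackThis or from Hoster, here is a small Python checker that reads hosts-file lines (or the HJT "O1 - Hosts:" lines directly), ignores loopback entries, and groups the rest by target address so a mass redirect like this stands out. The sample input is constructed from three lines of the log plus a normal hosts header.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: three lines copied from the thread's HJT log plus a
# normal hosts-file header and one harmless LAN entry, so the checker sees
# both clean and suspicious input.
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
O1 - Hosts: 84.252.148.80 www.bankone.com
O1 - Hosts: 84.252.148.80 bankone.com
O1 - Hosts: 84.252.148.80 www.paypal.com
192.168.1.10    printer.lan   # constructed LAN entry: one host, not a mass redirect
"""

HJT_PREFIX = "O1 - Hosts: "


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file or HijackThis O1 lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments
        if line.startswith(HJT_PREFIX):            # accept pasted HJT lines too
            line = line[len(HJT_PREFIX):].strip()
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                               # not a hosts entry
        for host in parts[1:]:                     # one IP may list several names
            yield ip, host.lower()


def suspicious_redirects(text, min_hosts=2):
    """Group non-loopback entries by target address and return
    {ip_string: sorted hostnames} for every target that captures at least
    min_hosts distinct names. Loopback and unspecified targets (the usual
    ad-blocking style) are ignored, since they cannot redirect traffic."""
    by_ip = defaultdict(set)
    for ip, host in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue
        by_ip[str(ip)].add(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    for ip, hosts in suspicious_redirects(SAMPLE).items():
        print(f"{ip} captures {len(hosts)} names: {', '.join(hosts)}")
```

Run it against a copied hosts file (or a pasted HJT log) instead of SAMPLE; a single address capturing many unrelated bank and payment domains is the pattern to treat as a hijack rather than a local override.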
Alright, I re-ran Hoster (I had run it, but whatever I changed reverted back), I did the System Restore stuff, and the HJT stuff.
Here is my new HJT log; I'm not sure what others you'd want to see, if any.
Logfile of HijackThis v1.99.1
Scan saved at 8:08:29 PM, on 5/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Tom.KITCHEN\Desktop\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS2\System32\mnmsrvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS2\system32\sessmgr.exe (file missing)
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
Hi tsahajdack,
Your latest HJT log is clean
However, I'd recommend that you keep the computer off the Internet as much as possible until tayspen comes back online and is able to sign off on this.
"May the Wombat of Happiness snuffle through your underbrush."
- Ancient Aborigine blessing
Please do not contact me by email or PM for help. We're all volunteers here, and only have so much free time to dedicate to our efforts.
However, if I've been working on a thread with you already, and seem to have "forgotten" your thread, please do send me a message. I try not to let things slip through the cracks, but it does happen sometimes.
Hey there. Congrats on the clean log. In order to keep yourself clean you will need to do a few things. The biggest would be installing Service Pack 2, an official Microsoft update that adds new features to Windows, as well as much more security.
More info and installation of SP2: http://www.microsoft.com/windowsxp/s...hattoknow.mspx
You will also need to get an antivirus. I recommend ewido. It works well and is free for 14 days; even after the 14 days you can still use it, you just won't get the auto update feature.
That's really about it; the main thing you need to do is get AV software and SP2.
Happy Computing.
Firefox
Ewido
Tune up windows
Get detailed system information
My Fixes
Member - Alliance of Security Analysis Professionals - Since 2006