I recently had problems with spy sheriff, but I'm pretty sure I was able to get rid of it. However, since then I've been getting two pop-up windows each time I log in telling me that winlogon.exe cannot be found. I've looked on the web and different sites say different things about winlogon (it is for sure winlogon.exe and not winlogin.exe). Should I try to find a way to replace the file? Is it there, just infected with something? Any info would be appreciated.

Here's my HJT log...

Logfile of HijackThis v1.99.1
Scan saved at 12:21:31 PM, on 5/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\mpcsvc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\system.exe
C:\WINDOWS\System32\6e730662.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Tom.KITCHEN\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.phillipswest.org
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS2\system32\userinit.exe,
O1 - Hosts: 84.252.148.80 www.bankone.com
O1 - Hosts: 84.252.148.80 bankone.com
O1 - Hosts: 84.252.148.80 halifax.com
O1 - Hosts: 84.252.148.80 www.halifax.com
O1 - Hosts: 84.252.148.80 halifax.co.uk
O1 - Hosts: 84.252.148.80 www.halifax.co.uk
O1 - Hosts: 84.252.148.80 www.bankofamerica.com
O1 - Hosts: 84.252.148.80 bankofamerica.com
O1 - Hosts: 84.252.148.80 www.paypal.com
O1 - Hosts: 84.252.148.80 paypal.com
O1 - Hosts: 84.252.148.80 www.lloydstsb.com
O1 - Hosts: 84.252.148.80 lloydstsb.com
O1 - Hosts: 84.252.148.80 www.lloydstsb.co.uk
O1 - Hosts: 84.252.148.80 lloydstsb.co.uk
O1 - Hosts: 84.252.148.80 www.garanti.com.tr
O1 - Hosts: 84.252.148.80 garanti.com.tr
O1 - Hosts: 84.252.148.80 www.kocbank.com.tr
O1 - Hosts: 84.252.148.80 kocbank.com.tr
O1 - Hosts: 84.252.148.80 www.disbank.com.tr
O1 - Hosts: 84.252.148.80 disbank.com.tr
O1 - Hosts: 84.252.148.80 www.chase.com
O1 - Hosts: 84.252.148.80 chase.com
O1 - Hosts: 84.252.148.80 www.southtrust.com
O1 - Hosts: 84.252.148.80 southtrust.com
O1 - Hosts: 84.252.148.80 www.wachovia.com
O1 - Hosts: 84.252.148.80 wachovia.com
O1 - Hosts: 84.252.148.80 www.wellsfargo.com
O1 - Hosts: 84.252.148.80 wellsfargo.com
O1 - Hosts: 84.252.148.80 www.barclays.co.uk
O1 - Hosts: 84.252.148.80 barclays.co.uk
O1 - Hosts: 84.252.148.80 www.barclays.com
O1 - Hosts: 84.252.148.80 barclays.com
O1 - Hosts: 84.252.148.80 www.barclays.pt
O1 - Hosts: 84.252.148.80 barclays.pt
O1 - Hosts: 84.252.148.80 www.barclays.pt
O1 - Hosts: 84.252.148.80 barclays.pt
O1 - Hosts: 84.252.148.80 www.citi.com
O1 - Hosts: 84.252.148.80 citi.com
O1 - Hosts: 84.252.148.80 www.citibank.com
O1 - Hosts: 84.252.148.80 citibank.com
O1 - Hosts: 84.252.148.80 www.etrade.com
O1 - Hosts: 84.252.148.80 etrade.com
O1 - Hosts: 84.252.148.80 www.neteller.com
O1 - Hosts: 84.252.148.80 neteller.com
O1 - Hosts: 84.252.148.80 tcfbank.com
O1 - Hosts: 84.252.148.80 www.tcfbank.com
O1 - Hosts: 84.252.148.80 hsbc.com
O1 - Hosts: 84.252.148.80 www.hsbc.com
O1 - Hosts: 84.252.148.80 hsbc.co.uk
O1 - Hosts: 84.252.148.80 www.hsbc.co.uk
O1 - Hosts: 84.252.148.80 aol.com
O1 - Hosts: 84.252.148.80 www.aol.com
O1 - Hosts: 84.252.148.80 comerica.com
O1 - Hosts: 84.252.148.80 www.comerica.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\Windows\system32\winbrume.dll (file missing)
O2 - BHO: Mega! - {8BC6346B-FFB0-4435-ACE3-FACA6CD77816} - C:\DOCUME~1\TOM~1.KIT\LOCALS~1\Temp\MegaHost.dll (file missing)
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - HKLM\..\Run: [SiS Mpc Service] C:\WINDOWS\System32\mpcsvc.exe
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\inet20001\socks.exe
O4 - HKLM\..\Run: [HotKeysCmd] C:\WINDOWS\System32\system.exe
O4 - HKLM\..\Run: [6e730662.exe] C:\WINDOWS\System32\6e730662.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [6e730662.exe] C:\Documents and Settings\Tom.KITCHEN\Local Settings\Application Data\6e730662.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_04\bin\npjpi141_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_04\bin\npjpi141_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {564EC66E-5A1B-51D3-1DB0-5080C83DA4EB} - ms-its:mhtml:file://C:ie.mht!http://69.50.164.12/exp/mht/sext01.chm::/MegaInstaller.exe
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_04) - http://216.157.219.18:8011/webapps/client-lib//j2re-1_4_1-win.exe
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\20242402.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\polymorph.dll
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - (no file)
O21 - SSODL: KnBzcvycFuzo - {5C735185-F6D9-FB2F-6E29-E91A77CFAB94} - C:\WINDOWS\System32\obp.dll (file missing)
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - (no file)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS2\System32\mnmsrvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS2\system32\sessmgr.exe (file missing)
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe


Hi, and welcome to DaniWeb. Please run HJT again, select Do system scan only. Then check these items.

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html

R3 - Default URLSearchHook is missing

F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS2\system32\userinit.exe,

O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\Windows\system32\winbrume.dll (file missing)

O2 - BHO: Mega! - {8BC6346B-FFB0-4435-ACE3-FACA6CD77816} - C:\DOCUME~1\TOM~1.KIT\LOCALS~1\Temp\MegaHost.dll (file missing)

O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe

O4 - HKLM\..\Run: [SiS Mpc Service] C:\WINDOWS\System32\mpcsvc.exe

O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\inet20001\socks.exe

O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\inet20001\socks.exe

O4 - HKLM\..\Run: [6e730662.exe] C:\WINDOWS\System32\6e730662.exe

O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl

O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe

O4 - HKCU\..\Run: [6e730662.exe] C:\Documents and Settings\Tom.KITCHEN\Local Settings\Application Data\6e730662.exe

O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe

O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe

O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe

O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe

O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS

O16 - DPF: {564EC66E-5A1B-51D3-1DB0-5080C83DA4EB} - ms-its:mhtml:file://C:ie.mht!http://69.50.164.12/exp/mht/sext01.c...aInstaller.e xe

O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\20242402.dll

O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\polymorph.dll

O20 - Winlogon Notify: winm32 - C:\WINDOWS\SYSTEM32\winm32.dll

O21 - SSODL: KnBzcvycFuzo - {5C735185-F6D9-FB2F-6E29-E91A77CFAB94} - C:\WINDOWS\System32\obp.dll (file missing)

O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - (no file)

Close ALL browsers and click Fix Checked

________________________________________________________

Begin by downloading CCleaner, and specifically choosing the most recent version.

Then, follow these steps:

1. Close all programs so that you are at your desktop.
2. Double-click on the "My Computer" icon.
3. Select the "Tools" menu and click "Folder Options".
4. After the new window appears select the "View" tab.
5. Place a checkmark in the checkbox labeled "Display the contents of system folders".
6. Under the "Hidden files and folders" section select the radio button labeled "Show hidden files and folders".
7. Remove the checkmark from the checkbox labeled "Hide file extensions for known file types".
8. Remove the checkmark from the checkbox labeled "Hide protected operating system files".
9. Press the "Apply" button and then the "OK" button and shutdown My Computer.
10. Now your computer is configured to show all hidden files.

Now, install the program. Open it, and choose the 'Options' tab. Inside, hit the 'Custom' tab, and add the following folders (Note: Not all of these files are on every computer. If one of these isn't present, skip it):

C:\Windows\Temp
C:\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temp
C:\Documents and Settings\<Every user listed>\Local Settings\Temporary Internet Files\Content.IE5
C:\Documents and Settings\<Every user listed>\Local Settings\History
C:\Documents and Settings\<Every user listed>\Cookies
C:\Windows\Prefetch

After doing this, move back to the 'Cleaner' tab, and inside this, be sure you're open to the 'Windows' tab. Inside, check the box labeled 'Custom Files and Folders'.

Next, after following all of these steps, you're ready to scan. Run scans in both the 'Cleaner' and 'Issues'. Note: It might take several scans in each to remove all of the junk.

________________________________________________________


Download Hoster.

  • Unzip Hoster to C:\Hoster.
  • Run Hoster.exe from its new home.
  • Click "Make Hosts Writable?" in the upper right corner (if available).
  • Click Restore Original Hosts and then click OK.
  • Click the X to exit the program.

Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

________________________________________________________
Download about:buster Here.
Download CWShredder Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Update About:Buster

  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster

Update CWShredder

  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder

Boot into Safe Mode
(by hitting the F8 key repeatedly at the bootup screen until a menu shows up, then choosing Safe Mode from the list)

Please run about:buster:

  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again

Run about:buster again following the same instructions as above, this time without the restart at the end

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything it asks about.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files (if present)
  • Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.

It may ask you to log-off/reboot at the end, if it does please do so.

_______________________________________________________

Download haxfix.exe.
Save it to your desktop.
Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files)
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
A red "dos window" (dos box) will open.
This message will appear:

Insert the haxdoor notify subkey without the numbers,
and then press enter:

At this point please type the following: winm32.dll
Press Enter to continue with the fix.

If an infection is found, you'll get a message to close all other open windows.
Close them, except the red dos window from haxfix and press Enter.
The computer will reboot.
After reboot find the logfile c:\haxfix.txt.
Post the contents of c:\haxfix.txt along with a new HijackThis log.

_______________________________________________________

Please download Pocket Killbox by O^E.

  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\Windows\system32\winbrume.dll

    C:\WINDOWS\inet20001\socks.exe

    C:\WINDOWS\System32\6e730662.exe

    C:\winstall.exe

    C:\Documents and Settings\Tom.KITCHEN\Local Settings\Application Data\6e730662.exe

    C:\WINDOWS\System32\0mcamcap.exe

    C:\Windows\xpupdate.exe

    C:\WINDOWS\inet20001\winlogon.exe

    C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\20242402.dll

    C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\polymorph.dll

    C:\WINDOWS\System32\obp.dll


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

________________________________________________________

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm


You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :

  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, a menu with options should appear;
  • Select the first option, to run Windows in Safe Mode, then press "Enter".
  • Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning : running option #2 on a non infected computer will remove your Desktop background.
________________________________________________________

Then please run ewido and post that log, along with the aboutbuster, haxfix, smitfraudfix, and a new HJT log.

HANG IN THERE, YOU ARE LOADED!
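The entries selected for fixing in the reply above fall into a few recognisable patterns: one hosts-file address serving several unrelated sites, a UserInit value that launches more than one program, and autoruns that reuse a core Windows process name from the wrong folder. The following Python script is an added example, not part of the thread and not HijackThis's own logic; it flags those three patterns in a HijackThis log. The rule names, the core-process list and the thresholds are assumptions, and the sample input is an excerpt of the log posted above.

```python
import ntpath
import re
from collections import defaultdict

# Excerpt of the HijackThis log posted in this thread (not the full log).
SAMPLE_LOG = r"""
F3 - REG:win.ini: run=C:\WINDOWS\inet20001\winlogon.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS2\system32\userinit.exe,
O1 - Hosts: 84.252.148.80 www.paypal.com
O1 - Hosts: 84.252.148.80 paypal.com
O1 - Hosts: 84.252.148.80 www.chase.com
O1 - Hosts: 84.252.148.80 chase.com
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20001\winlogon.exe
O4 - HKCU\..\Run: [System] C:\WINDOWS\svchost.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS
"""

# Assumption: process names that normally run only from ...\system32.
CORE_PROCESSES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe",
                  "csrss.exe", "smss.exe", "userinit.exe"}
# Addresses commonly used by benign blocking hosts files; ignored here.
LOOPBACK = {"127.0.0.1", "0.0.0.0"}

HOSTS_RE = re.compile(r"^O1 - Hosts: (\S+)\s+(\S+)")
USERINIT_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$", re.I)
AUTORUN_RE = re.compile(
    r"^(?:O4 - \S+: \[[^\]]*\] |F3 - REG:win\.ini: run=)(.+)$")
EXE_RE = re.compile(r'^"?(.+?\.exe)\b', re.I)


def exe_path(command):
    """Return the executable part of an autorun command line, or None."""
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else None


def masquerades(path):
    """True if a core process name is used from outside a system32 folder."""
    directory, name = ntpath.split(path)
    if not directory or name.lower() not in CORE_PROCESSES:
        return False  # bare names and ordinary programs are not judged here
    return not directory.lower().endswith("\\system32")


def triage(log_text):
    """Return de-duplicated (rule, detail) findings for a HijackThis log."""
    findings = []
    hosts = defaultdict(set)

    def report(rule, detail):
        if (rule, detail) not in findings:
            findings.append((rule, detail))

    for line in log_text.splitlines():
        line = line.strip()
        if m := HOSTS_RE.match(line):
            ip, name = m.groups()
            if ip not in LOOPBACK:
                hosts[ip].add(name.lower().removeprefix("www."))
        elif m := USERINIT_RE.match(line):
            # The stock value holds a single userinit.exe entry.
            entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
            if len(entries) > 1 or any(masquerades(e) for e in entries):
                report("userinit", entries)
        elif m := AUTORUN_RE.match(line):
            path = exe_path(m.group(1))
            if path and masquerades(path):
                report("masquerade", path)

    # Several different sites pinned to one non-loopback address.
    for ip, names in sorted(hosts.items()):
        if len(names) > 1:
            report("hosts-redirect", (ip, sorted(names)))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LOG):
        print(f"{rule:15} {detail}")
```

These rules only cover name and location patterns; an entry such as winm32.dll, which sits inside system32, still needs a signature-based tool like the ones listed in the reply.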

Oh boy, guess I am... well, I am thoroughly depressed.

But anyway, I am trying to go through the steps you gave (thank you very much by the way) but every time I try to clean with CCleaner it gives me the "has encountered an error and needs to close" message. Do I need to run this in safe mode as well?

It does clean out all the "issues" though.

Thanks again.

Sure, try it in safe mode. If it fails, just skip that step.

Alright, finally got through it all. Here are the logs you requested, although I couldn't figure out how to get a log from aboutBuster.

SmitFraudFix After cleaning

SmitFraudFix v2.44
Scan done at 18:48:15.17, Wed 05/17/2006
Run from C:\Documents and Settings\Tom.KITCHEN\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]
»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\country.exe Deleted
C:\exit Deleted
C:\kl1.exe Deleted
C:\ms1.exe Deleted
C:\tool1.exe Deleted
C:\tool4.exe Deleted
C:\tool5.exe Deleted
C:\toolbar.exe Deleted
C:\uniq Deleted
C:\WINDOWS\system32\dlh9jkdq?.exe Deleted
C:\WINDOWS\system32\taskdir.dll Deleted
C:\WINDOWS\system32\taskdir.exe Deleted
C:\WINDOWS\system32\vxgame?.exe Deleted
C:\WINDOWS\system32\vxgame?.exe????.exe Deleted
C:\WINDOWS\system32\zlbw.dll Deleted
C:\Documents and Settings\Tom.KITCHEN\Application Data\Install.dat Deleted
C:\Program Files\secure32.html Deleted
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» End


HaxFix after cleaning (I didn't get the message you said would come up, but I typed in that code at the main screen and I think it still worked...)


--------------
version 2.42
Wed 05/17/2006 18:29:36.01

Auto Haxdoorfix


haxdoor key: winm
searching for services....
services found
deleting services.....
[SWSC] DeleteService SUCCESS
[SWSC] DeleteService SUCCESS


rebooting the computer.....


haxdoor key: winm
searching for services....
services not found

checking if files are found.....
winm32.dll
winm32.sys
winm64.sys

deleting files.....
checking if files are deleted.....

checking for other files.....
qy.sys
qz.dll
qz.sys
klogini.dll
p3.ini
ps.a3d

deleting other files.....
checking if the files are deleted.....

Finished


Ewido Log

ewido anti-malware - Scan report
---------------------------------------------------------
+ Created on: 7:33:45 PM, 5/17/2006
+ Report-Checksum: D57D3784
+ Scan result:
HKU\S-1-5-21-515967899-1202660629-725345543-1004\Software\Microsoft\Internet
Explorer\Keywords -> Adware.CoolWebSearch : Cleaned with backup
[1656] C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00061.dll ->
Trojan.Sinowal.m : Cleaned with backup
[1800] C:\WINDOWS\System32\system.exe -> Logger.Delf.nj : Cleaned with backup
C:\!KillBox\6e730662.exe -> Downloader.Small.csn : Cleaned with backup
C:\!KillBox\6e730662.exe( 1) -> Downloader.Small.csn : Cleaned with backup
C:\Documents and Settings\Parents.KITCHEN\Local Settings\Application Data\6e730662.exe ->
Downloader.Small.csn : Cleaned with backup
C:\Documents and Settings\Parents.KITCHEN\Start Menu\Programs\SpySheriff ->
Adware.SpySheriff : Cleaned with backup
C:\Documents and Settings\Parents.KITCHEN\Start Menu\Programs\SpySheriff\SpySheriff.lnk
-> Adware.SpySheriff : Cleaned with backup
C:\Documents and Settings\Tom\Application
Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv479.jar-22d4df3e-32ad7393.zip/Dummy.class
-> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup
C:\Documents and Settings\Tom.KITCHEN\Cookies\tom@citi.bridgetrack[2].txt ->
TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Tom.KITCHEN\My Documents\MGBSetup-dm.exe -> Adware.Trymedia :
Cleaned with backup
C:\Documents and Settings\Tom.KITCHEN\My Documents\My
downloads\zips\CelticKings_Setup-dm.exe -> Adware.Trymedia : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00060.dll ->
Trojan.Sinowal.m : Cleaned without backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00061.dll ->
Trojan.Sinowal.m : Cleaned without backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00061.exe ->
Trojan.Sinowal.m : Cleaned without backup
C:\Program Files\Internet Explorer\loader.exe -> Downloader.Agent.akj : Cleaned without
backup
C:\Program Files\Internet Explorer\update.exe -> Adware.BHO : Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP15\A0010129.dll ->
Downloader.Small.aul : Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP42\A0011244.exe -> Adware.BHO :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP43\A0011248.exe -> Adware.BHO :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP44\A0011250.exe -> Adware.BHO :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP45\A0011253.exe -> Adware.BHO :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP49\A0011279.exe -> Adware.BHO :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP50\A0011281.exe -> Adware.BHO :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP52\A0011283.exe -> Adware.BHO :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP53\A0011288.exe -> Adware.BHO :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP54\A0011289.exe -> Adware.BHO :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP55\A0011290.exe -> Adware.BHO :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP56\A0011291.exe -> Adware.BHO :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP56\A0011294.dll -> Adware.BHO :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP57\A0011709.exe -> Trojan.Sinowal.n
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP57\A0011710.dll -> Trojan.Sinowal.m
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP57\A0011711.dll -> Trojan.Sinowal.m
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP57\A0011712.exe -> Trojan.Sinowal.m
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP57\A0011713.dll -> Trojan.Sinowal.m
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011718.exe -> Proxy.Agent.jw :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011720.exe -> Proxy.Small.bt :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011721.exe -> Trojan.Sinowal.n
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011722.exe -> Trojan.Sinowal.m
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011725.exe -> Proxy.Small.bo :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011726.exe -> Trojan.Small :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011729.exe -> Hijacker.Small :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011731.exe -> Trojan.Small :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011733.exe -> Trojan.Small :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011736.exe -> Trojan.Small :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011737.exe -> Trojan.Spabot.x :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011738.exe -> Trojan.Small :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011739.exe -> Downloader.Small
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011740.dll ->
Downloader.Agent.afl : Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011747.exe -> Logger.Delf.ig :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011748.dll -> Trojan.Sinowal.m
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0011749.dll -> Trojan.Sinowal.m
: Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012698.exe ->
Downloader.Small.csn : Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012702.exe -> Logger.Delf.ig :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012705.exe -> Proxy.Agent.jw :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012709.exe -> Proxy.Small.bt :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012712.exe -> Trojan.Small :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012713.exe -> Trojan.Small :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012714.exe -> Trojan.Small :
Cleaned without backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012715.exe -> Trojan.Spabot.x :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012716.exe -> Trojan.Small :
Cleaned with backup
C:\System Volume
Information\_restore{71522226-01FF-48AE-8735-47AE474AB51D}\RP58\A0012717.exe -> Trojan.Sinowal.n
: Cleaned without backup
C:\System Volume
C:\Windows\file1.exe -> Dropper.Agent.apb : Cleaned with backup
C:\Windows\OEM.exe -> Proxy.Agent.jw : Cleaned with backup
C:\Windows\system32\bak.tmp -> Logger.Delf.nj : Cleaned with backup
C:\Windows\system32\mpcsvc.exe -> Proxy.Small.du : Cleaned with backup
C:\Windows\system32\system.exe -> Logger.Delf.nj : Cleaned with backup
C:\Windows\system32\win32.dll -> Logger.Banker.wa : Cleaned with backup
C:\Windows\system32\winup.dll -> Rootkit.Delf.e : Cleaned with backup

::Report End


HJT log

Logfile of HijackThis v1.99.1
Scan saved at 7:34:25 PM, on 5/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Tom.KITCHEN\Desktop\HijackThis.exe
O1 - Hosts: 84.252.148.80 www.bankone.com
O1 - Hosts: 84.252.148.80 bankone.com
O1 - Hosts: 84.252.148.80 halifax.com
O1 - Hosts: 84.252.148.80 www.halifax.com
O1 - Hosts: 84.252.148.80 halifax.co.uk
O1 - Hosts: 84.252.148.80 www.halifax.co.uk
O1 - Hosts: 84.252.148.80 www.bankofamerica.com
O1 - Hosts: 84.252.148.80 bankofamerica.com
O1 - Hosts: 84.252.148.80 www.paypal.com
O1 - Hosts: 84.252.148.80 paypal.com
O1 - Hosts: 84.252.148.80 www.lloydstsb.com
O1 - Hosts: 84.252.148.80 lloydstsb.com
O1 - Hosts: 84.252.148.80 www.lloydstsb.co.uk
O1 - Hosts: 84.252.148.80 lloydstsb.co.uk
O1 - Hosts: 84.252.148.80 www.garanti.com.tr
O1 - Hosts: 84.252.148.80 garanti.com.tr
O1 - Hosts: 84.252.148.80 www.kocbank.com.tr
O1 - Hosts: 84.252.148.80 kocbank.com.tr
O1 - Hosts: 84.252.148.80 www.disbank.com.tr
O1 - Hosts: 84.252.148.80 disbank.com.tr
O1 - Hosts: 84.252.148.80 www.chase.com
O1 - Hosts: 84.252.148.80 chase.com
O1 - Hosts: 84.252.148.80 www.southtrust.com
O1 - Hosts: 84.252.148.80 southtrust.com
O1 - Hosts: 84.252.148.80 www.wachovia.com
O1 - Hosts: 84.252.148.80 wachovia.com
O1 - Hosts: 84.252.148.80 www.wellsfargo.com
O1 - Hosts: 84.252.148.80 wellsfargo.com
O1 - Hosts: 84.252.148.80 www.barclays.co.uk
O1 - Hosts: 84.252.148.80 barclays.co.uk
O1 - Hosts: 84.252.148.80 www.barclays.com
O1 - Hosts: 84.252.148.80 barclays.com
O1 - Hosts: 84.252.148.80 www.barclays.pt
O1 - Hosts: 84.252.148.80 barclays.pt
O1 - Hosts: 84.252.148.80 www.barclays.pt
O1 - Hosts: 84.252.148.80 barclays.pt
O1 - Hosts: 84.252.148.80 www.citi.com
O1 - Hosts: 84.252.148.80 citi.com
O1 - Hosts: 84.252.148.80 www.citibank.com
O1 - Hosts: 84.252.148.80 citibank.com
O1 - Hosts: 84.252.148.80 www.etrade.com
O1 - Hosts: 84.252.148.80 etrade.com
O1 - Hosts: 84.252.148.80 www.neteller.com
O1 - Hosts: 84.252.148.80 neteller.com
O1 - Hosts: 84.252.148.80 tcfbank.com
O1 - Hosts: 84.252.148.80 www.tcfbank.com
O1 - Hosts: 84.252.148.80 hsbc.com
O1 - Hosts: 84.252.148.80 www.hsbc.com
O1 - Hosts: 84.252.148.80 hsbc.co.uk
O1 - Hosts: 84.252.148.80 www.hsbc.co.uk
O1 - Hosts: 84.252.148.80 aol.com
O1 - Hosts: 84.252.148.80 www.aol.com
O1 - Hosts: 84.252.148.80 comerica.com
O1 - Hosts: 84.252.148.80 www.comerica.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_04\bin\npjpi141_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.1_04\bin\npjpi141_04.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_04) - http://216.157.219.18:8011/webapps/client-lib//j2re-1_4_1-win.exe
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\20242402.dll (file missing)
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\polymorph.dll (file missing)
O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS2\System32\mnmsrvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS2\system32\sessmgr.exe (file missing)
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

Thanks a lot for your help, and let me know if I missed anything or still have more to do. Thanks.

Still more to do :). Did you run Hoster? Now please check these items in HJT.


O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.4.1_04) - http://216.157.219.18:8011/webapps/c...-1_4_1-win.exe

O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\20242402.dll (file missing)

O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users.WINDOWS2\Documents\Settings\polymorph.dll (file missing)

O20 - Winlogon Notify: SensSrv - senssrv.dll (file missing)

Click Fix Checked.

________________________________________________

Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files: (You will lose all previous restore points)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

System Restore will now be active again.

Post another log

Hang in there :)
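
Added example, not part of the original thread: a Python script for the triage the helper does by eye on the HijackThis log, grouping O1 hosts-file redirects by target address, listing O20/O23 autoruns marked "(file missing)", and flagging core system process names referenced outside System32. The sample log is constructed, and the function names and the list of system process names are assumptions.

```python
import re
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample in HijackThis 1.99.1 line format. Addresses, host names
# and file names are placeholders, not values taken from the thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\System32\svchost.exe
F3 - REG:win.ini: run=C:\WINDOWS\exampledir\winlogon.exe
O1 - Hosts: 203.0.113.10 www.bank.example
O1 - Hosts: 203.0.113.10 bank.example
O1 - Hosts: 203.0.113.10 pay.example
O1 - Hosts: 127.0.0.1 ads.example
O4 - HKLM\..\Run: [ExampleTray] "C:\Program Files\Example\tray.exe"
O20 - Winlogon Notify: examplereg - C:\Documents and Settings\All Users\example.dll (file missing)
O23 - Service: Example Service (ExSvc) - Unknown owner - C:\WINDOWS\System32\exsvc.exe
"""

ENTRY = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# Assumed list of process names that should only ever run from System32.
SYSTEM_NAMES = {"winlogon.exe", "lsass.exe", "services.exe",
                "csrss.exe", "smss.exe", "svchost.exe"}
SYSTEM_DIR = r"c:\windows\system32"


def parse_entries(log):
    """Return (section, body) pairs for every 'Xn - ...' line in the log."""
    entries = []
    for line in log.splitlines():
        match = ENTRY.match(line.strip())
        if match:
            entries.append((match.group(1), match.group(2)))
    return entries


def hosts_redirects(entries):
    """Group O1 hosts-file entries by target IP, skipping loopback sinkholes."""
    by_ip = defaultdict(list)
    for section, body in entries:
        match = re.match(r"Hosts: (\S+) (\S+)$", body)
        if section != "O1" or not match:
            continue
        address, host = match.groups()
        try:
            if ip_address(address).is_loopback:
                continue
        except ValueError:
            pass  # unparsable address: keep the entry for manual review
        by_ip[address].append(host)
    return dict(by_ip)


def dangling_autoruns(entries):
    """O20/O23 entries whose target HijackThis reports as '(file missing)'."""
    return [(section, body) for section, body in entries
            if section in ("O20", "O23") and body.endswith("(file missing)")]


def masquerading_paths(log):
    """.exe paths that use a core system process name outside System32."""
    hits = []
    for path in re.findall(r"[A-Za-z]:\\[^\"\r\n]*?\.exe", log, flags=re.I):
        directory, _, name = path.rpartition("\\")
        if name.lower() in SYSTEM_NAMES and directory.lower() != SYSTEM_DIR:
            hits.append(path)
    return hits


if __name__ == "__main__":
    parsed = parse_entries(SAMPLE_LOG)
    for address, hosts in hosts_redirects(parsed).items():
        print(f"hosts file sends {len(hosts)} name(s) to {address}: {hosts}")
    for section, body in dangling_autoruns(parsed):
        print(f"{section} target missing: {body}")
    for path in masquerading_paths(SAMPLE_LOG):
        print(f"system process name outside System32: {path}")
```

A hit is a prompt for review, not a verdict: in this thread the O20 entries marked (file missing) were fixed, while the O23 services marked (file missing) remained in the log that was later called clean.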

Alright, I re-ran Hoster (I had run it, but whatever I changed reverted back), I did the System Restore stuff, and the HJT stuff.
Here is my new HJT log. I'm not sure what others you'd want to see, if any.

Logfile of HijackThis v1.99.1
Scan saved at 8:08:29 PM, on 5/17/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Tom.KITCHEN\Desktop\HijackThis.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Unknown owner - C:\WINDOWS2\System32\mnmsrvc.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Remote Desktop Help Session Manager (RDSessMgr) - Unknown owner - C:\WINDOWS2\system32\sessmgr.exe (file missing)
O23 - Service: spkrmon - Unknown owner - C:\Program Files\Analog Devices\SoundMAX\spkrmon.exe

Hi tsahajdack,

Your latest HJT log is clean :)
However, I'd recommend that you keep the computer off the Internet as much as possible until tayspen comes back online and is able to sign off on this.

will do, thanks

Hey there. Congrats on the clean log. In order to keep yourself clean you will need to do a few things. The biggest would be installing Service Pack 2, an official Microsoft update that adds new features to Windows, as well as much more security.

More info and installation of SP2: http://www.microsoft.com/windowsxp/sp2/sp2_whattoknow.mspx

You will also need to get an antivirus. I recommend ewido. It works well and is free for 14 days; even after the 14 days you can still use it, you just won't get the auto update feature.

That's really about it, the main thing you need to do is get an AV software, and SP2.

Happy Computing:).

thank you so much, I appreciate the time you spent on me.

I'll work on getting that stuff as soon as I can. Thanks again.

You will also need to get an antivirus. I recommend ewido.

Erm... ewido is great for spyware and the like, but a dedicated anti-virus program it is not. :o

AVG is a great choice for your anti-virus utility, and it's free (forever) for personal use.

Heh, that's what I meant ;).

I thought so. See what happens to your brain when you spend 14 hours a day online here? :mrgreen:
