Author Topic: SOS!  (Read 8684 times)

Offline guestolo

« Reply #60 on: February 09, 2005, 08:43:13 PM »
Open up a Notepad file

Highlight all the information from the eScan and right click and copy it and then paste it to the Notepad file
Save this on the desktop

Open it up and click FILE at the top and then PRINT

Also keep this notepad file on the desktop because you're going to need it

This is important
Go back to explorer.exe
in the System32\DllCache folder

If you right click on it what is the date it was created and modified on?

The one in the C:\Windows folder, what is the date it was created and modified?
I want to ensure we have this correct
And then we'll go from there

Let me know the info and make sure you have that info saved

Also ensure that there is only one instance of
explorer.exe or Explorer.exe
in each folder
There should only be one instance>>Regardless of the capital E
« Last Edit: February 12, 2005, 03:34:58 AM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline boogieonrw

« Reply #61 on: February 09, 2005, 10:25:24 PM »
the one in the dllcache file was created on september 3, 2202
but modified 4 days ago

the one in the windows file was created january 18,and modified then too

when i searched for it, however- i found that there is a prefetch also.

there is only one instance.


i am going to sleep in a few, i'll print out the log stuff tomorrow, is that alright or should this stuff be tackled asap

it's been running ever since the last hijackthis, and hasn't frozen yet

Offline guestolo

« Reply #62 on: February 09, 2005, 10:46:48 PM »
Both seem to be corrupt, I think we're dealing with a new bad guy

Can you do me a favor and navigate to this
file
C:\WINDOWS\ServicePackFiles\i386\explorer.exe
If you can find it>>it's a legit file

Right click on it and left click properties

Let me know the size
Creation date
and
Modification date

Don't double click on it or click OPEN, Just what I asked above
« Last Edit: February 10, 2005, 01:19:47 AM by guestolo »



Offline boogieonrw

« Reply #63 on: February 10, 2005, 02:16:29 AM »
i don't have a folder with that name- can it be under another?


EXPLORER.exe was running at one point in the height of my virus...i'll search the hard drive to see how many of them i have and where

Offline boogieonrw

« Reply #64 on: February 10, 2005, 02:25:59 AM »
yeah...no more ...in the search of c:\ it only came up with the one under windows, however we did manually find 2...

Offline guestolo

« Reply #65 on: February 10, 2005, 12:15:51 PM »
Do you have your XP CD
Can you put it in
Expand >>Perform additional tasks and browse the cd
Do you see the i386 folder
If you open it up do you see
EXPLORE.EX_
if you right click on it, should be about
340kb in size
Can you copy and paste from the CD to let's say>>>MyDocuments
« Last Edit: February 10, 2005, 12:20:10 PM by guestolo »



Offline boogieonrw

« Reply #66 on: February 10, 2005, 12:27:48 PM »
i'll look for the cd, may take a while
is there a spot i can search for it online?

Offline guestolo

« Reply #67 on: February 10, 2005, 12:38:13 PM »
I've PM'ed you, can you check your messages


======================================================

PRINT THIS OUT
 
Ensure all other Users on the computer are logged out
 
Can you access your Internet options via Control Panel
Under the Security tab..Custom level
ensure these are marked
 o Download signed ActiveX controls (Prompt)
o Download unsigned ActiveX controls (Disable)
o Initialize and script ActiveX controls not marked as safe (Disable)
o Run ActiveX controls and plug-ins (Enabled)
o Script ActiveX controls marked safe for scripting (Prompt)
 
IF you can I need you to DISABLE System Restore
This link will explain how to do it
http://vil.nai.com/vil/SystemHelpDocs/DisableSysRestore.htm
After you have System Restore disabled>>Carry on if it won't disable, but this is preferred
 
Go to this link >>>Online virus scan at Panda's
http://www.pandasoftware.com/activescan/co...n_principal.htm
Don't start it yet
Now, this is VERY IMPORTANT
Close out all unnecessary programs running in the background
Close out all Windows, that includes Outlook Express>>>Only leave the Page to Panda's open
 
Bring up the Task Manager(right click the bottom taskbar and select Task Manager)
End process on these if you can
 
"explorer.exe", all instances, should be only one <---this will cause all your Icons and taskbar to disappear
 
Then try and end process on these if running
"desktop.exe"
"tvshdg.exe"
 
After that is done you will have only the Task Manager and the page from Panda's open
Click the SCAN MY PC button>>>This should bring up a pop up window from Panda's
Close down the IE page that I linked you to Panda's but keep their popup window open
 
Now you have Panda's popup window open and the Task Manager
 
Click the NEXT button>>If prompted at any time to install an Active X allow it
Supply an email address
Let it load the activex control and load the virus definitions
 
To start the scan ensure you select My Computer or My whole computer
Something like that
 
Let it completely finish scanning, don't use the computer at all
 
When the scan is done, this part I will have to rely on you, follow any prompts you get to close out
they may email you a report
We don't need it yet, if they do
 
When the scan is complete
In Task Manager click FILE at the top
Then Click NEW TASK (Run)
In the open field type in
"explorer.exe" without the quotes and then click OK
 
This should bring back up the Desktop Icons and Taskbar
Go back into the Control Panel>>Internet options>>Security>>Custom level  and ensure that
The settings mentioned above are still set
 
Immediately come back to the forum
Redownload the Mwav scan from eScan
Let it scan your computer and Post back the results at the forum in your reply
 
And once again post back at the forum a new Hijackthis log
 
If Panda emailed you a log or if you can get the results later online can you post those too, thanks
 
But after posting the above, please don't restart your computer
And please don't logon to any other users on the computer
Try not to surf on the net, except what is needed>>>this could cause reinfection
« Last Edit: February 28, 2005, 09:01:16 PM by guestolo »



Offline boogieonrw

« Reply #68 on: February 11, 2005, 08:05:23 PM »
File C:\WINDOWS\System32\brew.dll infected by "Trojan-Downloader.Win32.Small.ajp" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\BTGrab.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall6_22.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SSK_B5.EXE infected by "Trojan-Dropper.Win32.SurfSide.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\woinstall.exe infected by "not-a-virus:AdWare.EZula.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\304390.exe infected by "Trojan-Clicker.Win32.Small.dm" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\311375.exe infected by "Trojan-Clicker.Win32.Small.dm" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\cp.exe infected by "Trojan-Downloader.Win32.Agent.ic" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dfe.exe infected by "Trojan.Win32.LowZones.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dOnim.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\eree.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\fgrr.exe infected by "Trojan-Dropper.Win32.Small.sa" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\htt.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\iwdwin.dll infected by "not-a-virus:AdWare.PurityScan.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\KVIF_7.dll infected by "Trojan-Downloader.Win32.Keenval.e" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\l06olaj31do.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\LMWND13n.DLL infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\lvno0953e.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\mac80ex.idf infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\mqexdlm.srg infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\netut80ex.vxd infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\o884lilq18qe.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\WINDOWS\System32\s8pu0i79e8.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\SHAgentNew.dll infected by "not-a-virus:AdWare.Sahat.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\tarmmgr.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\WinSuck.dll infected by "Trojan-Clicker.Win32.Agent.ca" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\Xcite.dll infected by "not-a-virus:AdWare.F1Organizer.m" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\Xcite2.exe infected by "not-a-virus:AdWare.F1Organizer.m" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\014D63SJ\ysb_prompt[1].php infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\89SF0L8N\js[1].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\89SF0L8N\js[2].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\89SF0L8N\ysb_prompt[1].php infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\AOL Downloads\setup90\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy2.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy5.zip infected by "Password-protected-EXE" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\jordan\Desktop\l2mfix\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\Documents and Settings\jordan\eree.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\jordan\ewhtt.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\jordan\Local Settings\Temporary Internet Files\Content.IE5\014D63SJ\ysb_prompt[1].php infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\jordan\Local Settings\Temporary Internet Files\Content.IE5\89SF0L8N\js[1].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\jordan\Local Settings\Temporary Internet Files\Content.IE5\89SF0L8N\js[2].htm infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\jordan\Local Settings\Temporary Internet Files\Content.IE5\89SF0L8N\ysb_prompt[1].php infected by "Exploit.HTML.CodeBaseExec" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050207-220637-306.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050207-220637-433.dll infected by "not-a-virus:AdWare.MediaTickets.f" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050207-220637-968.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-104237-313.dll infected by "not-a-virus:AdWare.MediaTickets.f" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-104237-432.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-104237-918.dll infected by "not-a-virus:AdWare.PurityScan.ak" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-143714-783.dll infected by "Trojan-Clicker.Win32.Agent.bz" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-225029-174.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-225029-354.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050208-225029-922.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
File C:\HJT\backups\backup-20050209-004902-169.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
File C:\Program Files\AIM\aim95.exe infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\Program Files\AIM\Sysfiles\WxBug.EXE infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll infected by "not-a-virus:AdWare.MiniBug" Virus. Action Taken: No Action Taken.
File C:\Program Files\ESET\infected\FLPIUOBA.NQF infected by "Trojan-Dropper.Win32.Agent.ch" Virus. Action Taken: No Action Taken.
File C:\Program Files\ESET\infected\RMAD2MAA.NQF infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\Program Files\MyWay\myBar\1.bin\MY2NS.EXE infected by "not-a-virus:AdWare.Toolbar.MyWay.b" Virus. Action Taken: No Action Taken.
File C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL infected by "not-a-virus:AdWare.ToolBar.MyWay.g" Virus. Action Taken: No Action Taken.
File C:\Program Files\TopConverting\arkanoid\arkanoid.exe infected by "not-a-virus:AdWare.WinShow.f" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0049394.new infected by "Virus.Win32.Bube.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0049395.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0049403.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0049404.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0049407.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050400.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050409.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050410.dll infected by "Trojan-Downloader.Win32.Agent.iu" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050413.exe infected by "not-a-virus:AdWare.PowerScan.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050425.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050430.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050434.exe infected by "not-a-virus:AdWare.MetaDirect.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050443.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050444.exe infected by "not-a-virus:AdWare.BargainBuddy.n" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0050447.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0053438.dll infected by "Trojan-Downloader.Win32.Agent.iu" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0053444.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0053445.exe infected by "Trojan-Dropper.Win32.Small.sa" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0053446.dll infected by "Trojan-Downloader.Win32.Small.ajp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0053450.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0053456.exe infected by "Trojan.Win32.LowZones.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0053457.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0053458.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0054441.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0054450.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0055437.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056445.dll infected by "Trojan-Downloader.Win32.Small.ajp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056449.exe infected by "Trojan.Win32.Agent.ay" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056451.exe infected by "Trojan-Dropper.Win32.Tibsis.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056452.exe infected by "Trojan-Downloader.Win32.Agent.ji" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056453.exe infected by "Trojan-Downloader.Win32.Agent.ji" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056458.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056461.dll infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056463.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056508.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056510.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056511.exe infected by "Trojan-Dropper.Win32.Small.rx" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056512.exe infected by "Trojan.Win32.LowZones.ai" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056513.exe infected by "Trojan-Dropper.Win32.Small.sa" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056514.exe infected by "Trojan-Dropper.Win32.Small.sa" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0056516.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059535.exe infected by "not-a-virus:AdWare.PurityScan.v" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059537.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059548.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059550.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059585.exe infected by "Trojan.Win32.LowZones.ai" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059586.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059587.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059594.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059596.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059603.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059605.dll infected by "Trojan.Win32.Golid.e" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059606.dll infected by "not-a-virus:AdWare.PurityScan.ak" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059607.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059612.exe infected by "Trojan.Win32.LowZones.ai" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059613.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059614.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059626.dll infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059627.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059630.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059635.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059644.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059646.exe infected by "Trojan-Clicker.Win32.Agent.ca" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059647.exe infected by "Trojan-Clicker.Win32.Agent.bz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059652.exe infected by "Trojan.Win32.Agent.ay" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059653.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059654.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059657.exe infected by "not-a-virus:AdWare.PurityScan.v" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059658.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059659.exe infected by "Trojan.Win32.LowZones.ai" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059660.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059661.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059662.exe infected by "not-a-virus:AdWare.PurityScan.v" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059664.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059667.dll infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0059669.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0062695.exe infected by "Trojan-Clicker.Win32.Agent.ca" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0062696.exe infected by "Trojan.Win32.LowZones.ai" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0062698.exe infected by "Trojan-Dropper.Win32.Small.sa" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0062699.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0062700.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0062701.exe infected by "Trojan-Clicker.Win32.Agent.bz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0062703.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0063694.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0065690.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0065691.exe infected by "Trojan.Win32.LowZones.ai" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0065693.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0065695.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0065701.exe infected by "Trojan-Clicker.Win32.Small.dm" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0065704.exe infected by "Trojan-Clicker.Win32.Small.dm" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0067740.dll infected by "Trojan-Clicker.Win32.Agent.bz" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077740.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077743.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077756.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077765.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077766.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.z" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077768.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077769.exe infected by "Trojan.Win32.LowZones.ai" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077771.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077772.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077774.exe infected by "not-a-virus:PornWare.Dialer.Salc" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077794.exe infected by "Trojan.Win32.Agent.ay" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077796.exe infected by "not-a-virus:AdWare.Zestyfind" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0077979.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0078202.exe infected by "Trojan-Downloader.Win32.Agent.gn" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0078219.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0078222.dll infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0078224.dll infected by "Trojan-Downloader.Win32.Ieser.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0078250.exe infected by "Virus.Win32.Bube.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0078252.dll infected by "Trojan.Win32.Golid.e" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0078253.hta infected by "Trojan-Dropper.VBS.Inor.cj" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0078254.exe infected by "Virus.Win32.Bube.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0078256.dll infected by "Trojan.Win32.Agent.aw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\BTGrab.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.1\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.10\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.2\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.3\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.4\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.5\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.6\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.7\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.8\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\CONFLICT.9\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\YSBactivex.dll infected by "Trojan-Downloader.Win32.IstBar.gz" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\inst\3p1.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall6_22.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SSK_B5.EXE infected by "Trojan-Dropper.Win32.SurfSide.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\304390.exe infected by "Trojan-Clicker.Win32.Small.dm" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\311375.exe infected by "Trojan-Clicker.Win32.Small.dm" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\cp.exe infected by "Trojan-Downloader.Win32.Agent.ic" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\dfe.exe infected by "Trojan.Win32.LowZones.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\dOnim.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\eree.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\fgrr.exe infected by "Trojan-Dropper.Win32.Small.sa" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\htt.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\iwdwin.dll infected by "not-a-virus:AdWare.PurityScan.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\KVIF_7.dll infected by "Trojan-Downloader.Win32.Keenval.e" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\l06olaj31do.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\LMWND13n.DLL infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\lvno0953e.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\mac80ex.idf infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\mqexdlm.srg infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\netut80ex.vxd infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\o884lilq18qe.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\WINDOWS\system32\s8pu0i79e8.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\SHAgentNew.dll infected by "not-a-virus:AdWare.Sahat.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\tarmmgr.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\WinSuck.dll infected by "Trojan-Clicker.Win32.Agent.ca" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\Xcite.dll infected by "not-a-virus:AdWare.F1Organizer.m" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\Xcite2.exe infected by "not-a-virus:AdWare.F1Organizer.m" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\woinstall.exe infected by "not-a-virus:AdWare.EZula.ak" Virus. Action Taken: No Action Taken.

Offline boogieonrw

« Reply #69 on: February 11, 2005, 08:06:01 PM »
Incident                      Status                        Location

Virus:Trj/Admincash.A         Disinfected                   C:\Documents and Settings\jordan\dfe.exe
Virus:Trojan Horse            Disinfected                   C:\HJT\backups\backup-20050208-104237-651.dll
Virus:VBS/Inor.gen            Disinfected                   C:\ntdetect.hta
Virus:Trj/Admincash.A         Disinfected                   C:\WINDOWS\explorer.exe
Virus:Trj/Admincash.A         Disinfected                   C:\WINDOWS\system32\dllcache\explorer.exe
Virus:Trj/Qhost.gen           Disinfected                   C:\WINDOWS\system32\drivers\etc\hosts
Virus:Trj/Qhost.gen           Disinfected                   C:\WINDOWS\system32\drivers\etc\hosts.20050204-014604.backup
Virus:Trj/Qhost.gen           Disinfected                   C:\WINDOWS\system32\drivers\etc\hosts.20050204-014606.backup
Virus:Trj/Qhost.gen           Disinfected                   C:\WINDOWS\system32\drivers\etc\hosts.20050204-111220.backup
Virus:Trj/Agent.FN            Disinfected                   C:\WINDOWS\system32\dvqbyeqz.dll
Virus:Trj/Agent.FN            Disinfected                   C:\WINDOWS\system32\wbfkfebl.dll

Offline boogieonrw

« Reply #70 on: February 11, 2005, 08:22:19 PM »
Logfile of HijackThis v1.99.0
Scan saved at 8:23:10 PM, on 2/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/landingpages/cd....ystempopup=true (obfuscated)
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: (no name) - {502B8893-05D5-1E4B-D4E1-6F514A11CDB7} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {79EF8DE9-C305-C8CC-6B87-1ED452FEAE42} - (no file)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.f1organizer.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2[censored]ed.biz
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.vse-moe.biz
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.ysbweb.com
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe

Offline boogieonrw

« Reply #71 on: February 11, 2005, 09:16:18 PM »
Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\jordan\Desktop\Find_It_NT_2K_XP-2\Find It NT-2K-XP

 ------- System Files in System32 Directory -------

 Volume in drive C has no label.
 Volume Serial Number is 5433-A367

 Directory of C:\WINDOWS\System32

02/09/2005  12:43 AM    <DIR>          dllcache
02/07/2005  04:02 PM                 0 kwxle.txt
02/04/2005  01:45 AM           229,736 k644lghq164e.dll
02/04/2005  01:29 AM                 0 d3wq.exe
02/03/2005  02:30 PM            10,824 d3ea.exe
02/01/2005  09:45 AM           413,696 r?gsvr32.exe
02/01/2005  09:42 AM           413,696 m?iexec.exe
01/30/2005  08:39 AM            11,467 msjy32.exe
01/23/2005  09:10 PM            10,824 ntqm.exe
01/23/2005  08:27 PM            29,256 ntod.exe
01/23/2005  07:37 PM            29,256 msyz.exe
01/23/2005  03:41 PM            29,256 netxh32.exe
01/20/2005  08:35 PM            11,550 sdklk.exe
01/20/2005  08:55 AM            10,824 ipxm32.exe
07/20/2004  02:33 PM                71 SYSDRVWC.SYS
12/29/2003  11:39 PM                 0 appxa32.exe
12/29/2003  03:53 AM            10,824 neton.exe
12/28/2003  10:31 PM            10,824 apiwi32.exe
12/18/2003  01:03 PM    <DIR>          Microsoft
              17 File(s)      1,222,104 bytes
               2 Dir(s)   5,989,429,248 bytes free

 ------- Hidden Files in System32 Directory -------

 Volume in drive C has no label.
 Volume Serial Number is 5433-A367

 Directory of C:\WINDOWS\System32

02/09/2005  12:43 AM    <DIR>          dllcache
02/07/2005  04:02 PM                 0 kwxle.txt
02/04/2005  01:29 AM                 0 d3wq.exe
02/03/2005  02:30 PM            10,824 d3ea.exe
02/01/2005  09:45 AM           413,696 r?gsvr32.exe
02/01/2005  09:42 AM           413,696 m?iexec.exe
01/30/2005  08:39 AM            11,467 msjy32.exe
01/23/2005  09:10 PM            10,824 ntqm.exe
01/23/2005  08:27 PM            29,256 ntod.exe
01/23/2005  07:37 PM            29,256 msyz.exe
01/23/2005  03:41 PM            29,256 netxh32.exe
01/20/2005  08:35 PM            11,550 sdklk.exe
01/20/2005  08:55 AM            10,824 ipxm32.exe
07/20/2004  02:33 PM                71 SYSDRVWC.SYS
12/29/2003  11:39 PM                 0 appxa32.exe
12/29/2003  03:53 AM            10,824 neton.exe
12/28/2003  10:31 PM            10,824 apiwi32.exe
12/18/2003  12:38 PM               488 WindowsLogon.manifest
12/18/2003  12:38 PM               488 logonui.exe.manifest
12/18/2003  12:38 PM               749 sapi.cpl.manifest
12/18/2003  12:38 PM               749 cdplayer.exe.manifest
12/18/2003  12:38 PM               749 ncpa.cpl.manifest
12/18/2003  12:38 PM               749 nwc.cpl.manifest
12/18/2003  12:38 PM               749 wuaucpl.cpl.manifest
              23 File(s)        997,089 bytes
               1 Dir(s)   5,989,425,152 bytes free

 ------------ Files Named "Guard" ---------------

 Volume in drive C has no label.
 Volume Serial Number is 5433-A367

 Directory of C:\WINDOWS\System32


 ------ Temp Files in System32 Directory ------

 Volume in drive C has no label.
 Volume Serial Number is 5433-A367

 Directory of C:\WINDOWS\System32


 ------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D2AD9633-36F1-4338-AA11-469CA091B890}"=""


 ------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


 ------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
   d3ea.exe       Thu Feb  3 2005   2:31:00p  A.SH.         10,824    10.57 K
   d3wq.exe       Fri Feb  4 2005   1:29:44a  A.SH.              0     0.00 K
   ipxm32.exe     Thu Jan 20 2005   8:55:58a  A.SH.         10,824    10.57 K
   k644lg~1.dll   Fri Feb  4 2005   1:45:12a  ..S.R        229,736   224.35 K
   kwxle.txt      Mon Feb  7 2005   4:02:12p  A.SH.              0     0.00 K
   msjy32.exe     Sun Jan 30 2005   8:39:30a  A.SH.         11,467    11.20 K
   msyz.exe       Sun Jan 23 2005   7:37:42p  A.SH.         29,256    28.57 K
   miexec~1.exe   Tue Feb  1 2005   9:42:42a  ..SHR        413,696   404.00 K
   netxh32.exe    Sun Jan 23 2005   3:41:36p  A.SH.         29,256    28.57 K
   ntod.exe       Sun Jan 23 2005   8:27:44p  A.SH.         29,256    28.57 K
   ntqm.exe       Sun Jan 23 2005   9:10:40p  A.SH.         10,824    10.57 K
   rgsvr3~1.exe   Tue Feb  1 2005   9:45:40a  ..SHR        413,696   404.00 K
   sdklk.exe      Thu Jan 20 2005   8:35:14p  A.SH.         11,550    11.28 K

13 items found:  13 files, 0 directories.
   Total of file sizes:  1,200,385 bytes      1.14 M

 -------- Strings.exe Qoologic Results --------

C:\WINDOWS\system32\pav.sig: Qoologic
C:\WINDOWS\system32\pav.sig: Qoologic

 --------- Strings.exe Aspack Results ---------

C:\WINDOWS\system32\pav.sig: AsPack

 -------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Desktop Search"="C:\\WINDOWS\\isrvs\\desktop.exe"
"ffis"="C:\\WINDOWS\\isrvs\\ffisearch.exe"




Offline guestolo

« Reply #72 on: February 11, 2005, 09:21:49 PM »
One more log boogie and then you can sit back and let me write up a hopeful fix

I'm stepping out for a bit, not long
So please don't try and restart your computer or use it to browse until we do some cleaning

If you can, do it right now, Disable System Restore
Right-click My Computer -> Properties -> System Restore tab -> Check Disable System Restore.
Let me know if you can do it.....

Go to START>>RUN>>type in cmd
Hit OK
At the prompt type in these entries, excluding the = signs, see note

cd\WINDOWS\Downloaded Program Files (hit Enter)
dir=/a=/Q=*=>C:\dpflist.txt (hit Enter)
start=C:\dpflist.txt (hit Enter)

NOTE* DON'T enter the = signs when typing in those commands
Those are just there to let you know where the spaces are

Copy and Paste the log that appears and then Close out the command prompt
« Last Edit: February 11, 2005, 09:24:15 PM by guestolo »
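
Why the System Restore step matters for the eScan log posted earlier in this thread, as an added example that is not part of the original posts: on Windows XP, turning System Restore off deletes the existing restore points, so the detections under `_restore{...}` go away with them, while files in live folders still have to be removed one by one. The Python below parses both line shapes of that log and separates the two groups; the sample lines are copied from the log above except the last, which is constructed, and all function names are my own.

```python
import re
from collections import Counter

# Two line shapes appear in the eScan log on this page:
#   File <path> infected by "<name>" Virus. Action Taken: <action>.
#   File <path> tagged as <name>. <action>.
INFECTED = re.compile(
    r'^File (?P<path>.+?) infected by "(?P<name>[^"]+)" Virus\. '
    r'Action Taken: (?P<action>.+?)\.$')
TAGGED = re.compile(
    r'^File (?P<path>.+?) tagged as (?P<name>\S+)\. (?P<action>.+?)\.$')

# XP keeps restore-point copies of files under this folder.
RESTORE_MARKER = "\\system volume information\\_restore{"

# Sample input: lines copied from the log in this thread, plus one
# constructed line at the end to exercise the "unparsed" path.
SAMPLE_LOG = r'''
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0062696.exe infected by "Trojan.Win32.LowZones.ai" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0063694.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\System Volume Information\_restore{AAD76212-7B46-4D6E-8DBC-6E6DCAC51205}\RP388\A0078253.hta infected by "Trojan-Dropper.VBS.Inor.cj" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\v3.dll infected by "not-a-virus:AdWare.ToolBar.EliteBar.s" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Downloaded Program Files\YSBactivex.dll infected by "Trojan-Downloader.Win32.IstBar.gz" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\dfe.exe infected by "Trojan.Win32.LowZones.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\dOnim.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\l06olaj31do.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
Scan engine note with no file path (constructed line)
'''


def parse_line(line):
    """Return {'path', 'name', 'action'} for a detection line, else None."""
    line = line.strip()
    for pattern in (INFECTED, TAGGED):
        match = pattern.match(line)
        if match:
            return match.groupdict()
    return None


def is_restore_copy(path):
    """True when the file is a System Restore copy, not a live file."""
    return RESTORE_MARKER in path.lower()


def triage(log_text):
    """Split detections into (live, restore, unparsed) lists."""
    live, restore, unparsed = [], [], []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        record = parse_line(raw)
        if record is None:
            # Keep lines we do not understand so nothing is silently lost.
            unparsed.append(raw.strip())
        elif is_restore_copy(record["path"]):
            restore.append(record)
        else:
            live.append(record)
    return live, restore, unparsed


def summarize(log_text):
    """Counts and paths a helper needs when writing up the cleanup list."""
    live, restore, unparsed = triage(log_text)
    return {
        "restore_point_copies": len(restore),
        "live_files": sorted(r["path"] for r in live),
        "live_by_detection": Counter(r["name"] for r in live),
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    print("Restore-point copies:", result["restore_point_copies"])
    print("Live files still needing removal:")
    for path in result["live_files"]:
        print("  ", path)
    for name, count in result["live_by_detection"].most_common():
        print(f"{count:3d}  {name}")
    if result["unparsed"]:
        print("Unparsed lines:", result["unparsed"])
```
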



Offline boogieonrw

« Reply #73 on: February 11, 2005, 09:27:30 PM »
thank you for your help man, you rock

my daughter named the computer, by the way.. haha...



 Volume in drive C has no label.
 Volume Serial Number is 5433-A367

 Directory of C:\WINDOWS\Downloaded Program Files

02/11/2005  10:10 AM    <DIR>          BUILTIN\Administrators .
02/11/2005  10:10 AM    <DIR>          BUILTIN\Administrators ..
01/26/2005  04:03 PM           110,592 POOPYA\jordan          asinst.dll
01/27/2005  09:09 AM               525 POOPYA\jordan          asinst.inf
02/08/2005  10:42 AM    <DIR>          POOPYA\jordan          CONFLICT.1
02/08/2005  10:42 PM    <DIR>          POOPYA\jordan          CONFLICT.10
02/07/2005  05:13 PM    <DIR>          POOPYA\jordan          CONFLICT.11
02/07/2005  05:13 PM    <DIR>          POOPYA\jordan          CONFLICT.12
02/07/2005  06:45 PM    <DIR>          POOPYA\jordan          CONFLICT.13
02/07/2005  06:45 PM    <DIR>          POOPYA\jordan          CONFLICT.14
02/07/2005  09:43 PM    <DIR>          POOPYA\Administrator   CONFLICT.15
02/07/2005  09:43 PM    <DIR>          POOPYA\Administrator   CONFLICT.16
02/07/2005  10:24 PM    <DIR>          POOPYA\Administrator   CONFLICT.17
02/07/2005  02:28 PM    <DIR>          POOPYA\jordan          CONFLICT.2
02/07/2005  03:44 PM    <DIR>          POOPYA\jordan          CONFLICT.3
02/07/2005  05:12 PM    <DIR>          POOPYA\jordan          CONFLICT.4
02/07/2005  06:46 PM    <DIR>          POOPYA\jordan          CONFLICT.5
02/07/2005  09:08 PM    <DIR>          POOPYA\jordan          CONFLICT.6
02/07/2005  10:06 PM    <DIR>          POOPYA\jordan          CONFLICT.7
02/08/2005  10:33 AM    <DIR>          POOPYA\jordan          CONFLICT.8
02/08/2005  10:42 AM    <DIR>          POOPYA\jordan          CONFLICT.9
12/18/2003  12:38 PM                65 BUILTIN\Administrators desktop.ini
10/14/1997  06:52 PM               697 BUILTIN\Administrators DirectAnimation Java Classes.osd
08/24/2004  02:39 PM            59,556 POOPYA\jordan          Doremi.ttf
07/25/2002  03:13 PM            24,576 BUILTIN\Administrators dwusplay.dll
07/25/2002  03:13 PM           196,608 BUILTIN\Administrators dwusplay.exe
03/28/2002  04:05 PM             1,268 POOPYA\jordan          erma.inf
07/12/2000  03:02 AM            36,864 POOPYA\jordan          fxfileop.dll
09/15/2003  06:49 PM               388 POOPYA\ben             imbum.inf
01/20/2003  09:44 AM           176,128 BUILTIN\Administrators isusweb.dll
11/20/2003  12:22 AM               740 POOPYA\jordan          jinstall-1_4_2_03.inf
02/04/2005  01:31 AM            62,616 POOPYA\jordan          loader2.ocx
01/20/2000  02:25 PM             1,162 BUILTIN\Administrators Microsoft XML Parser for Java.osd
11/18/1999  01:49 PM               992 POOPYA\ben             msaudio.inf
12/01/2004  01:30 AM               551 POOPYA\jordan          OSDEB.OSD
10/09/2003  10:32 AM               144 POOPYA\ben             QTPlugin.inf
03/13/2004  08:39 PM         9,807,846 POOPYA\jordan          QuickTimeInstallCache.qdat
05/29/2002  11:12 PM             9,488 POOPYA\ben             sporder.dll
12/08/2003  01:58 PM             3,759 POOPYA\jordan          swflash.inf
04/05/2004  05:21 PM            20,480 POOPYA\ben             UCSearch.ocx
10/31/2001  11:37 AM               118 POOPYA\jordan          uninst.bat
12/01/2004  01:30 AM            13,824 POOPYA\jordan          v3.dll
06/30/2003  10:41 PM             1,689 POOPYA\jordan          WMV9VCM.inf
01/24/2005  01:14 PM            15,872 POOPYA\jordan          YSBactivex.dll
08/17/2004  01:58 PM               227 POOPYA\jordan          ysbactivex.inf
              26 File(s)     10,546,775 bytes
              19 Dir(s)   6,228,783,104 bytes free

Offline guestolo

« Reply #74 on: February 12, 2005, 01:24:38 AM »
Let's go thru the steps
Some may not be necessary, but let's do it anyways

Ensure you have Hoster still in a convenient spot
Also ensure you still have fix.reg placed on your desktop for easy access
If not, you can save it to Notepad again>>>on page 2 of our replies
Related to the ZoneMap\Domains registry fix

Print this out so you can use it as a checklist
Also
Please save this to a Notepad file on your desktop >>>
Disconnect from the Internet>>>Disable System Restore, if you can and you haven't done so already
Close down All unnecessary programs running in the background
Keep all other users of the computer logged off

Do another scan with Hijackthis and put a check next to these entries:

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/landingpages/cd....ystempopup=true (obfuscated)
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: (no name) - {502B8893-05D5-1E4B-D4E1-6F514A11CDB7} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {79EF8DE9-C305-C8CC-6B87-1ED452FEAE42} - (no file)

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe

ALL the O15 entries


O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)


After you have ticked the above entries, close All other open windows, including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

With only your Notepad file open
Open Killbox.exe
Then bring up Taskmanager

Now you have this Notepad file that you saved>>>Killbox>>taskmanager open
End process on explorer.exe as you did before
May not be necessary at this point but let's not take a chance
Icons and Taskbar disappear

In Task Manager go to FILE>>>NEW TASK (RUN)
Type in cmd.exe
Hit OK

At the command prompt
type this again, remember there are no = signs, see Note below

cd\WINDOWS\Downloaded Program Files (hit Enter)
del=YSBactivex.dll (hit Enter)
del=ysbactivex.inf (hit Enter)
del=loader2.ocx (hit Enter)
del=OSDEB.OSD (hit Enter)
del=v3.dll (hit Enter)
Rmdir=/s=CONFLICT.1 (hit Enter)
Rmdir=/s=CONFLICT.2 (hit Enter)
Rmdir=/s=CONFLICT.3 (hit Enter)
Rmdir=/s=CONFLICT.4 (hit Enter)
Rmdir=/s=CONFLICT.5 (hit Enter)
Rmdir=/s=CONFLICT.6 (hit Enter)
Rmdir=/s=CONFLICT.7 (hit Enter)
Rmdir=/s=CONFLICT.8 (hit Enter)
Rmdir=/s=CONFLICT.9 (hit Enter)
Rmdir=/s=CONFLICT.10 (hit Enter)
Rmdir=/s=CONFLICT.11 (hit Enter)
Rmdir=/s=CONFLICT.12 (hit Enter)
Rmdir=/s=CONFLICT.13 (hit Enter)
Rmdir=/s=CONFLICT.14 (hit Enter)
Rmdir=/s=CONFLICT.15 (hit Enter)
Rmdir=/s=CONFLICT.16 (hit Enter)
Rmdir=/s=CONFLICT.17 (hit Enter)

NOTE* = signs should be replaced by a space

After you have entered all those close the command prompt

Now you have just the Notepad file open and Killbox
In Killbox
Copy and paste each of the following lines into the "Full Path of File to Delete"
Click the RED X button that looks like the Stop sign
Keep track of any files that won't delete
You'll need those later

C:\WINDOWS\NDNuninstall6_22.exe

C:\WINDOWS\SSK_B5.EXE

C:\WINDOWS\woinstall.exe

C:\WINDOWS\System32\304390.exe

C:\WINDOWS\System32\311375.exe

C:\WINDOWS\System32\cp.exe

C:\WINDOWS\System32\dfe.exe

C:\WINDOWS\System32\eree.exe

C:\WINDOWS\System32\fgrr.exe

C:\WINDOWS\System32\htt.exe

C:\WINDOWS\System32\iwdwin.dll

C:\WINDOWS\System32\KVIF_7.dll

C:\WINDOWS\System32\mac80ex.idf

C:\WINDOWS\System32\mqexdlm.srg

C:\WINDOWS\System32\netut80ex.vxd

C:\WINDOWS\System32\SHAgentNew.dll

C:\WINDOWS\System32\WinSuck.dll

C:\WINDOWS\System32\Xcite2.exe

C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\014D63SJ\ysb_prompt[1].php

C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\89SF0L8N\js[1].htm

C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\89SF0L8N\js[2].htm

C:\DOCUME~1\jordan\LOCALS~1\TEMPOR~1\Content.IE5\89SF0L8N\ysb_prompt[1].php

C:\Documents and Settings\jordan\eree.exe

C:\Documents and Settings\jordan\ewhtt.exe

C:\Program Files\AIM\aim95.exe

C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll

C:\Program Files\MyWay\myBar\1.bin\MY2NS.EXE

C:\Program Files\MyWay\myBar\1.bin\MYBAR.DLL

C:\Program Files\TopConverting\arkanoid\arkanoid.exe

C:\WINDOWS\Downloaded Program Files\CONFLICT.10\v3.dll

C:\WINDOWS\Downloaded Program Files\CONFLICT.2\v3.dll

C:\WINDOWS\Downloaded Program Files\CONFLICT.3\v3.dll

C:\WINDOWS\Downloaded Program Files\CONFLICT.4\v3.dll

C:\WINDOWS\Downloaded Program Files\CONFLICT.5\v3.dll

C:\WINDOWS\Downloaded Program Files\CONFLICT.6\v3.dll

C:\WINDOWS\Downloaded Program Files\CONFLICT.7\v3.dll

C:\WINDOWS\Downloaded Program Files\CONFLICT.8\v3.dll

C:\WINDOWS\Downloaded Program Files\CONFLICT.9\v3.dll

C:\WINDOWS\Downloaded Program Files\v3.dll

C:\WINDOWS\System32\ntqm.exe

C:\WINDOWS\System32\d3wq.exe

C:\WINDOWS\System32\msjy32.exe

C:\WINDOWS\System32\netxh32.exe

C:\WINDOWS\System32\ipxm32.exe

C:\WINDOWS\System32\kwxle.txt

C:\WINDOWS\System32\sdklk.exe

C:\WINDOWS\System32\d3wq.exe

C:\WINDOWS\System32\d3ea.exe

C:\WINDOWS\isrvs\ffisearch.exe


Copy and paste each of the following lines into the "Full Path of File to Delete" box in Killbox.
Put a mark next to Replace on Reboot
Also mark Use Dummy

Click the red button with the X after each. It will ask you if you want to reboot each time you click it, answer "No"

C:\WINDOWS\System32\brew.dll

C:\WINDOWS\BTGrab.dll

C:\WINDOWS\System32\dOnim.dll

C:\WINDOWS\System32\l06olaj31do.dll

C:\WINDOWS\System32\LMWND13n.DLL

C:\WINDOWS\System32\o884lilq18qe.dll

C:\WINDOWS\System32\s8pu0i79e8.dll

C:\WINDOWS\System32\tarmmgr.dll

C:\WINDOWS\System32\Xcite.dll

C:\WINDOWS\Downloaded Program Files\YSBactivex.dll

C:\WINDOWS\inst\3p1.exe


At this point copy and paste any file that wouldn't delete earlier with just the
Delete file button and use the
"Replace on Reboot"
"Use Dummy"
options

Once the last path to file to delete is entered
Answer YES
And allow the system to Reboot
or use the option in the Taskmanager under Shutdown>>Restart

Please reboot into safe mode at this time

Look for these 2 files in the C:\Windows\System32 folder
02/01/2005 09:45 AM 413,696 r?gsvr32.exe <--this file
02/01/2005 09:42 AM 413,696 m?iexec.exe <--this file
They may contain the ? mark in them, if you see them delete them
Careful as they like to disguise as legitimate files
You can see if you right click on them and left click properties
Their file size is about 413 kb and created on the date above


Find and delete these folders if they exist
C:\WINDOWS\isrvs <--this folder
C:\Program Files\AWS <--folder
C:\Program Files\MyWay <--folder
C:\Program Files\TopConverting <--folder

Take a look for any of those files killed with killbox manually and ensure they don't exist

Some of the files should have been removed by RubberDucky's About:Buster
If you still have it
Can you please run About:Buster again in safe mode
Let it scan twice>>Save the log afterwards

Open HOSTER and RESTORE ORIGINAL HOSTS

Double click on fix.reg and allow it to merge to the registry

While you're in safe mode can you open your Registry editor
 just be careful and do just what I ask

Go to START>>RUN>>Type in regedit
Hit OK

Navigate to this entry

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage]
Left click to Highlight ModuleUsage
Right click on it and Choose EXPORT
Name it and save it to MyDocuments folder
Exit the Registry

Temp files should have been deleted, but because you have Windows CleanUp! can you run it also in safe mode just to be safe

Restart back to Normal mode

Enable System Restore

At this time let's try another scan with the newer L2mfix>>>Can you redownload it please, don't use your old copy>>Here's the instructions again
Quote
Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT:  Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!


Hopefully one last time
Can you run another scan with Mwav scan from eScan
and post another log

Also post back another Hijackthis log
Also include the About:Buster logs if you have them

Could you also go to the MyDocuments folder, find that entry you exported from the Registry
RIGHT CLICK on it and select EDIT
Copy and paste back here the contents, thanks
« Last Edit: February 12, 2005, 02:17:05 AM by guestolo »
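
The look-alike check described in the post above (r?gsvr32.exe, m?iexec.exe), as an added example that is not part of the original thread: it parses `dir`-style lines and flags names that differ from a known Windows binary by exactly one character that is `?` or non-ASCII. The legitimate names regsvr32.exe and msiexec.exe are inferred from the patterns in the post, and the sample listing is constructed.

```python
import re

# One line of `dir` output: date, time, size with thousands separators, name.
DIR_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}\s+[AP]M)\s+([\d,]+)\s+(.+?)\s*$")

# Assumption: the binaries being imitated, inferred from the patterns in the post.
LEGIT = ("regsvr32.exe", "msiexec.exe")

# Constructed sample listing. The two 413,696-byte lines follow the post; the
# Cyrillic U+0455 standing in for "?" and all other lines are made up.
SAMPLE = """\
08/29/2002 04:00 AM 9,728 regsvr32.exe
02/01/2005 09:45 AM 413,696 r?gsvr32.exe
08/29/2002 04:00 AM 67,584 msiexec.exe
02/01/2005 09:42 AM 413,696 m\u0455iexec.exe
08/29/2002 04:00 AM 50,688 regedt32.exe
"""

def one_char_off(name, legit):
    """Index of the single differing character, or None if not exactly one."""
    if len(name) != len(legit):
        return None
    diffs = [i for i, (a, b) in enumerate(zip(name, legit)) if a != b]
    return diffs[0] if len(diffs) == 1 else None

def is_disguise_char(ch):
    # "?" cannot occur in a real Windows file name; a listing shows it when it
    # cannot render a character. Non-ASCII covers homoglyph substitutions.
    return ch == "?" or ord(ch) > 127

def flag_lookalikes(listing, legit_names=LEGIT):
    """Return one dict per listed file that imitates a known binary name."""
    hits = []
    for line in listing.splitlines():
        m = DIR_LINE.match(line.strip())
        if not m:
            continue
        date, _time, size, name = m.groups()
        low = name.lower()  # Windows file names are case-insensitive
        for legit in legit_names:
            idx = one_char_off(low, legit)
            if idx is not None and is_disguise_char(low[idx]):
                hits.append({"name": name, "imitates": legit, "date": date,
                             "size": int(size.replace(",", ""))})
    return hits

if __name__ == "__main__":
    for hit in flag_lookalikes(SAMPLE):
        print(ascii(hit))
```

A name that is one plain ASCII letter off (a typo-style variant) is deliberately not flagged here; the check targets only the unrenderable-character disguise the post describes.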



Offline boogieonrw

« Reply #75 on: February 12, 2005, 05:10:42 PM »
all of the v3.dll's and the ffisearch.exe couldn't be found

also ysbactivex.dll



should i search for every one of the files we replaced or deleted?

Guest

« Reply #76 on: February 12, 2005, 05:16:00 PM »
It was just precautionary
If you wouldn't mind, but I would think they would all be gone

Just carry on, I'm stepping out for a bit, so I won't be able to answer these questions
I hope to see a better log when I get back , crossing my fingers

While I got you here, before restarting back to Normal mode could you try the fixes with hijackthis in Safe mode again, if you're past that point, DON'T worry about it.........
Thanks

Don't worry if they're back when you reboot to normal mode and don't restart your computer again when you get back to normal mode if you can help it :D

Woops>>that was me boogie
~guestolo~
« Last Edit: February 12, 2005, 05:17:13 PM by guestolo »

Offline boogieonrw

« Reply #77 on: February 12, 2005, 06:40:31 PM »
hey, we seem to be still having a problem with the l2mfix

it isn't opening...if i have to restart my computer, what do i have to do?

Offline guestolo

« Reply #78 on: February 12, 2005, 10:09:40 PM »
I keep removing these question and answer replies :D

If you had to reboot instead of ending process on it
I will need you to run Find.bat from Find It NT-2K-XP and post the log

I was hoping to see some logs boogieonrw B)

Let me say this again boogieonrw, do what you can, post all the required logs if you can
« Last Edit: February 12, 2005, 10:14:20 PM by guestolo »



Offline boogieonrw

« Reply #79 on: February 13, 2005, 04:03:50 PM »
unfortunately not even find it is working,
the log files just never open...it freezes

i don't know if it's a memory issue or what but it still pretends to be working, but isn't


i'll post hijackthis and the reg file after a quick restart