My HJT Log
Lythium
07-23-2005, 09:58 PM
Hey, lately I've been having some probs, and some since I finished building this PC. My PC runs stably usually, and is very fast, but I think its performance is sub-par for what it should be, especially in games. I've been thinking about reformatting lately, but after seeing this stuff on here about HJT and such I decided to try this. Here goes:
Logfile of HijackThis v1.99.1
Scan saved at 9:52:16 PM, on 7/23/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\TopThemes\ThemeTray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\onrs\iass.exe
C:\WINDOWS\System32\??rss.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\RivaTuner v2.0 RC 15.6\RivaTuner.exe
C:\Program Files\Xfire\Xfire.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\Rar$EX00.281\Hijack This.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: (no name) - {BAFF9C05-7B98-2C42-C4AA-5430291821B5} - C:\WINDOWS\System32\saq.dll
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ThemeTray] "C:\Program Files\TopThemes\ThemeTray.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.0 RC 15.6\RivaTuner.exe" /S
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.0 RC 15.6\RivaTuner.exe" /T
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKCU\..\Run: [Rers] C:\Program Files\onrs\iass.exe
O4 - HKCU\..\Run: [Xxxzhzt] C:\WINDOWS\System32\??rss.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares/v4.0/ysb_regular.cab
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
-------------------
Sometimes I'll get a blue screen Windows error message where it says something about nv4_disp.dll. I know that is the main file for my display driver, but I've tried many diff driver versions, and this happened when I had an ATI card as well, with its driver file.dll. In demanding games, such as CS:S, my FPS and performance seems WAY below what it should be.. Here's some of my PC's specs:
Mobo: Soyo VT8763 Apollo PT800 VIA
AGP 8x
FSB: 800MHz - 6400 MB/s
PCI x3
supports 2GB of DDR 400/pc3200 RAM
CPU: INTEL P4 2.8GHz Prescott
L2 Cache: 1MB (On-Die, ATC, Full-Speed)
RAM: 2x 512MB Ultra DDR 400/pc3200 RAM (1GB total)
Hard Drive: Western Digital: WD1200JB - 120GB
GPU(Video Card): LeadTek - GeForce 6600GT
AGP 8x
128MB
Core Clock: 500MHz, OC'd to 600.
Mem Clock: 900MHz, OC'd to 1050
PSU: Aspire 520w
All temps are well cooled. When/if I try to play my BF2 I cannot, because the screen will turn all grey and have triangle-ish lights flashing all around, and I just have to end the process (bf2 process). I'm mostly concerned with my FPS and such, because I see other people with this same GPU, similar speed CPU/mobos, and the same amount of RAM, and they get 100FPS and such things, on the same settings or higher as I am trying to run. I know my RAM is not a great brand name, but that could not possibly cause all my errors.. Plz help
Budfred
07-23-2005, 10:32 PM
Please open an HJT scan and put checks by these:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O2 - BHO: (no name) - {BAFF9C05-7B98-2C42-C4AA-5430291821B5} - C:\WINDOWS\System32\saq.dll
O3 - Toolbar: iMeshBar - {5345A7A9-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKCU\..\Run: [Rers] C:\Program Files\onrs\iass.exe
O4 - HKCU\..\Run: [Xxxzhzt] C:\WINDOWS\System32\??rss.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.com/ist/softwares...ysb_regular.cab
It is not clear what this is and I suggest fixing it... It looks suspicious... You could also find the file and check Properties to see if it is from a legit program:
O4 - HKLM\..\Run: [ThemeTray] "C:\Program Files\TopThemes\ThemeTray.exe"
Close all open windows except HJT and click Fix checked...
Find and delete:
C:\Program Files\WebSpecials (the folder)
C:\Program Files\onrs\iass.exe
C:\WINDOWS\System32\??rss.exe
On that last one, the ?? will be two odd characters, probably in Unicode... Be sure not to delete the legit Windows file... You may have to set Windows to show all Hidden and System files to find them...
Reboot and post a fresh log with a report on how things are going...
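A way to check a fix list like the one above against a fresh log mechanically, written for this thread as an added example (it is not HijackThis code and not from either poster): it parses the entry lines of two HJT logs, reports what disappeared between them, and lists which fix-list items still linger. The sample logs are abridged copies of the first two logs in this thread.

```python
"""Compare two HijackThis logs against a fix list.

Added example for this thread; not part of HijackThis. HJT entry lines start
with a section code (R0, R1, O2, O3, O4, O16, O20, O23, ...) followed by
' - '. Header lines and the 'Running processes' list carry no such code and
are skipped. Entries are keyed on (code, body) so the same item in two logs
compares equal regardless of where it appears.
"""
import re

ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")


def parse_hjt(log_text):
    """Return the set of (code, body) entries found in an HJT log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group("code"), m.group("body")))
    return entries


def diff_logs(before_text, after_text):
    """Return (removed, added): entries that vanished and entries that are new."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    return sorted(before - after), sorted(after - before)


def check_fix_list(after_text, fix_list_text):
    """Return (fixed, lingering) for the fix list against the fresh log."""
    after, wanted = parse_hjt(after_text), parse_hjt(fix_list_text)
    return sorted(wanted - after), sorted(wanted & after)


# Abridged sample logs, constructed from the first two logs in this thread.
BEFORE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O2 - BHO: (no name) - {BAFF9C05-7B98-2C42-C4AA-5430291821B5} - C:\WINDOWS\System32\saq.dll
O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
"""

AFTER_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
O2 - BHO: (no name) - {BAFF9C05-7B98-2C42-C4AA-5430291821B5} - C:\WINDOWS\System32\saq.dll
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
"""

# The fix list as a helper would paste it: plain HJT entry lines.
FIX_LIST = r"""R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: iMeshBar BHO - {5345A7A1-805A-4923-B505-86B2FEBA3FE0} - C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL
O2 - BHO: (no name) - {BAFF9C05-7B98-2C42-C4AA-5430291821B5} - C:\WINDOWS\System32\saq.dll
O4 - HKCU\..\Run: [WebSpecials] rundll32 "C:\Program Files\WebSpecials\webspec.dll",run
"""


def report(before_text, after_text, fix_list_text):
    """Build the plain-text summary a helper would want to read."""
    removed, added = diff_logs(before_text, after_text)
    fixed, lingering = check_fix_list(after_text, fix_list_text)
    lines = ["Removed since last log:"] + [f"  {c} - {b}" for c, b in removed]
    lines += ["New since last log:"] + [f"  {c} - {b}" for c, b in added]
    lines += ["Fix list items gone:"] + [f"  {c} - {b}" for c, b in fixed]
    lines += ["Fix list items still present:"] + [f"  {c} - {b}" for c, b in lingering]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BEFORE_LOG, AFTER_LOG, FIX_LIST))
```

Run against the real logs, the "still present" section is exactly what the next reply in a thread like this has to be built from.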
Lythium
07-24-2005, 12:57 AM
I used to get an error for some .dll file once I got to my desktop, and that is now gone. :) Also my WindowBlinds 4.0 thing doesn't pop up on startup now. I knew about that WebSpecials folder b4, but it would not let me delete it for some reason, and also when I tried deleting that rss.exe file, the only thing I could find was csrss.exe; it was a Microsoft server runtime app, and it said I could not delete it, had no authorization, etc.. A problem I forgot to mention in my other post is that I can't defrag my HD. I'm unsure why; I'll try again later after doing this stuff, but I just thought I'd mention that. Also do you think these things could be affecting my FPS in games? Here's the new HJT:
Logfile of HijackThis v1.99.1
Scan saved at 12:54:02 AM, on 7/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\RivaTuner v2.0 RC 15.6\RivaTuner.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\snmp.exe
C:\Documents and Settings\Main\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O2 - BHO: (no name) - {BAFF9C05-7B98-2C42-C4AA-5430291821B5} - C:\WINDOWS\System32\saq.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.0 RC 15.6\RivaTuner.exe" /S
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.0 RC 15.6\RivaTuner.exe" /T
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
-----
Thx a bunch man!!
Budfred
07-24-2005, 01:11 AM
You got most of it, but some still lingers... As for whether it affects your games, probably... Generally malware will slow down the entire system... We will try the HJT fix again, but another scan would be a good idea to see what we are missing...
Open an HJT scan and put a check by:
O2 - BHO: (no name) - {BAFF9C05-7B98-2C42-C4AA-5430291821B5} - C:\WINDOWS\System32\saq.dll
Then close all open windows except HJT and click Fix checked...
Find and delete:
C:\WINDOWS\System32\saq.dll
Try running an MWavScan... It will produce a log in the lower window that has the bad list and you will need to use Ctrl-C to copy it and then paste it here for review.... If the list is extremely long, you can just paste the lines that begin with the word "File" since those are the ones we need to be most concerned about...
http://www.mwti.net/antivirus/free_utilities.asp
It will suggest that you buy the product to fix what it finds, but that is not necessary... Just post the bad part of the scan and we will deal with it...
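Sorting through a long MWAV result list by hand is tedious; the following added example (written for this thread, not part of MWAV or of either post) does mechanically what the reply above asks for: it keeps only the lines that begin with "File", splits each into path, detection name and kind, drops duplicate paths, and buckets the findings by where they sit on disk. The sample lines are constructed in the format shown in this thread, reusing a few of its paths.

```python
"""Triage MWAV scan output of the kind posted in this thread.

Added example; not part of MWAV (eScan) or of this thread. The result lines
shown in the thread take one of these shapes:

  File <path> infected by "<name>" Virus! Action Taken: No Action Taken.
  File <path> tagged as "not-a-virus:<name>". Action Taken: No Action Taken.
  File <path> tagged as not-a-virus:<name>. No Action Taken.   (unquoted form)

Everything else in the output is ignored.
"""
import re
from collections import Counter

RESULT_RE = re.compile(
    r'^File (?P<path>.+?) '
    r'(?:infected by "(?P<infected>[^"]+)" Virus!'
    r'|tagged as "?(?P<tagged>not-a-virus:\S+?)"?\. )'
)


def classify_location(path):
    """Bucket a path by where on the disk it lives; the order of checks matters."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore-point"   # System Restore copies, not live files
    if "\\temp\\" in p:
        return "temp"            # installer droppings in a Temp folder
    if p.startswith("c:\\recycler\\"):
        return "recycle-bin"
    if p.startswith("c:\\windows\\"):
        return "windows"         # live files under the Windows tree
    return "other"


def parse_line(line):
    """Parse one MWAV result line; return a dict, or None for non-result lines."""
    m = RESULT_RE.match(line.strip())
    if not m:
        return None
    if m.group("infected"):
        kind, name = "infected", m.group("infected")
    else:
        # "not-a-virus:AdWare.Foo.a" -> keep the part after the prefix
        kind, name = "not-a-virus", m.group("tagged").split(":", 1)[1]
    path = m.group("path")
    return {"path": path, "kind": kind, "name": name,
            "location": classify_location(path)}


def triage(scan_text):
    """Return the unique findings (by case-insensitive path) in scan order."""
    seen, findings = set(), []
    for line in scan_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["path"].lower() in seen:
            continue
        seen.add(rec["path"].lower())
        findings.append(rec)
    return findings


def summarize(findings):
    """Count findings by detection kind and by location bucket."""
    return {"by_kind": dict(Counter(f["kind"] for f in findings)),
            "by_location": dict(Counter(f["location"] for f in findings))}


# Constructed sample in the format shown in this thread: a few of its lines,
# one duplicate differing only in case, and one non-result line.
SAMPLE_SCAN = r'''File C:\WINDOWS\system32\DrPMon.dll infected by "Trojan.Win32.Agent.db" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\DrPMon.dll infected by "Trojan.Win32.Agent.db" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\srchbar.dll tagged as "not-a-virus:AdWare.ToolBar.VB.f". Action Taken: No Action Taken.
File C:\Documents and Settings\Main\Desktop\Desktop Cache\aida32pe_393.zip tagged as not-a-virus:Tool.Win32.AIDA.3862. No Action Taken.
File C:\DOCUME~1\Main\LOCALS~1\Temp\iinstall.exe infected by "Trojan-Downloader.Win32.IstBar.je" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP12\A0001090.exe infected by "Trojan-Downloader.Win32.Keenval" Virus! Action Taken: No Action Taken.
(constructed filler line that is not a scan result)
'''


if __name__ == "__main__":
    found = triage(SAMPLE_SCAN)
    for f in found:
        print(f"{f['location']:<14} {f['kind']:<12} {f['name']:<36} {f['path']}")
    print(summarize(found))
```

Note that 8.3 paths such as C:\DOCUME~1\... and their long forms are not merged here, so a real scan can still list the same file twice under two spellings.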
Lythium
07-24-2005, 02:10 AM
Well, here's the new HJT scan:
Logfile of HijackThis v1.99.1
Scan saved at 2:09:58 AM, on 7/24/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\RunDll32.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\RivaTuner v2.0 RC 15.6\RivaTuner.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\snmp.exe
C:\DOCUME~1\Main\LOCALS~1\Temp\mwavscan.com
C:\DOCUME~1\Main\LOCALS~1\Temp\kavss.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Main\Desktop\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [CM-SmWizard] C:\WINDOWS\System\SmWizard.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\WinFast\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RivaTunerStartupDaemon] "C:\Program Files\RivaTuner v2.0 RC 15.6\RivaTuner.exe" /S
O4 - HKLM\..\Run: [RivaTuner] "C:\Program Files\RivaTuner v2.0 RC 15.6\RivaTuner.exe" /T
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
Lythium
07-24-2005, 02:12 AM
And here's the MWAV scan (you've got your work cut out for you, I think..):
File C:\WINDOWS\system32\DrPMon.dll infected by "Trojan.Win32.Agent.db" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\srchbar.dll tagged as "not-a-virus:AdWare.ToolBar.VB.f". Action Taken: No Action Taken.
File C:\Documents and Settings\Main\Desktop\Desktop Cache\aida32pe_393.zip tagged as not-a-virus:Tool.Win32.AIDA.3862. No Action Taken.
File C:\Documents and Settings\Main\Desktop\Installs\BankMod.zip tagged as not-a-virus:CrackTool.Win32.HotHook. No Action Taken.
File C:\Documents and Settings\Main\Desktop\Installs\crack22a.exe infected by "Trojan-Dropper.Win32.ExeBundle.286" Virus! Action Taken: No Action Taken.
Lythium
07-24-2005, 02:13 AM
File C:\WINDOWS\dugspe.exe tagged as "not-a-virus:AdWare.BetterInternet.c". Action Taken: No Action Taken.
File C:\WINDOWS\EDow_AS2.exe infected by "Trojan-Downloader.Win32.QDown.m" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\libfushqbab.exe tagged as "not-a-virus:AdWare.BetterInternet". Action Taken: No Action Taken.
File C:\WINDOWS\mm15201518.Stub.exe tagged as "not-a-virus:AdWare.EZula.ah". Action Taken: No Action Taken.
File C:\WINDOWS\mm63.ocx tagged as "not-a-virus:AdWare.MediaMotor.a". Action Taken: No Action Taken.
File C:\WINDOWS\Nail.exe tagged as "not-a-virus:AdWare.BetterInternet.b". Action Taken: No Action Taken.
File C:\WINDOWS\neti.dll infected by "Trojan-Spy.Win32.Spung.a" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\optimize.exe infected by "Trojan-Downloader.Win32.Dyfuca.dx" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\wsem303.dll infected by "Trojan-Downloader.Win32.Dyfuca.dt" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\AcsProxy.dll tagged as "not-a-virus:AdWare.ToolBar.FWN.a". Action Taken: No Action Taken.
File C:\WINDOWS\System32\DrPMon.dll infected by "Trojan.Win32.Agent.db" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\elitecup32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\elitedun32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\unregister.exe tagged as "not-a-virus:AdWare.ToolBar.VB.f". Action Taken: No Action Taken.
File C:\DOCUME~1\Main\LOCALS~1\Temp\180sainstaller.exe tagged as "not-a-virus:AdWare.180Solutions.b". Action Taken: No Action Taken.
File C:\DOCUME~1\Main\LOCALS~1\Temp\8x1EsB.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Main\LOCALS~1\Temp\AcsProxyStub.exe infected by "Trojan-Clicker.Win32.Agent.di" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Main\LOCALS~1\Temp\Del29.tmp infected by "Trojan-Downloader.Win32.Small.asf" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Main\LOCALS~1\Temp\download-mattie--.exe tagged as "not-a-virus:AdWare.MediaMotor.a". Action Taken: No Action Taken.
File C:\DOCUME~1\Main\LOCALS~1\Temp\iinstall.exe infected by "Trojan-Downloader.Win32.IstBar.je" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Main\LOCALS~1\Temp\mediatickets.exe infected by "Trojan-PSW.Win32.Agent.h" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Main\LOCALS~1\Temp\optimize.exe infected by "Trojan-Downloader.Win32.Dyfuca.dx" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Main\LOCALS~1\Temp\Rar$EX00.297\aida32.bin tagged as not-a-virus:Tool.Win32.AIDA.3862. No Action Taken.
File C:\DOCUME~1\Main\LOCALS~1\Temp\Rar$EX00.297\aida32.exe tagged as not-a-virus:Tool.Win32.AIDA.3862. No Action Taken.
File C:\DOCUME~1\Main\LOCALS~1\Temp\Rar$EX00.297\aida_directx.dll tagged as not-a-virus:Tool.Win32.AIDA.3862. No Action Taken.
File C:\DOCUME~1\Main\LOCALS~1\Temp\Rar$EX00.594\backups\backup-20050724-004240-639.dll infected by "Trojan-Downloader.Win32.IstBar.gen" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Main\LOCALS~1\Temp\Rar$EX00.765\aida32.bin tagged as not-a-virus:Tool.Win32.AIDA.3862. No Action Taken.
File C:\DOCUME~1\Main\LOCALS~1\Temp\Rar$EX00.765\aida32.exe tagged as not-a-virus:Tool.Win32.AIDA.3862. No Action Taken.
File C:\DOCUME~1\Main\LOCALS~1\Temp\Rar$EX00.765\aida_directx.dll tagged as not-a-virus:Tool.Win32.AIDA.3862. No Action Taken.
File C:\DOCUME~1\Main\LOCALS~1\Temp\run.exe tagged as "not-a-virus:AdWare.Sahat.z". Action Taken: No Action Taken.
File C:\DOCUME~1\Main\LOCALS~1\Temp\simpletraffic.exe infected by "Trojan-Dropper.Win32.Small.nm" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\Main\LOCALS~1\Temp\TMP1D.tmp tagged as "not-a-virus:AdWare.WebSpecial.a". Action Taken: No Action Taken.
File C:\DOCUME~1\Main\LOCALS~1\Temp\TMP1E.tmp tagged as "not-a-virus:AdWare.WebSpecial.a". Action Taken: No Action Taken.
File C:\DOCUME~1\Main\LOCALS~1\Temp\uppicsvr.exe tagged as "not-a-virus:AdWare.DelphinMedia.Viewer.f". Action Taken: No Action Taken.
File C:\DOCUME~1\Main\LOCALS~1\Temp\webr.exe tagged as "not-a-virus:AdWare.WebRebates.a". Action Taken: No Action Taken.
File C:\DOCUME~1\Main\LOCALS~1\Temp\~vis0000\rebootnt.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\Main\Desktop\Desktop Cache\aida32pe_393.zip tagged as not-a-virus:Tool.Win32.AIDA.3862. No Action Taken.
File C:\Documents and Settings\Main\Desktop\Installs\BankMod.zip tagged as not-a-virus:CrackTool.Win32.HotHook. No Action Taken.
File C:\Documents and Settings\Main\Desktop\Installs\crack22a.exe infected by "Trojan-Dropper.Win32.ExeBundle.286" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Main\Local Settings\Temp\180sainstaller.exe tagged as "not-a-virus:AdWare.180Solutions.b". Action Taken: No Action Taken.
File C:\Documents and Settings\Main\Local Settings\Temp\8x1EsB.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Main\Local Settings\Temp\AcsProxyStub.exe infected by "Trojan-Clicker.Win32.Agent.di" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Main\Local Settings\Temp\Del29.tmp infected by "Trojan-Downloader.Win32.Small.asf" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Main\Local Settings\Temp\download-mattie--.exe tagged as "not-a-virus:AdWare.MediaMotor.a". Action Taken: No Action Taken.
File C:\Documents and Settings\Main\Local Settings\Temp\iinstall.exe infected by "Trojan-Downloader.Win32.IstBar.je" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Main\Local Settings\Temp\mediatickets.exe infected by "Trojan-PSW.Win32.Agent.h" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Main\Local Settings\Temp\optimize.exe infected by "Trojan-Downloader.Win32.Dyfuca.dx" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Main\Local Settings\Temp\Rar$EX00.297\aida32.bin tagged as not-a-virus:Tool.Win32.AIDA.3862. No Action Taken.
File C:\Documents and Settings\Main\Local Settings\Temp\Rar$EX00.297\aida32.exe tagged as not-a-virus:Tool.Win32.AIDA.3862. No Action Taken.
File C:\Documents and Settings\Main\Local Settings\Temp\Rar$EX00.297\aida_directx.dll tagged as not-a-virus:Tool.Win32.AIDA.3862. No Action Taken.
File C:\Documents and Settings\Main\Local Settings\Temp\Rar$EX00.594\backups\backup-20050724-004240-639.dll infected by "Trojan-Downloader.Win32.IstBar.gen" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Main\Local Settings\Temp\Rar$EX00.765\aida32.bin tagged as not-a-virus:Tool.Win32.AIDA.3862. No Action Taken.
File C:\Documents and Settings\Main\Local Settings\Temp\Rar$EX00.765\aida32.exe tagged as not-a-virus:Tool.Win32.AIDA.3862. No Action Taken.
File C:\Documents and Settings\Main\Local Settings\Temp\Rar$EX00.765\aida_directx.dll tagged as not-a-virus:Tool.Win32.AIDA.3862. No Action Taken.
File C:\Documents and Settings\Main\Local Settings\Temp\run.exe tagged as "not-a-virus:AdWare.Sahat.z". Action Taken: No Action Taken.
File C:\Documents and Settings\Main\Local Settings\Temp\simpletraffic.exe infected by "Trojan-Dropper.Win32.Small.nm" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Main\Local Settings\Temp\TMP1D.tmp tagged as "not-a-virus:AdWare.WebSpecial.a". Action Taken: No Action Taken.
File C:\Documents and Settings\Main\Local Settings\Temp\TMP1E.tmp tagged as "not-a-virus:AdWare.WebSpecial.a". Action Taken: No Action Taken.
Lythium
07-24-2005, 02:14 AM
File C:\Documents and Settings\Main\Local Settings\Temp\uppicsvr.exe tagged as "not-a-virus:AdWare.DelphinMedia.Viewer.f". Action Taken: No Action Taken.
File C:\Documents and Settings\Main\Local Settings\Temp\webr.exe tagged as "not-a-virus:AdWare.WebRebates.a". Action Taken: No Action Taken.
File C:\Documents and Settings\Main\Local Settings\Temp\~vis0000\rebootnt.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe tagged as "not-a-virus:AdWare.DelphinMedia.Viewer.f". Action Taken: No Action Taken.
File C:\Program Files\Common Files\updater\sui.exe infected by "Trojan-Downloader.Win32.Keenval" Virus! Action Taken: No Action Taken.
File C:\Program Files\Media Access\MediaAccC.dll tagged as "not-a-virus:AdWare.WinAD.ao". Action Taken: No Action Taken.
File C:\Program Files\Mozilla Firefox\plugins\npzango.dll tagged as "not-a-virus:AdWare.WinAD.aw". Action Taken: No Action Taken.
File C:\Program Files\YourSiteBar\ysb.dll tagged as "not-a-virus:AdWare.ToolBar.YourSiteBar.c". Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-448539723-1682526488-725345543-1003\Dc1.dll tagged as "not-a-virus:AdWare.PurityScan.ak". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP10\A0000738.exe tagged as "not-a-virus:AdWare.WebSearch.aj". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP10\A0000739.dll tagged as "not-a-virus:AdWare.WebSearch.al". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP10\A0000748.exe tagged as "not-a-virus:AdWare.WebSearch.aj". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP10\snapshot\MFEX-2.DAT tagged as "not-a-virus:AdWare.WebSearch.aj". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP10\snapshot\MFEX-3.DAT tagged as "not-a-virus:AdWare.WebSearch.al". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP10\snapshot\MFEX-4.DAT tagged as "not-a-virus:AdWare.WebSearch.al". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP10\snapshot\MFEX-5.DAT tagged as "not-a-virus:AdWare.WebSearch.al". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP10\snapshot\MFEX-6.DAT tagged as "not-a-virus:AdWare.WebSearch.al". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP102\A0078513.exe tagged as "not-a-virus:AdWare.WebSpecial.a". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP11\A0001081.exe tagged as "not-a-virus:AdWare.WebSearch.aj". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP11\A0001082.exe tagged as "not-a-virus:AdWare.Wintol.aa". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP12\A0001087.exe infected by "Trojan-Downloader.Win32.Dyfuca.dp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP12\A0001088.exe infected by "Trojan-Downloader.Win32.Dyfuca.dx" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP12\A0001089.exe infected by "Trojan-Downloader.Win32.Dyfuca.dp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP12\A0001090.exe infected by "Trojan-Downloader.Win32.Keenval" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP12\A0001091.exe infected by "Trojan-Downloader.Win32.Keenval" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP12\A0001093.exe tagged as "not-a-virus:AdWare.Sahat.o". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP12\A0001094.exe tagged as "not-a-virus:AdWare.Sahat.o". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP12\A0001101.exe infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP12\A0001103.exe infected by "Trojan-Dropper.Win32.Agent.hh" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP12\A0001104.dll tagged as "not-a-virus:AdWare.Sahat.l". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP12\A0001105.exe tagged as "not-a-virus:AdWare.Sahat.o". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP12\A0001109.exe tagged as "not-a-virus:AdWare.WebSearch.aj". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP12\A0001110.exe tagged as "not-a-virus:AdWare.Wintol.aa". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP12\A0001112.exe infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP13\A0001115.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP13\A0001122.exe tagged as "not-a-virus:AdWare.BetterInternet". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP13\A0001123.exe tagged as "not-a-virus:AdWare.WebRebates.a". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP13\A0001124.exe tagged as "not-a-virus:AdWare.WebRebates.a". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP13\A0001125.exe tagged as not-a-virus:Tool.Win32.Exporun. No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP13\A0001126.exe tagged as "not-a-virus:AdWare.WebSearch.f". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP13\A0001127.exe tagged as "not-a-virus:AdWare.WebSearch.aj". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP13\A0001128.exe tagged as "not-a-virus:AdWare.WebSearch.al". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP13\A0001129.dll tagged as "not-a-virus:AdWare.WebSearch.aj". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP13\A0001133.exe infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP13\A0001135.exe tagged as "not-a-virus:AdWare.WebRebates.a". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP13\A0001136.dll tagged as "not-a-virus:AdWare.WebSearch.al". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP13\A0001137.exe tagged as "not-a-virus:AdWare.WebSearch.aj". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP13\A0001142.exe infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP13\A0001143.exe tagged as "not-a-virus:AdWare.Wintol.aa". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP13\A0001149.exe tagged as "not-a-virus:AdWare.BetterInternet". Action Taken: No Action Taken.
Lythium
07-24-2005, 02:15 AM
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP13\A0001165.exe tagged as "not-a-virus:AdWare.Wintol.aa". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP13\A0001167.exe infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP13\A0001182.exe tagged as "not-a-virus:AdWare.BetterInternet". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP14\A0001185.dll infected by "Trojan-Downloader.Win32.Dyfuca.gen" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP14\A0001186.dll infected by "Trojan-Downloader.Win32.Keenval.e" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP14\A0001187.exe tagged as "not-a-virus:AdWare.180Solutions". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP14\A0001188.exe infected by "Trojan-Downloader.Win32.Wintool.f" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP14\A0001189.exe infected by "Trojan.Win32.Stervis.c" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP14\A0001190.exe tagged as "not-a-virus:AdWare.WinAD.an". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP14\A0001191.exe infected by "Trojan-Downloader.Win32.IstBar.ij" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP14\A0001192.dll tagged as "not-a-virus:AdWare.WebSpecial.a". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP14\A0001193.exe infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP14\A0001195.exe infected by "Trojan-Downloader.Win32.Delmed.b" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP14\A0001196.exe tagged as "not-a-virus:AdWare.WinAD.as". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP14\A0001197.exe tagged as "not-a-virus:AdWare.MediaMotor.f". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP14\A0001200.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP14\A0001201.dll tagged as "not-a-virus:AdWare.Wintol.y". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP14\A0001202.exe tagged as "not-a-virus:AdWare.DelphinMedia.Viewer.f". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP14\A0001203.exe tagged as "not-a-virus:AdWare.Wintol.aa". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP14\A0001204.exe tagged as "not-a-virus:AdWare.Wintol.aa". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP14\A0001205.exe tagged as "not-a-virus:AdWare.PurityScan.w". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP14\A0001217.exe tagged as "not-a-virus:AdWare.BetterInternet". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP14\A0001219.ocx tagged as "not-a-virus:AdWare.DelphinMediaViewer.c". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP14\A0001220.dll tagged as "not-a-virus:AdWare.DelphinMedia.Viewer.f". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP14\A0001221.exe tagged as "not-a-virus:AdWare.DelphinMedia.Viewer.f". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP15\A0001226.exe infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP15\A0001250.exe tagged as "not-a-virus:AdWare.BetterInternet". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP17\A0001418.exe infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP17\A0001419.exe infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP17\A0001420.exe infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP17\A0001421.exe infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP17\A0001422.exe infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP17\A0001423.exe infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP17\A0001424.exe infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP17\A0001425.exe infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP17\A0001426.exe infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP17\A0001427.exe infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP17\A0001428.exe infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP17\A0001429.exe infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP17\A0001430.exe infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP17\A0001431.exe infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP17\A0001432.exe infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP17\A0001433.exe infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP17\A0001434.exe infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP17\A0001435.exe infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP17\A0001438.exe infected by "Trojan.Win32.Agent.cp" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP7\A0000525.exe tagged as "not-a-virus:AdWare.WebSearch.f". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP8\A0000580.exe tagged as "not-a-virus:AdWare.WebSearch.f". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP8\A0000581.dll tagged as "not-a-virus:AdWare.WebSearch.al". Action Taken: No Action Taken.
Lythium
07-24-2005, 02:16 AM
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP8\snapshot\MFEX-2.DAT tagged as "not-a-virus:AdWare.WebSearch.aj". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP8\snapshot\MFEX-3.DAT tagged as "not-a-virus:AdWare.WebSearch.al". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP8\snapshot\MFEX-4.DAT tagged as "not-a-virus:AdWare.WebSearch.al". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP9\A0000594.dll tagged as "not-a-virus:AdWare.WebSearch.al". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP9\A0000595.exe tagged as "not-a-virus:AdWare.WebSearch.f". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP9\snapshot\MFEX-2.DAT tagged as "not-a-virus:AdWare.WebSearch.aj". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP9\snapshot\MFEX-3.DAT tagged as "not-a-virus:AdWare.WebSearch.al". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP9\snapshot\MFEX-4.DAT tagged as "not-a-virus:AdWare.WebSearch.al". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP9\snapshot\MFEX-5.DAT tagged as "not-a-virus:AdWare.WebSearch.al". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP91\A0061721.exe tagged as not-a-virus:CrackTool.Win32.HotHook. No Action Taken.
File C:\temp\salmhook.dll tagged as "not-a-virus:AdWare.180Solutions". Action Taken: No Action Taken.
File C:\WINDOWS\dugspe.exe tagged as "not-a-virus:AdWare.BetterInternet.c". Action Taken: No Action Taken.
File C:\WINDOWS\EDow_AS2.exe infected by "Trojan-Downloader.Win32.QDown.m" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll tagged as "not-a-virus:AdWare.ToolBar.EliteBar.af". Action Taken: No Action Taken.
File C:\WINDOWS\libfushqbab.exe tagged as "not-a-virus:AdWare.BetterInternet". Action Taken: No Action Taken.
File C:\WINDOWS\mm15201518.Stub.exe tagged as "not-a-virus:AdWare.EZula.ah". Action Taken: No Action Taken.
File C:\WINDOWS\mm63.ocx tagged as "not-a-virus:AdWare.MediaMotor.a". Action Taken: No Action Taken.
File C:\WINDOWS\Nail.exe tagged as "not-a-virus:AdWare.BetterInternet.b". Action Taken: No Action Taken.
File C:\WINDOWS\neti.dll infected by "Trojan-Spy.Win32.Spung.a" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\optimize.exe infected by "Trojan-Downloader.Win32.Dyfuca.dx" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\AcsProxy.dll tagged as "not-a-virus:AdWare.ToolBar.FWN.a". Action Taken: No Action Taken.
File C:\WINDOWS\system32\DrPMon.dll infected by "Trojan.Win32.Agent.db" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\elitecup32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\elitedun32.exe infected by "Trojan.Win32.StartPage.nk" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\nsvsvc\nsv.ocx tagged as "not-a-virus:AdWare.DelphinMediaViewer.c". Action Taken: No Action Taken.
File C:\WINDOWS\system32\nsvsvc\nsvs.dll tagged as "not-a-virus:AdWare.DelphinMedia.Viewer.f". Action Taken: No Action Taken.
File C:\WINDOWS\system32\unregister.exe tagged as "not-a-virus:AdWare.ToolBar.VB.f". Action Taken: No Action Taken.
File C:\WINDOWS\wsem303.dll infected by "Trojan-Downloader.Win32.Dyfuca.dt" Virus! Action Taken: No Action Taken.
----------------
AHHH, that's it! Wow, I am SO surprised... I mean, honestly, that is so many things. I hope you can help me!
Budfred
07-24-2005, 02:30 AM
Okay, I was afraid we might see something like this... Before I break this down to a manual fix, try a few automatic scans to clean it out...
Please download, install, and update the NEW free version of Ewido trojan scanner (http://www.ewido.net/en/download/):
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
From the main ewido screen, click on update in the left menu, then click the Start update button.
After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
If ewido finds anything, it will pop up a notification. We have been finding some cases of false positives with the new version of Ewido, so we need to step through the fixes one-by-one. If Ewido finds something that you KNOW is legitimate (for example, parts of AVG Antivirus, pcAnywhere and the game "Risk" have been flagged), select "none" as the action. DO NOT check "Perform action with all infections". If you are unsure of an entry, select "none" for the time being. I'll see that in the log you will post later and let you know if ewido needs to be run again.
When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Then run one of the online virus scans in my signature... Housecall is probably the best choice right now...
Then download, install and update Ad-Aware SE and Spybot... Do not set up resident protection in either of them... Here are links to instructions for how to use them...
http://forums.spywareinfo.com/index.php?showtopic=11150
http://forums.spywareinfo.com/index.php?showtopic=18080
Much of what is in that log is in System Restore, so do a reset of System Restore to set up a new Restore Point after these scans...
Turn off System Restore
To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.
Turn on System Restore
To turn on System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
Then download and run CCleaner to clear out Temporary folders:
http://www.ccleaner.com/
Once you complete all of these steps, run another MWavScan and post it here... We will clean up whatever is left...
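The MWavScan output quoted in this thread has a regular shape, and the triage Budfred does by eye above (most hits are copies held by System Restore; live hits repeat under System32 and system32) can be done by script. The Python below is an added example, not code from the thread or from the MWAV tool: it parses lines in the format shown above, separates restore-point copies (the `_restore{GUID}\RPnn\A00…` paths, which are dealt with by resetting System Restore) from files on the live filesystem, and de-duplicates paths case-insensitively. The sample lines are constructed in that format from paths that appear in the thread; the field names and the `parse_line`, `triage` and `report` functions are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the MWavScan line format posted in this thread. The paths
# are ones that appear in the thread; the selection is deliberately small.
SAMPLE_LOG = r"""
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP13\A0001115.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP13\A0001125.exe tagged as not-a-virus:Tool.Win32.Exporun. No Action Taken.
File C:\WINDOWS\system32\unregister.exe tagged as "not-a-virus:AdWare.ToolBar.VB.f". Action Taken: No Action Taken.
File C:\WINDOWS\System32\unregister.exe tagged as "not-a-virus:AdWare.ToolBar.VB.f". Action Taken: No Action Taken.
File C:\WINDOWS\neti.dll infected by "Trojan-Spy.Win32.Spung.a" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Main\Desktop\Installs\crack22a.exe infected by "Trojan-Dropper.Win32.ExeBundle.286" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\Main\Desktop\Installs\crack22a.exe infected by "Trojan-Dropper.Win32.ExeBundle.286" Virus! Action Taken: No Action Taken.
"""

# Three line shapes occur in the log:
#   File <path> infected by "<name>" Virus! Action Taken: <action>
#   File <path> tagged as "<name>". Action Taken: <action>
#   File <path> tagged as <name>. <action>            (unquoted variant)
LINE_RE = re.compile(
    r'^File (?P<path>.+?) '
    r'(?:infected by "(?P<infected>[^"]+)" Virus!'
    r'|tagged as "?(?P<tagged>\S+?)"?\.)'
    r'\s+(?:Action Taken: )?(?P<action>.+)$'
)

# Copies held by System Restore live under ...\_restore{GUID}\RPnn\A00nnnnnn.ext
RESTORE_RE = re.compile(
    r'\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\(RP\d+)\\', re.I)


def parse_line(line):
    """Parse one MWavScan result line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    path = m.group("path")
    rp = RESTORE_RE.search(path)
    return {
        "path": path,
        "name": m.group("infected") or m.group("tagged"),
        # "infected" is the scanner's malware verdict; "tagged" covers the
        # not-a-virus:AdWare / Tool / CrackTool classes
        "severity": "infected" if m.group("infected") else "tagged",
        "restore_point": rp.group(1) if rp else None,
        "action": m.group("action"),
    }


def triage(log_text):
    """Split hits into live-filesystem files (deduplicated case-insensitively,
    since NTFS paths are case-insensitive) and restore-point copies grouped by RP."""
    live, restore = {}, defaultdict(list)
    for line in log_text.splitlines():
        hit = parse_line(line)
        if hit is None:
            continue
        if hit["restore_point"]:
            restore[hit["restore_point"]].append(hit)
        else:
            live.setdefault(hit["path"].lower(), hit)
    return {"live": list(live.values()), "restore_points": dict(restore)}


def report(result):
    """Human-readable summary, malware verdicts first, restore points last."""
    lines = []
    for hit in sorted(result["live"], key=lambda h: h["severity"] != "infected"):
        lines.append("%-8s %-45s %s" % (hit["severity"], hit["name"], hit["path"]))
    for rp, hits in sorted(result["restore_points"].items()):
        lines.append("%s: %d copies held by System Restore (clear by resetting restore points)"
                     % (rp, len(hits)))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run against the full log from the thread, `triage` collapses the case-duplicated unregister.exe hits into one live entry and lists every restore point that still holds a detection, which is exactly the "how many are really left" question Budfred answers by hand later in the thread.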
Lythium
07-24-2005, 04:09 AM
New Mwav scan:
File C:\Documents and Settings\Main\Desktop\Desktop Cache\aida32pe_393.zip tagged as not-a-virus:Tool.Win32.AIDA.3862. No Action Taken.
File C:\Documents and Settings\Main\Desktop\Installs\BankMod.zip tagged as not-a-virus:CrackTool.Win32.HotHook. No Action Taken.
File C:\Documents and Settings\Main\Desktop\Installs\crack22a.exe infected by "Trojan-Dropper.Win32.ExeBundle.286" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\unregister.exe tagged as "not-a-virus:AdWare.ToolBar.VB.f". Action Taken: No Action Taken.
File C:\Documents and Settings\Main\Desktop\Desktop Cache\aida32pe_393.zip tagged as not-a-virus:Tool.Win32.AIDA.3862. No Action Taken.
File C:\Documents and Settings\Main\Desktop\Installs\BankMod.zip tagged as not-a-virus:CrackTool.Win32.HotHook. No Action Taken.
File C:\Documents and Settings\Main\Desktop\Installs\crack22a.exe infected by "Trojan-Dropper.Win32.ExeBundle.286" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP103\A0078706.dll tagged as "not-a-virus:AdWare.PurityScan.ak". Action Taken: No Action Taken.
File C:\WINDOWS\system32\unregister.exe tagged as "not-a-virus:AdWare.ToolBar.VB.f". Action Taken: No Action Taken.
----
Much better, only 16 or so instead of 200 and something. Still a ways to go, though; I'll check back in a bit for your next instructions. THX
Budfred
07-24-2005, 11:41 AM
Actually there are really only 3...
First please download Killbox:
http://www.downloads.subratam.org/KillBox.zip
Then copy/paste this list into a Notepad file so that you can access it in Safe Mode... Boot to Safe Mode (tap F8 just before Windows starts loading and select Safe Mode)... Choose the "Delete on reboot" and "End Explorer Shell while Killing file" options... Copy/paste the entire list into the line for the file... It should be able to accept the whole list, but if it doesn't you will need to enter them one at a time... Do not click through to close it out and reboot until they have all been entered... Once they are all entered, click through to kill them...
C:\Documents and Settings\Main\Desktop\Installs\BankMod.zip
C:\Documents and Settings\Main\Desktop\Installs\crack22a.exe
C:\WINDOWS\System32\unregister.exe
This suggests that your latest Restore Point is still contaminated, so you will need to reset that again:
C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP103\A0078706.dll
Once you finish these, reboot to Normal Mode and post a fresh MWavScan...
Lythium
07-24-2005, 12:40 PM
New Mwav scan. (I forgot to reset the restore points...) In a hurry before work. I'll do that and post a newer one when I get home. Here's this (after running Killbox):
File C:\Documents and Settings\Main\Desktop\Desktop Cache\aida32pe_393.zip tagged as not-a-virus:Tool.Win32.AIDA.3862. No Action Taken.
File C:\Documents and Settings\Main\Desktop\Installs\crack22a.exe infected by "Trojan-Dropper.Win32.ExeBundle.286" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\System32\unregister.exe tagged as "not-a-virus:AdWare.ToolBar.VB.f". Action Taken: No Action Taken.
File C:\Documents and Settings\Main\Desktop\Desktop Cache\aida32pe_393.zip tagged as not-a-virus:Tool.Win32.AIDA.3862. No Action Taken.
File C:\Documents and Settings\Main\Desktop\Installs\crack22a.exe infected by "Trojan-Dropper.Win32.ExeBundle.286" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP103\A0078706.dll tagged as "not-a-virus:AdWare.PurityScan.ak". Action Taken: No Action Taken.
File C:\WINDOWS\system32\unregister.exe tagged as "not-a-virus:AdWare.ToolBar.VB.f". Action Taken: No Action Taken.
Budfred
07-24-2005, 03:29 PM
Two of the 3 files are still there... Are you sure you used Safe Mode?? If not, do it with Safe Mode and try going directly to the files and deleting them manually... It is possible that they are reinstated by some other program, so we need to make sure you try the direct approach before we go for other scans to try to find it...
If they are still there, try a Silent Runners scan...
Please download SilentRunners from here:
http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the desktop and double-click on it. If you get any kind of warning message about scripts, please choose to allow the script to run. When the scan is finished, it will create a logfile on the desktop. Please post the entire contents of this logfile for me to see.
Lythium
07-24-2005, 10:42 PM
Newest Mwav:
File C:\WINDOWS\System32\unregister.exe tagged as "not-a-virus:AdWare.ToolBar.VB.f". Action Taken: No Action Taken.
File C:\RECYCLER\S-1-5-21-448539723-1682526488-725345543-1003\Dc15.exe infected by "Trojan-Dropper.Win32.ExeBundle.286" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP103\A0078706.dll tagged as "not-a-virus:AdWare.PurityScan.ak". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP103\A0078795.exe tagged as "not-a-virus:AdWare.ToolBar.VB.f". Action Taken: No Action Taken.
File C:\WINDOWS\system32\unregister.exe tagged as "not-a-virus:AdWare.ToolBar.VB.f". Action Taken: No Action Taken.
Budfred
07-24-2005, 10:59 PM
Well one of them is still there and now there is another new one and a new one in System Restore... Again, are you using Safe Mode??
Go with the Silent Runners log...
Lythium
07-24-2005, 11:07 PM
It won't allow me to delete unregister.exe because it says it's a valid Microsoft file... and yes, I am using Safe Mode. I'll run Silent Runners and post that.
Lythium
07-24-2005, 11:09 PM
Silent Runners Log:
"Silent Runners.vbs", revision 39, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"
Startup items buried in registry:
---------------------------------
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"AIM" = "C:\Program Files\AIM\aim.exe -cnetwait.odl" ["America Online, Inc."]
"Steam" = "C:\Program Files\Valve\Steam\\Steam.exe -silent" ["Valve Corporation"]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"WinampAgent" = "C:\Program Files\Winamp\winampa.exe" [null data]
"Cmaudio" = "RunDll32 cmicnfg.cpl,CMICtrlWnd" [MS]
"CM-SmWizard" = "C:\WINDOWS\System\SmWizard.exe" ["C-Media Electronics Inc."]
"KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
"ViewMgr" = "C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe" ["Viewpoint Corporation"]
"WinFast Schedule" = "C:\Program Files\WinFast\WFTVFM\WFWIZ.exe" ["Leadtek Research Inc."]
"NvCplDaemon" = "RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup" [MS]
"nwiz" = "nwiz.exe /install" ["NVIDIA Corporation"]
"NvMediaCenter" = "RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit" [MS]
"RivaTunerStartupDaemon" = ""C:\Program Files\RivaTuner v2.0 RC 15.6\RivaTuner.exe" /S" [empty string]
"RivaTuner" = ""C:\Program Files\RivaTuner v2.0 RC 15.6\RivaTuner.exe" /T" [empty string]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx\ {++}
"Flag" = 2
HKLM\Software\Microsoft\Active Setup\Installed Components\
{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}\(Default) = "Internet Explorer Access"
\StubPath = "rundll32 iesetup.dll,IEAccessUserInst" [MS]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{A7327C09-B521-4EDB-8509-7D2660C9EC98}\(Default) = "Viewpoint Toolbar BHO" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll" ["Viewpoint Corporation"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{2F5AC606-70CF-461C-BFE1-734234536262}" = "WindowBlinds CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbui.dll" ["Stardock.Net, Inc"]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{A70C977A-BF00-412C-90B7-034C51DA2439}" = "NvCpl DesktopContext Class"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{FFB699E0-306A-11d3-8BD1-00104B6F7516}" = "Play on my TV helper"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvcpl.dll" ["NVIDIA Corporation"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A48}" = "nView Desktop Context Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\
INFECTION WARNING! "AppInit_DLLs" = "wbsys.dll" ["Stardock.Net, Inc"]
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! WB\DLLName = "C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll" ["Stardock"]
HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
WinRAR\(Default) = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
Active Desktop and Wallpaper:
-----------------------------
Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState
HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\WINDOWS\Firefox Wallpaper.bmp"
Enabled Screen Saver:
---------------------
HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\ssmarque.scr" [MS]
Startup items in "Main" & "All Users" startup folders:
------------------------------------------------------
C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]
"VIA RAID TOOL" -> shortcut to: "C:\Program Files\VIA\RAID\raid_tool.exe" ["VIA Technologies"]
Winsock2 Service Provider DLLs:
-------------------------------
Namespace Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
Transport Service Providers
HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 11
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05
Toolbars, Explorer Bars, Extensions:
------------------------------------
Toolbars
HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{5345A7A9-805A-4923-B505-86B2FEBA3FE0}" = "iMeshBar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iMeshBar\bar\1.bin\IMESHBAR.DLL" [file not found]
HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{F8AD5AA5-D966-4667-9DAF-2561D68B2012}" = "Viewpoint Toolbar" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll" ["Viewpoint Corporation"]
Explorer Bars
Dormant Explorer Bars in "View, Explorer Bar" menu
HKLM\Software\Classes\CLSID\{5345A7AE-805A-4923-B505-86B2FEBA3FE0}\ = "iMeshBar Quick View"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\WINDOWS\System32\shdocvw.dll" [MS]
Extensions (Tools menu items, main toolbar menu buttons)
HKLM\Software\Microsoft\Internet Explorer\Extensions\
{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]
Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
NVIDIA Display Driver Service, NVSvc, "C:\WINDOWS\System32\nvsvc32.exe" ["NVIDIA Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]
----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 12 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 7 seconds.
---------- (total run time: 54 seconds)
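The "Toolbars" section of the log above is produced by resolving each GUID-named value under the IE Toolbar keys through HKCR\CLSID\{guid}\InProcServer32 and checking whether the DLL exists ("[from CLSID]", "[file not found]"). The following PowerShell does the same lookup; it is an added example written for this page, not Silent Runners' or HijackThis' code. It assumes a modern Windows host with PowerShell and reads only the registry, so it is safe to run on a box under investigation; the function name is mine.

```powershell
# Added example: enumerate IE toolbar registrations (HKLM and the per-user
# ShellBrowser key), resolve each CLSID to its InProcServer32 DLL, and report
# whether the DLL is on disk and who signed it.
function Get-IEToolbarEntry {
    $keys = @(
        'HKLM:\Software\Microsoft\Internet Explorer\Toolbar',
        'HKCU:\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser'
    )
    foreach ($k in $keys) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        $reg = Get-Item -LiteralPath $k
        foreach ($name in $reg.GetValueNames()) {
            # Only GUID-shaped value names are toolbar registrations.
            if ($name -notmatch '^\{[0-9A-Fa-f-]{36}\}$') { continue }

            $clsid    = "Registry::HKEY_CLASSES_ROOT\CLSID\$name"
            $friendly = $null
            $dll      = $null
            if (Test-Path -LiteralPath $clsid) {
                $friendly = (Get-Item -LiteralPath $clsid).GetValue('')
                $srv = "$clsid\InProcServer32"
                if (Test-Path -LiteralPath $srv) {
                    # GetValue expands REG_EXPAND_SZ (%SystemRoot% etc.) for us.
                    $dll = (Get-Item -LiteralPath $srv).GetValue('')
                }
            }

            $path   = if ($dll) { $dll.Trim('"') } else { $null }
            $onDisk = if ($path) { Test-Path -LiteralPath $path } else { $false }
            $signer = $null
            if ($onDisk) {
                $sig = Get-AuthenticodeSignature -FilePath $path
                $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'unsigned' }
            }

            [pscustomobject]@{
                Hive   = $k
                CLSID  = $name
                # Prefer the CLSID's default value, as the log's "[from CLSID]" does.
                Name   = if ($friendly) { $friendly } else { $reg.GetValue($name) }
                DLL    = $dll
                OnDisk = $onDisk
                Signer = $signer
            }
        }
    }
}

Get-IEToolbarEntry | Format-Table -AutoSize
```

An entry whose CLSID no longer resolves, or whose DLL is missing (the iMeshBar case in the log), is a dead registration and can simply be removed; an entry whose DLL exists but is unsigned or signed by an unfamiliar party is the one to look at first.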
Budfred
07-24-2005, 11:32 PM
Okay... Find and delete this folder:
C:\Program Files\iMeshBar
Find this file and check Properties to see if it is really an MS file and if it is listed as ReadOnly...
C:\WINDOWS\System32\unregister.exe
If it is not MS, change the Attribute to Archive and kill it... Rename it to unregister.old if you are not sure...
Use KillBox on this one:
C:\RECYCLER\S-1-5-21-448539723-1682526488-725345543-1003\Dc15.exe
And reset System Restore...
Post a fresh MWavScan when done...
Lythium
07-25-2005, 12:06 AM
Newest Mwav:
File C:\Documents and Settings\Main\Desktop\Desktop Cache\aida32pe_393.zip tagged as not-a-virus:Tool.Win32.AIDA.3862. No Action Taken.
File C:\WINDOWS\System32\unregister.old.exe tagged as "not-a-virus:AdWare.ToolBar.VB.f". Action Taken: No Action Taken.
File C:\Documents and Settings\Main\Desktop\Desktop Cache\aida32pe_393.zip tagged as not-a-virus:Tool.Win32.AIDA.3862. No Action Taken.
File C:\System Volume Information\_restore{3DA96D4E-4484-4309-948F-9237BDB5832B}\RP104\A0078903.exe infected by "Trojan-Dropper.Win32.ExeBundle.286" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\unregister.old.exe tagged as "not-a-virus:AdWare.ToolBar.VB.f". Action Taken: No Action Taken.
Budfred
07-25-2005, 07:52 AM
What did you find on this one??
C:\WINDOWS\system32\unregister.old.exe
That needs to be unregister.old or unregister.exe.old to make sure it doesn't run...
You still have one in System Restore which suggests that something is still loading it there... Time to try another scan... Try running this RKfiles and post the log:
http://skads.org/special/rkfiles.zip
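The two checks Budfred asks for above (is the file really a Microsoft file, is it ReadOnly, and rename it so it cannot run; then, in the follow-up, the point that unregister.old.exe still runs because Windows only looks at the last extension) as a PowerShell script. This is an added example for this page, not code from the thread or from any tool it mentions. It assumes a modern Windows host with PowerShell, an elevated prompt (System32 is not writable otherwise), and the path C:\WINDOWS\System32\unregister.exe named in the thread; the function names are mine.

```powershell
# Added example: verify a suspect binary's signature, clear ReadOnly, and
# rename it so that no executable extension is left on the name.

function Test-MicrosoftSigned {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Valid signature AND the signer is Microsoft. Unsigned files and files
    # signed by anyone else are treated as "not MS".
    return ($sig.Status -eq 'Valid' -and
            $sig.SignerCertificate.Subject -match 'O=Microsoft Corporation')
}

function Test-StillExecutable {
    param([Parameter(Mandatory)][string]$Name)
    # Windows decides by the LAST extension only; PATHEXT lists the ones it runs.
    $exts = @($env:PATHEXT -split ';' | Where-Object { $_ })
    if ($exts.Count -eq 0) { $exts = '.COM', '.EXE', '.BAT', '.CMD', '.VBS', '.JS', '.SCR', '.PIF' }
    return $exts -contains [IO.Path]::GetExtension($Name)   # -contains is case-insensitive
}

function Disable-SuspectFile {
    param([Parameter(Mandatory)][string]$Path)
    $item = Get-Item -LiteralPath $Path -Force
    if ($item.IsReadOnly) { $item.IsReadOnly = $false }     # clear ReadOnly so rename/delete is not blocked
    $newName = $item.Name + '.old'                          # unregister.exe -> unregister.exe.old
    if (Test-StillExecutable $newName) { throw "refusing: $newName would still be executable" }
    Rename-Item -LiteralPath $Path -NewName $newName
    return Join-Path $item.DirectoryName $newName
}

$target = 'C:\WINDOWS\System32\unregister.exe'
if (-not (Test-Path -LiteralPath $target)) {
    "$target not present"
} else {
    $item = Get-Item -LiteralPath $target -Force
    "{0}: ReadOnly={1}, Size={2}" -f $target, $item.IsReadOnly, $item.Length
    if (Test-MicrosoftSigned $target) {
        "Valid Microsoft signature; leaving it alone."
    } else {
        "Not Microsoft-signed; renamed to " + (Disable-SuspectFile $target)
    }
}

# The mistake from the follow-up post, checked explicitly:
Test-StillExecutable 'unregister.old.exe'   # True  - still runs
Test-StillExecutable 'unregister.exe.old'   # False - neutralised
```

Two caveats: on older Windows versions Get-AuthenticodeSignature does not consult the signature catalogs, so a genuine catalog-signed system file can report NotSigned; confirm with Sysinternals sigcheck -a or against a known-clean copy before killing anything in System32. And the copy flagged under C:\System Volume Information\_restore{...} is System Restore's own snapshot, which is why the reply above asks for System Restore to be reset: renaming the live file does nothing to that copy.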
