Unknown Virus-----PLEASE PLEASE HELP VERY URGENTLY

Discussion in 'Windows - Virus and spyware problems' started by dayglow, Aug 31, 2006.

  1. dayglow

    dayglow Guest

    Hallo All!!!

    Sorry for being so bold. I have a big problem with some virus. It's not on this PC. If I connect to the internet with the other PC, all the bandwidth is taken up by this virus: it's downloading something, and I'd rather not go on the net with it.

    The problem is as follows: if I start up the PC it wants to connect to the internet, and no matter what I do it tries to connect to the internet again and again and again, and I have to press Cancel a million times. It opens a box with my network connections and a message says:

    "You (or a program) is trying to retrieve information from
    pulse.cbz1.biz. Select a network connection:"

    If I do connect to the internet, some spam sites open, and open again and again.

    Another thing I've noticed is that when I start up my PC and it opens Windows XP, a tiny grey spot appears in the middle of the screen. I clicked on it and it's a link, obviously to a spam/spyware site.

    GET THIS - When I try to open Ewido or try to install Norton 2005, they automatically close after a second or so. Just like that. Obviously this virus is serious.

    HijackThis also doesn't work, so I can't even give you a log.

    I've tried to run everything in safe mode but I still get the same results.

    PLEASE HELP URGENTLY - WE USE THIS COMPUTER FOR BUSINESS AND TIME IS MONEY. You guys can help as fast as you can though. I don't want to be rude.
     
  2. Niobis

    Niobis Active member

    Damn, wish we could get a log of some sort.

    My advice would be to download some antiviruses from the computer you are on now, burn them to a disc and try installing them to the infected computer. Top 3 you should try to install:

    Microsoft Malicious Antivirus
    AVG
    Spybot(may be helpful)

    Try to install *any* other antiviruses you have or can get. If we can get just one log, we will be doing great!

    Let me know how things go.

    Edit: Also try this:
    http://www.atribune.org/ccount/click.php?id=4 get VundoFix. There is no install required, so this may be of some use.

    Here are the instructions just in case you can use it:

    Double-click VundoFix.exe to run it.
    Click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files, click YES
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will reboot your computer, click OK.
    Please post the contents of C:\vundofix.txt
     
    Last edited: Aug 31, 2006
  3. thugs121

    thugs121 Regular member

    If burning to a disc is not possible, you can try using a USB drive or an external hard drive...

    Here's a stand-alone virus scanner from McAfee, called Stinger: http://download.nai.com/products/mcafee-avert/stng260.exe

    This will scan for a limited number of viruses and their variants...

    CoolWebShredder: http://www.trendmicro.com/ftp/products/online-tools/cwshredder.exe

    Another anti-spyware tool you can try to get: SUPERAntiSpyware

    http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE

    If you manage to get the programs that Niobis and I mentioned, I would recommend updating for latest signatures before disconnecting that computer from the internet...
     
  4. Niobis

    Niobis Active member

    @thugs121,

    I was asking dayglow to download those programs from the *un*infected computer, then install them on the infected computer from a disc or, as you said, an external device. The infection continuously tries to connect to the internet, and this is what we *do not* want to happen. Therefore, a stand-alone scanner is out of the question until this beast is contained.
     
  5. thugs121

    thugs121 Regular member

    Niobis:

    Maybe my comments confused you. Sometimes I confuse myself, too ;) ...

    Now that I looked back on my statement, I forgot to mention using the uninfected comp to get the progs onto the USB drive or an external drive. My bad...

    The stand-alone anti-virus scanner (Stinger) does not have the ability to update for the latest signatures. The signatures are within the program itself so it is safe to download and use it. Also, there is no need for installation as it is an executable and can be used right off the bat.

    Sorry if there was confusion on my previous statements.

    @dayglow

    Good luck in getting rid of that infection...
     
  6. Niobis

    Niobis Active member

    :D yeah, I got a little confused there. I thought you were asking him to use the virus scanner from the infected computer. Sorry mate...

    Edit: @dayglow, :D I thought you said "time is money"? Here you've wasted an entire day. ;)

    Just kidding mate, let us know how things are going. I'm anxious to see what this virus is as it seems damn serious!
     
    Last edited: Aug 31, 2006
  7. dayglow

    dayglow Guest

    Thanks guys for the help.

    I tried all the antivirus programs you gave me, but only the stand-alone Stinger worked slightly. It managed to open, which none of the other programs did, and it found a single Trojan and a single virus .exe file. It cleaned them, but the problem remains. I want to try the online scans, but the virus eats up all the bandwidth, so I don't think that'll work very well.

    Everything else, including AVG, CWShredder, VundoFix and SUPERAntiSpyware, didn't work. The virus keeps closing the applications automatically, rendering them completely useless.

    I managed to stop the virus from connecting to the internet by temporarily deleting the internet connection under Network Connections - it'll be easy to set it up again.

    One thing I want to try out is Spybot, but the Spybot website has a million little applications and I don't know which ones to use. Can you guys give me any advice on which Spybot apps to use?

    Any other ideas or advice will be more than welcome.

    This virus is a killer!!!!! A definite challenge........
     
  8. Niobis

    Niobis Active member

    Spybot Search and Destroy

    Microsoft Malicious Antivirus

    Your Windows has to be verified, so I'm not sure how to transfer it to a different PC; try it.

    If the transfer cannot be done, restart in "Safe Mode with Networking" (press F8 upon boot, select "Safe Mode With Networking" from the menu).
    Then try to download Malicious Antivirus or use an online scanner.
     
    Last edited: Sep 1, 2006
  9. maca1

    maca1 Regular member

    @dayglow

    Download WinPFind
    http://www.bleepingcomputer.com/files/winpfind.php
    Right Click the Zip Folder and Select "Extract All"
    Extract it somewhere you will remember like the Desktop
    Don’t do anything with it yet!

    Reboot into Safe Mode.


    Double click WinPFind.exe
    Click "Start Scan"
    It will scan the entire System, so please be patient and let it complete.


    Reboot back to Normal Mode!

    Go to the WinPFind folder
    Locate WinPFind.txt
    Copy and paste WinPFind.txt in your next post here please.
     
  10. dayglow

    dayglow Guest

    @maca1

    Heya! Thanks for the help.......

    Here's the results for the WinPFind scan you requested........



    WARNING: not all files found by this scanner are bad. Consult with a knowledgable person before proceeding.

    If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows somethimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.

    »»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    Product Name: Microsoft Windows XP Current Build: Current Build Number: 2600
    Internet Explorer Version: 6.0.2600.0000

    »»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

    Checking %SystemDrive% folder...
    UPX! 8/30/2006 11:04:32 PM 25105 C:\MTE3NDI6ODoxNg.exe

    Checking %ProgramFilesDir% folder...

    Checking %WinDir% folder...

    Checking %System% folder...
    Umonitor 11/3/1998 1:01:02 AM 324608 C:\WINDOWS\SYSTEM32\ipebase11.dll
    WinShutDown 9/1/2006 10:02:48 AM R S 236765 C:\WINDOWS\SYSTEM32\kvdmon.dll
    ad-w-a-r-e.com 9/1/2006 10:02:48 AM R S 236765 C:\WINDOWS\SYSTEM32\kvdmon.dll
    WinShutDown 9/1/2006 10:22:48 AM R S 233963 C:\WINDOWS\SYSTEM32\ksdtuf.dll
    ad-w-a-r-e.com 9/1/2006 10:22:48 AM R S 233963 C:\WINDOWS\SYSTEM32\ksdtuf.dll
    WinShutDown 9/1/2006 10:27:18 AM R S 236765 C:\WINDOWS\SYSTEM32\mhaudite.dll
    ad-w-a-r-e.com 9/1/2006 10:27:18 AM R S 236765 C:\WINDOWS\SYSTEM32\mhaudite.dll
    PEC2 8/23/2001 12:00:00 PM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
    Umonitor 8/23/2001 12:00:00 PM 630784 C:\WINDOWS\SYSTEM32\rasdlg.dll
    winsync 8/23/2001 12:00:00 PM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
    WinShutDown 9/2/2006 2:16:00 PM R S 233963 C:\WINDOWS\SYSTEM32\mbrui.dll
    ad-w-a-r-e.com 9/2/2006 2:16:00 PM R S 233963 C:\WINDOWS\SYSTEM32\mbrui.dll
    UPX! 8/23/2001 12:00:00 PM RHS 173056 C:\WINDOWS\SYSTEM32\wkssvr.exe
    UPX! 8/30/2006 11:03:12 AM 173056 C:\WINDOWS\SYSTEM32\26274_netapi.exe
    PEC2 8/30/2006 10:17:32 PM 73216 C:\WINDOWS\SYSTEM32\winocx.exe
    WinShutDown 8/30/2006 10:18:04 PM R S 234272 C:\WINDOWS\SYSTEM32\rdr20.dll
    ad-w-a-r-e.com 8/30/2006 10:18:04 PM R S 234272 C:\WINDOWS\SYSTEM32\rdr20.dll
    WinShutDown 8/30/2006 10:18:12 PM R S 234272 C:\WINDOWS\SYSTEM32\rxcns4.dll
    ad-w-a-r-e.com 8/30/2006 10:18:12 PM R S 234272 C:\WINDOWS\SYSTEM32\rxcns4.dll
    UPX! 8/30/2006 10:18:42 PM 29696 C:\WINDOWS\SYSTEM32\w0d1af91.dll
    UPX! 8/30/2006 10:19:22 PM 61952 C:\WINDOWS\SYSTEM32\xjdc9638.dll
    WinShutDown 8/30/2006 11:06:02 PM R S 234272 C:\WINDOWS\SYSTEM32\doskmon.dll
    ad-w-a-r-e.com 8/30/2006 11:06:02 PM R S 234272 C:\WINDOWS\SYSTEM32\doskmon.dll
    WinShutDown 8/31/2006 9:10:04 AM R S 234272 C:\WINDOWS\SYSTEM32\nainst32.dll
    ad-w-a-r-e.com 8/31/2006 9:10:04 AM R S 234272 C:\WINDOWS\SYSTEM32\nainst32.dll
    WinShutDown 8/31/2006 9:17:04 AM R S 234272 C:\WINDOWS\SYSTEM32\e0jmla111d.dll
    ad-w-a-r-e.com 8/31/2006 9:17:04 AM R S 234272 C:\WINDOWS\SYSTEM32\e0jmla111d.dll
    WinShutDown 8/31/2006 9:18:04 AM R S 234272 C:\WINDOWS\SYSTEM32\cvcui.dll
    ad-w-a-r-e.com 8/31/2006 9:18:04 AM R S 234272 C:\WINDOWS\SYSTEM32\cvcui.dll
    WinShutDown 8/31/2006 9:52:50 AM R S 235546 C:\WINDOWS\SYSTEM32\l4p2le7o1h.dll
    ad-w-a-r-e.com 8/31/2006 9:52:50 AM R S 235546 C:\WINDOWS\SYSTEM32\l4p2le7o1h.dll
    WinShutDown 8/31/2006 9:52:50 AM R S 234272 C:\WINDOWS\SYSTEM32\lJprxy.dll
    ad-w-a-r-e.com 8/31/2006 9:52:50 AM R S 234272 C:\WINDOWS\SYSTEM32\lJprxy.dll
    WinShutDown 8/31/2006 10:00:36 AM R S 234272 C:\WINDOWS\SYSTEM32\oiedlg.dll
    ad-w-a-r-e.com 8/31/2006 10:00:36 AM R S 234272 C:\WINDOWS\SYSTEM32\oiedlg.dll
    WinShutDown 8/31/2006 10:36:42 AM R S 235676 C:\WINDOWS\SYSTEM32\phrfctrs.dll
    ad-w-a-r-e.com 8/31/2006 10:36:42 AM R S 235676 C:\WINDOWS\SYSTEM32\phrfctrs.dll
    WinShutDown 8/31/2006 2:34:24 PM R S 235950 C:\WINDOWS\SYSTEM32\dunet.dll
    ad-w-a-r-e.com 8/31/2006 2:34:24 PM R S 235950 C:\WINDOWS\SYSTEM32\dunet.dll
    WinShutDown 8/31/2006 6:53:46 PM R S 235676 C:\WINDOWS\SYSTEM32\fpr0039me.dll
    ad-w-a-r-e.com 8/31/2006 6:53:46 PM R S 235676 C:\WINDOWS\SYSTEM32\fpr0039me.dll
    WinShutDown 8/31/2006 6:55:20 PM R S 235950 C:\WINDOWS\SYSTEM32\wbnrnr.dll
    ad-w-a-r-e.com 8/31/2006 6:55:20 PM R S 235950 C:\WINDOWS\SYSTEM32\wbnrnr.dll
    WinShutDown 8/31/2006 8:39:40 PM R S 235676 C:\WINDOWS\SYSTEM32\MPIMUSIC.DLL
    ad-w-a-r-e.com 8/31/2006 8:39:40 PM R S 235676 C:\WINDOWS\SYSTEM32\MPIMUSIC.DLL
    WinShutDown 8/31/2006 9:10:10 PM R S 235980 C:\WINDOWS\SYSTEM32\okbcconf.dll
    ad-w-a-r-e.com 8/31/2006 9:10:10 PM R S 235980 C:\WINDOWS\SYSTEM32\okbcconf.dll
    WinShutDown 8/31/2006 9:23:32 PM R S 237039 C:\WINDOWS\SYSTEM32\l4p20e7oeh.dll
    ad-w-a-r-e.com 8/31/2006 9:23:32 PM R S 237039 C:\WINDOWS\SYSTEM32\l4p20e7oeh.dll
    WinShutDown 8/31/2006 9:42:54 PM R S 236765 C:\WINDOWS\SYSTEM32\tJpi32.dll
    ad-w-a-r-e.com 8/31/2006 9:42:54 PM R S 236765 C:\WINDOWS\SYSTEM32\tJpi32.dll
    WinShutDown 8/31/2006 10:00:28 PM R S 234219 C:\WINDOWS\SYSTEM32\p24ulch91f4.dll
    ad-w-a-r-e.com 8/31/2006 10:00:28 PM R S 234219 C:\WINDOWS\SYSTEM32\p24ulch91f4.dll
    WinShutDown 8/31/2006 10:00:28 PM R S 236765 C:\WINDOWS\SYSTEM32\adwav.dll
    ad-w-a-r-e.com 8/31/2006 10:00:28 PM R S 236765 C:\WINDOWS\SYSTEM32\adwav.dll
    WinShutDown 8/31/2006 11:06:50 PM R S 236765 C:\WINDOWS\SYSTEM32\mcmdd.dll
    ad-w-a-r-e.com 8/31/2006 11:06:50 PM R S 236765 C:\WINDOWS\SYSTEM32\mcmdd.dll
    WinShutDown 9/1/2006 9:09:12 AM R S 233677 C:\WINDOWS\SYSTEM32\orexl32.dll
    ad-w-a-r-e.com 9/1/2006 9:09:12 AM R S 233677 C:\WINDOWS\SYSTEM32\orexl32.dll
    WinShutDown 9/1/2006 9:46:12 AM R S 233677 C:\WINDOWS\SYSTEM32\enj4l11q1.dll
    ad-w-a-r-e.com 9/1/2006 9:46:12 AM R S 233677 C:\WINDOWS\SYSTEM32\enj4l11q1.dll
    WinShutDown 9/1/2006 9:47:38 AM R S 236765 C:\WINDOWS\SYSTEM32\ncprovau.dll
    ad-w-a-r-e.com 9/1/2006 9:47:38 AM R S 236765 C:\WINDOWS\SYSTEM32\ncprovau.dll

    Checking %System%\Drivers folder and sub-folders...

    Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts


    Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
    8/12/2006 11:00:02 PM RH 749 C:\WINDOWS\WindowsShell.Manifest
    9/2/2006 2:19:18 PM S 2048 C:\WINDOWS\bootstat.dat
    8/5/2006 5:49:18 PM H 89913 C:\WINDOWS\ttfCache
    9/1/2006 10:02:48 AM R S 236765 C:\WINDOWS\SYSTEM32\kvdmon.dll
    9/1/2006 10:22:48 AM R S 233963 C:\WINDOWS\SYSTEM32\ksdtuf.dll
    9/1/2006 10:27:18 AM R S 236765 C:\WINDOWS\SYSTEM32\mhaudite.dll
    9/2/2006 2:18:00 PM R S 233963 C:\WINDOWS\SYSTEM32\ir02l5do1.dll
    9/2/2006 2:16:00 PM R S 233963 C:\WINDOWS\SYSTEM32\mbrui.dll
    9/1/2006 2:30:20 PM R S 236765 C:\WINDOWS\SYSTEM32\l86o0ij3e8o.dll
    9/2/2006 2:19:32 PM R S 236765 C:\WINDOWS\SYSTEM32\lcrmonui.dll
    8/12/2006 11:00:02 PM RH 749 C:\WINDOWS\SYSTEM32\ncpa.cpl.manifest
    8/12/2006 11:00:02 PM RH 749 C:\WINDOWS\SYSTEM32\nwc.cpl.manifest
    8/12/2006 11:00:02 PM RH 749 C:\WINDOWS\SYSTEM32\sapi.cpl.manifest
    8/12/2006 11:00:02 PM RH 749 C:\WINDOWS\SYSTEM32\wuaucpl.cpl.manifest
    8/12/2006 11:00:02 PM RH 749 C:\WINDOWS\SYSTEM32\cdplayer.exe.manifest
    8/12/2006 11:00:10 PM RH 488 C:\WINDOWS\SYSTEM32\logonui.exe.manifest
    8/12/2006 11:00:10 PM RH 488 C:\WINDOWS\SYSTEM32\WindowsLogon.manifest
    8/24/2006 8:54:00 PM RHS 101376 C:\WINDOWS\SYSTEM32\wsap32.exe
    8/30/2006 10:18:04 PM R S 234272 C:\WINDOWS\SYSTEM32\rdr20.dll
    8/30/2006 10:18:12 PM R S 234272 C:\WINDOWS\SYSTEM32\rxcns4.dll
    8/30/2006 11:06:02 PM R S 234272 C:\WINDOWS\SYSTEM32\doskmon.dll
    8/31/2006 9:10:04 AM R S 234272 C:\WINDOWS\SYSTEM32\nainst32.dll
    8/31/2006 9:17:04 AM R S 234272 C:\WINDOWS\SYSTEM32\e0jmla111d.dll
    8/31/2006 9:18:04 AM R S 234272 C:\WINDOWS\SYSTEM32\cvcui.dll
    8/31/2006 9:52:50 AM R S 235546 C:\WINDOWS\SYSTEM32\l4p2le7o1h.dll
    8/31/2006 9:52:50 AM R S 234272 C:\WINDOWS\SYSTEM32\lJprxy.dll
    8/31/2006 10:00:36 AM R S 234272 C:\WINDOWS\SYSTEM32\oiedlg.dll
    8/31/2006 10:36:42 AM R S 235676 C:\WINDOWS\SYSTEM32\phrfctrs.dll
    8/31/2006 2:34:24 PM R S 235950 C:\WINDOWS\SYSTEM32\dunet.dll
    8/31/2006 6:53:46 PM R S 235676 C:\WINDOWS\SYSTEM32\fpr0039me.dll
    8/31/2006 6:55:20 PM R S 235950 C:\WINDOWS\SYSTEM32\wbnrnr.dll
    8/31/2006 8:39:40 PM R S 235676 C:\WINDOWS\SYSTEM32\MPIMUSIC.DLL
    8/31/2006 9:10:10 PM R S 235980 C:\WINDOWS\SYSTEM32\okbcconf.dll
    8/31/2006 9:23:32 PM R S 237039 C:\WINDOWS\SYSTEM32\l4p20e7oeh.dll
    8/31/2006 9:42:54 PM R S 236765 C:\WINDOWS\SYSTEM32\tJpi32.dll
    8/31/2006 10:00:28 PM R S 234219 C:\WINDOWS\SYSTEM32\p24ulch91f4.dll
    8/31/2006 10:00:28 PM R S 236765 C:\WINDOWS\SYSTEM32\adwav.dll
    8/31/2006 11:06:50 PM R S 236765 C:\WINDOWS\SYSTEM32\mcmdd.dll
    9/1/2006 9:09:12 AM R S 233677 C:\WINDOWS\SYSTEM32\orexl32.dll
    9/1/2006 9:46:12 AM R S 233677 C:\WINDOWS\SYSTEM32\enj4l11q1.dll
    9/1/2006 9:47:38 AM R S 236765 C:\WINDOWS\SYSTEM32\ncprovau.dll
    9/2/2006 2:18:24 PM H 778240 C:\WINDOWS\SYSTEM32\config\system.LOG
    9/2/2006 2:18:24 PM H 180224 C:\WINDOWS\SYSTEM32\config\software.LOG
    9/2/2006 2:18:24 PM H 12288 C:\WINDOWS\SYSTEM32\config\default.LOG
    8/12/2006 10:50:20 PM H 1024 C:\WINDOWS\SYSTEM32\config\userdiff.LOG
    8/12/2006 10:50:18 PM H 1024 C:\WINDOWS\SYSTEM32\config\TempKey.LOG
    9/2/2006 2:19:30 PM H 1024 C:\WINDOWS\SYSTEM32\config\SAM.LOG
    9/2/2006 2:19:20 PM H 12288 C:\WINDOWS\SYSTEM32\config\SECURITY.LOG
    8/12/2006 10:51:24 PM HS 62 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\desktop.ini
    8/12/2006 11:00:42 PM HS 113 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\desktop.ini
    8/12/2006 11:00:42 PM HS 113 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\History\History.IE5\desktop.ini
    8/12/2006 11:00:42 PM HS 67 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\desktop.ini
    8/12/2006 11:00:42 PM HS 67 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
    8/12/2006 11:00:42 PM HS 67 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\89AFCPA3\desktop.ini
    8/12/2006 11:00:42 PM HS 67 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\4HERO52R\desktop.ini
    8/12/2006 11:00:42 PM HS 67 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\M1I96ZAB\desktop.ini
    8/12/2006 11:00:42 PM HS 67 C:\WINDOWS\SYSTEM32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\09S3K7WX\desktop.ini
    8/12/2006 10:51:24 PM HS 62 C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\desktop.ini
    8/12/2006 11:01:54 PM HS 206 C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\Programs\desktop.ini
    8/12/2006 11:01:52 PM HS 482 C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\Programs\Accessories\desktop.ini
    8/12/2006 11:01:54 PM HS 84 C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\Programs\Accessories\Entertainment\desktop.ini
    8/12/2006 11:01:54 PM HS 348 C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\Programs\Accessories\Accessibility\desktop.ini
    8/12/2006 11:01:54 PM HS 84 C:\WINDOWS\SYSTEM32\config\systemprofile\Start Menu\Programs\Startup\desktop.ini
    8/12/2006 11:00:12 PM HS 181 C:\WINDOWS\SYSTEM32\config\systemprofile\SendTo\desktop.ini
    8/12/2006 10:51:24 PM HS 62 C:\WINDOWS\SYSTEM32\config\systemprofile\Application Data\desktop.ini
    8/12/2006 11:18:02 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\14110ad6-c112-40c8-ac29-6ef9f15c1804
    8/12/2006 11:18:02 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
    8/12/2006 11:01:12 PM HS 67 C:\WINDOWS\FONTS\desktop.ini
    8/12/2006 11:00:38 PM RHS 242478 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_1.cab
    8/12/2006 11:00:38 PM RHS 19959 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_2.cab
    8/12/2006 11:00:38 PM RHS 727 C:\WINDOWS\PCHEALTH\HELPCTR\PackageStore\package_3.cab
    8/31/2006 8:39:32 PM S 64 C:\WINDOWS\CSC\00000002
    8/31/2006 8:41:12 PM S 64 C:\WINDOWS\CSC\00000001
    8/12/2006 11:00:10 PM H 65 C:\WINDOWS\Offline Web Pages\desktop.ini
    8/12/2006 11:00:10 PM H 65 C:\WINDOWS\Downloaded Program Files\desktop.ini
    9/2/2006 2:18:06 PM H 6 C:\WINDOWS\Tasks\SA.DAT
    8/12/2006 11:08:18 PM H 1310720 C:\WINDOWS\repair\ntuser.dat

    Checking for CPL files...
    Adobe Systems, Inc. 8/24/2000 3:46:38 PM 266240 C:\WINDOWS\SYSTEM32\Adobe Gamma.cpl
    11/12/1999 7:11:00 AM 183808 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 130048 C:\WINDOWS\SYSTEM32\desk.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 558592 C:\WINDOWS\SYSTEM32\appwiz.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 150016 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 294912 C:\WINDOWS\SYSTEM32\inetcpl.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 119808 C:\WINDOWS\SYSTEM32\intl.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 65536 C:\WINDOWS\SYSTEM32\joy.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\main.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 559616 C:\WINDOWS\SYSTEM32\mmsys.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 256000 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 36864 C:\WINDOWS\SYSTEM32\odbccp32.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 109056 C:\WINDOWS\SYSTEM32\powercfg.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 270848 C:\WINDOWS\SYSTEM32\sysdm.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 90112 C:\WINDOWS\SYSTEM32\timedate.cpl
    Microsoft Corporation 8/23/2001 2:00:00 PM 66048 C:\WINDOWS\SYSTEM32\access.cpl
    Avance Logic, Inc. 8/29/2002 4:23:48 PM R 1064960 C:\WINDOWS\SYSTEM32\ALSNDMGR.CPL
    Microsoft Corporation 8/23/2001 12:00:00 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
    Microsoft Corporation 8/23/2001 2:00:00 PM 66048 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 558592 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
    Microsoft Corporation 8/23/2001 2:00:00 PM 130048 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 150016 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 294912 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 119808 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 65536 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 559616 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 256000 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 147456 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 109056 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 270848 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
    Microsoft Corporation 8/23/2001 12:00:00 PM 90112 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl

    »»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

    Checking files in %ALLUSERSPROFILE%\Startup folder...
    1/20/2005 11:43:40 PM 565 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    9/2/2006 2:16:24 PM 2654 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\CorelCENTRAL 10.lnk
    8/12/2006 11:01:54 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
    8/12/2006 11:07:38 PM 1487 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

    Checking files in %ALLUSERSPROFILE%\Application Data folder...
    8/12/2006 10:51:24 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini

    Checking files in %USERPROFILE%\Startup folder...
    8/12/2006 11:01:54 PM HS 84 C:\Documents and Settings\louisevn@mics.co.za\Start Menu\Programs\Startup\desktop.ini

    Checking files in %USERPROFILE%\Application Data folder...
    8/12/2006 10:51:24 PM HS 62 C:\Documents and Settings\louisevn@mics.co.za\Application Data\desktop.ini
    4/27/2006 8:13:24 PM 125 C:\Documents and Settings\louisevn@mics.co.za\Application Data\dw.log
    4/19/2005 8:00:00 PM 36888 C:\Documents and Settings\louisevn@mics.co.za\Application Data\GDIPFONTCACHEV1.DAT
    8/6/2006 11:07:54 AM 12358 C:\Documents and Settings\louisevn@mics.co.za\Application Data\PFP100JCM.{PB
    8/6/2006 11:07:54 AM 61678 C:\Documents and Settings\louisevn@mics.co.za\Application Data\PFP100JPR.{PB
    8/22/2005 7:36:56 PM 2492 C:\Documents and Settings\louisevn@mics.co.za\Application Data\ViewerApp.dat

    »»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    {7FBF4EBC-981C-495D-A582-701C60F550D7} = C:\WINDOWS\system32\lcrmonui.dll
    {6E09A9B9-49F0-4216-8061-87E59EF72BCF} = C:\WINDOWS\system32\wbnrnr.dll
    {69D5F94D-B04F-4C44-8FF1-D4226B16C8DC} = C:\WINDOWS\system32\MPIMUSIC.DLL

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

    [HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\ewido anti-spyware
    {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
    {09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
    {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinZip
    {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
    HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
    Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
    {5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinZip
    {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
    {A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ewido anti-spyware
    {8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\ewido anti-spyware 4.0\context.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
    {750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
    {f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinZip
    {E0D79304-84BE-11CE-9641-444553540000} = C:\PROGRA~1\WINZIP\WZSHLSTB.DLL

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
    = %SystemRoot%\system32\SHELL32.dll
    HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{FED7043D-346A-414D-ACD7-550D052499A7}
    = C:\PROGRAM FILES\ILLUSTRATE\DBPOWERAMP\DBSHELL.DLL

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
    &Tip of the Day = C:\WINDOWS\SYSTEM32\SHDOCVW.DLL

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
    {8E718888-423F-11D2-876E-00A0C9082467} = &Radio : C:\WINDOWS\System32\msdxm.ocx
    {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
    {327C2873-E90D-4c37-AA9D-10AC9BABA46C} = Easy-WebPrint : C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}
    ButtonText = @shdoclc.dll,-866 :

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
    Search Band = %SystemRoot%\System32\browseui.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
    Media Band = C:\WINDOWS\SYSTEM32\BROWSEUI.DLL
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
    Favorites Band = %SystemRoot%\System32\shdocvw.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
    Explorer Band = %SystemRoot%\System32\shdocvw.dll

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
    {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
    {01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
    {0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    SystemTray SysTray.Exe
    SoundMan SOUNDMAN.EXE
    NvCplDaemon RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    !ewido "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    Microsoft Windows Updates wsap32.exe
    defender C:\\dfndrff_14.exe
    keyboard C:\\kybrdff_14.exe
    Windows Ocx Service winocx.exe
    xjdc9638 RUNDLL32.EXE w0d1af91.dll,n 003c96350000000a0d1af91
    newname C:\\nwnmff_14.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
    IMAIL Installed = 1
    MAPI Installed = 1
    MSFS Installed = 1

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    Microsoft Windows Updates wsap32.exe
    Windows Kernel System Service wkssvr.exe
    Windows Ocx Service winocx.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
    Windows Ocx Service winocx.exe

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    Windows Kernel System Service wkssvr.exe
    Windows Ocx Service winocx.exe

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network
    HideSharePwds _

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} =


    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    dontdisplaylastusername 0
    legalnoticecaption
    legalnoticetext
    shutdownwithoutlogon 1
    undockwithoutlogon 1


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
    NoDriveTypeAutoRun 145
    CDRAutoRun
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Network

    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
    DisableRegistryTools 0


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
    CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
    WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
    SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\System32\userinit.exe,wkssvr.exe
    Shell = Explorer.exe wkssvr.exe
    System =

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    = crypt32.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
    = cryptnet.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
    = cscdll.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
    = sclgntfy.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
    = WlNotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Shell Extensions
    = C:\WINDOWS\system32\l86o0ij3e8o.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
    = wlnotify.dll

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
    = wlnotify.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
    Debugger = ntsd -d

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    AppInit_DLLs


    »»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
    WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
    Scan completed on 9/2/2006 2:25:59 PM


    .........Thanks for the help again!!!
     
  11. dayglow

    dayglow Guest

    .........I also tried Spybot, guys, but the same happens when I want to install it: the virus shuts down the installation automatically.............
     
  12. maca1

    maca1 Regular member

    Joined:
    Mar 15, 2006
    Messages:
    630
    Likes Received:
    0
    Trophy Points:
    26
    1. Please download The Avenger by Swandog46 to your Desktop.
    http://swandog46.geekstogo.com/avenger.zip
    Click on Avenger.zip to open the file.
    Extract avenger.exe to your desktop.

    2. Copy all the text contained inside the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):
    INCLUDING: Files to delete

    ============================================
    Files to delete:
    C:\WINDOWS\SYSTEM32\winocx.exe
    C:\WINDOWS\SYSTEM32\wkssvr.exe
    C:\nwnmff_14.exe
    C:\kybrdff_14.exe
    C:\dfndrff_14.exe
    ================================================

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    3. Now, start The Avenger program by clicking on its icon on your desktop.
    Under "Script file to execute" choose "Input Script Manually".
    Now click on the Magnifying Glass icon, which will open a new window titled "View/edit script".
    Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    Click Done.
    Now click on the Green Light to begin execution of the script.
    Answer "Yes" twice when prompted.
    4. The Avenger will automatically do the following:
    It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
    On reboot, it will briefly open a black command window on your desktop; this is normal.
    After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
    The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
    5. Please copy/paste the content of c:\avenger.txt into your reply.


    Next:

    Click here http://www.atribune.org/ccount/click.php?id=7
    to download Look2Me-Destroyer.exe and save it to your desktop.

    Close all windows before continuing.
    Double-click Look2Me-Destroyer.exe to run it.
    Put a check next to Run this program as a task.
    You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
    When Look2Me-Destroyer re-opens, click the Scan for L2M button; your desktop icons will disappear, which is normal.
    Once it's done scanning, click the Remove L2M button.
    You will receive a Done Scanning message, click OK.
    When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
    Your computer will then shutdown.
    Turn your computer back on.
    Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.

    If Look2Me-Destroyer does not reopen automatically, reboot and try again.

    If you receive a message from your firewall about this program accessing the internet please allow it.

    If you receive a runtime error '339' please download MSWINSCK.OCX from here http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX
    and place it in your C:\Windows\System32 Folder.

    I want to see avenger.txt and the Look2Me-Destroyer log.
     
    Last edited: Sep 2, 2006
  13. dayglow

    dayglow Guest

    @maca1

    Thanks, maca1! Thanks a lot!!! I think I got rid of this horrid monster. Everything is working OK. I managed to open all the anti-virus/spam/malware software now.

    There are a couple of bugs with windowsXP though........

    .....I don't get a runtime 339 error, but two errors saying that:

    wkssvr.exe
    and
    w0d1af91.dll

    can't load, or are missing. Are these files needed by WinXP or are they part of the virus? Do I need to find them somewhere, if so, where?

    anyway, here are the log files...........
    1)Avenger:

    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\wyiepkjf

    *******************

    Script file located at: \??\C:\rcahbrgt.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:

    File C:\WINDOWS\SYSTEM32\winocx.exe deleted successfully.
    File C:\WINDOWS\SYSTEM32\wkssvr.exe deleted successfully.
    File C:\nwnmff_14.exe deleted successfully.
    File C:\kybrdff_14.exe deleted successfully.
    File C:\dfndrff_14.exe deleted successfully.

    Completed script processing.

    *******************

    Finished! Terminate.

    2)Look2Me-Destroyer

    Look2Me-Destroyer V1.0.12

    Scanning for infected files.....
    Scan started at 9/2/2006 11:58:12 PM

    Infected! C:\WINDOWS\SYSTEM32\kvdmon.dll
    Infected! C:\WINDOWS\SYSTEM32\ksdtuf.dll
    Infected! C:\WINDOWS\SYSTEM32\mhaudite.dll
    Infected! C:\WINDOWS\SYSTEM32\mbvfw32.dll
    Infected! C:\WINDOWS\SYSTEM32\mbrui.dll
    Infected! C:\WINDOWS\SYSTEM32\en82l1lo1.dll
    Infected! C:\WINDOWS\SYSTEM32\jldw400.dll
    Infected! C:\WINDOWS\SYSTEM32\lcrmonui.dll
    Infected! C:\WINDOWS\SYSTEM32\i0lo0a33ed.dll
    Infected! C:\WINDOWS\SYSTEM32\rdr20.dll
    Infected! C:\WINDOWS\SYSTEM32\rxcns4.dll
    Infected! C:\WINDOWS\SYSTEM32\doskmon.dll
    Infected! C:\WINDOWS\SYSTEM32\nainst32.dll
    Infected! C:\WINDOWS\SYSTEM32\e0jmla111d.dll
    Infected! C:\WINDOWS\SYSTEM32\cvcui.dll
    Infected! C:\WINDOWS\SYSTEM32\l4p2le7o1h.dll
    Infected! C:\WINDOWS\SYSTEM32\lJprxy.dll
    Infected! C:\WINDOWS\SYSTEM32\oiedlg.dll
    Infected! C:\WINDOWS\SYSTEM32\phrfctrs.dll
    Infected! C:\WINDOWS\SYSTEM32\dunet.dll
    Infected! C:\WINDOWS\SYSTEM32\fpr0039me.dll
    Infected! C:\WINDOWS\SYSTEM32\wbnrnr.dll
    Infected! C:\WINDOWS\SYSTEM32\okbcconf.dll
    Infected! C:\WINDOWS\SYSTEM32\l4p20e7oeh.dll
    Infected! C:\WINDOWS\SYSTEM32\tJpi32.dll
    Infected! C:\WINDOWS\SYSTEM32\p24ulch91f4.dll
    Infected! C:\WINDOWS\SYSTEM32\adwav.dll
    Infected! C:\WINDOWS\SYSTEM32\mcmdd.dll
    Infected! C:\WINDOWS\SYSTEM32\orexl32.dll
    Infected! C:\WINDOWS\SYSTEM32\enj4l11q1.dll
    Infected! C:\WINDOWS\SYSTEM32\ncprovau.dll
    Infected! C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP11\A0004739.dll
    Infected! C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP11\A0006749.dll
    Infected! C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP11\A0006764.dll
    Infected! C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP11\A0006787.dll
    Infected! C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP11\A0006795.dll
    Infected! C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP11\A0006797.dll
    Infected! C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP11\A0007818.dll
    Infected! C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP11\A0007827.dll
    Infected! C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP12\A0010026.dll
    Infected! C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP12\A0010038.dll
    Infected! C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP12\A0010051.dll
    Infected! C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP12\A0010058.dll
    Infected! C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP12\A0011065.dll
    Infected! C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP12\A0011073.dll
    Infected! C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP12\A0011077.dll
    Infected! C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP12\A0011087.dll

    Attempting to delete infected files...

    Attempting to delete: C:\WINDOWS\SYSTEM32\kvdmon.dll
    C:\WINDOWS\SYSTEM32\kvdmon.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\ksdtuf.dll
    C:\WINDOWS\SYSTEM32\ksdtuf.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\mhaudite.dll
    C:\WINDOWS\SYSTEM32\mhaudite.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\mbvfw32.dll
    C:\WINDOWS\SYSTEM32\mbvfw32.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\mbrui.dll
    C:\WINDOWS\SYSTEM32\mbrui.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\en82l1lo1.dll
    C:\WINDOWS\SYSTEM32\en82l1lo1.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\jldw400.dll
    C:\WINDOWS\SYSTEM32\jldw400.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\lcrmonui.dll
    C:\WINDOWS\SYSTEM32\lcrmonui.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\i0lo0a33ed.dll
    C:\WINDOWS\SYSTEM32\i0lo0a33ed.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\rdr20.dll
    C:\WINDOWS\SYSTEM32\rdr20.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\rxcns4.dll
    C:\WINDOWS\SYSTEM32\rxcns4.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\doskmon.dll
    C:\WINDOWS\SYSTEM32\doskmon.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\nainst32.dll
    C:\WINDOWS\SYSTEM32\nainst32.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\e0jmla111d.dll
    C:\WINDOWS\SYSTEM32\e0jmla111d.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\cvcui.dll
    C:\WINDOWS\SYSTEM32\cvcui.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\l4p2le7o1h.dll
    C:\WINDOWS\SYSTEM32\l4p2le7o1h.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\lJprxy.dll
    C:\WINDOWS\SYSTEM32\lJprxy.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\oiedlg.dll
    C:\WINDOWS\SYSTEM32\oiedlg.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\phrfctrs.dll
    C:\WINDOWS\SYSTEM32\phrfctrs.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\dunet.dll
    C:\WINDOWS\SYSTEM32\dunet.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\fpr0039me.dll
    C:\WINDOWS\SYSTEM32\fpr0039me.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\wbnrnr.dll
    C:\WINDOWS\SYSTEM32\wbnrnr.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\okbcconf.dll
    C:\WINDOWS\SYSTEM32\okbcconf.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\l4p20e7oeh.dll
    C:\WINDOWS\SYSTEM32\l4p20e7oeh.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\tJpi32.dll
    C:\WINDOWS\SYSTEM32\tJpi32.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\p24ulch91f4.dll
    C:\WINDOWS\SYSTEM32\p24ulch91f4.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\adwav.dll
    C:\WINDOWS\SYSTEM32\adwav.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\mcmdd.dll
    C:\WINDOWS\SYSTEM32\mcmdd.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\orexl32.dll
    C:\WINDOWS\SYSTEM32\orexl32.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\enj4l11q1.dll
    C:\WINDOWS\SYSTEM32\enj4l11q1.dll Deleted successfully!

    Attempting to delete: C:\WINDOWS\SYSTEM32\ncprovau.dll
    C:\WINDOWS\SYSTEM32\ncprovau.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP11\A0004739.dll
    C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP11\A0004739.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP11\A0006749.dll
    C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP11\A0006749.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP11\A0006764.dll
    C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP11\A0006764.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP11\A0006787.dll
    C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP11\A0006787.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP11\A0006795.dll
    C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP11\A0006795.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP11\A0006797.dll
    C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP11\A0006797.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP11\A0007818.dll
    C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP11\A0007818.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP11\A0007827.dll
    C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP11\A0007827.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP12\A0010026.dll
    C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP12\A0010026.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP12\A0010038.dll
    C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP12\A0010038.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP12\A0010051.dll
    C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP12\A0010051.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP12\A0010058.dll
    C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP12\A0010058.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP12\A0011065.dll
    C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP12\A0011065.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP12\A0011073.dll
    C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP12\A0011073.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP12\A0011077.dll
    C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP12\A0011077.dll Deleted successfully!

    Attempting to delete: C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP12\A0011087.dll
    C:\System Volume Information\_restore{C4512ABD-B41D-4FCD-BBD6-2F9278145927}\RP12\A0011087.dll Deleted successfully!

    Making registry repairs.


    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{7FBF4EBC-981C-495D-A582-701C60F550D7}"
    HKCR\Clsid\{7FBF4EBC-981C-495D-A582-701C60F550D7}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{6E09A9B9-49F0-4216-8061-87E59EF72BCF}"
    HKCR\Clsid\{6E09A9B9-49F0-4216-8061-87E59EF72BCF}

    Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{69D5F94D-B04F-4C44-8FF1-D4226B16C8DC}"
    HKCR\Clsid\{69D5F94D-B04F-4C44-8FF1-D4226B16C8DC}

    Restoring Windows certificates.

    Replaced hosts file with default windows hosts file


    Restoring SeDebugPrivilege for Administrators - Succeeded

    3)HijackThis Log

    Logfile of HijackThis v1.99.1
    Scan saved at 12:05:31 AM, on 9/3/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\System32\wsap32.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Microsoft Office\Office\WINWORD.EXE
    C:\Documents and Settings\louisevn@mics.co.za\Desktop\New Folder\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    F2 - REG:system.ini: Shell=Explorer.exe wkssvr.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,wkssvr.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [Microsoft Windows Updates] wsap32.exe
    O4 - HKLM\..\Run: [defender] C:\\dfndrff_14.exe
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_14.exe
    O4 - HKLM\..\Run: [Windows Ocx Service] winocx.exe
    O4 - HKLM\..\Run: [xjdc9638] RUNDLL32.EXE w0d1af91.dll,n 003c96350000000a0d1af91
    O4 - HKLM\..\Run: [newname] C:\\nwnmff_14.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows Updates] wsap32.exe
    O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe
    O4 - HKLM\..\RunServices: [Windows Ocx Service] winocx.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Windows Ocx Service] winocx.exe
    O4 - HKCU\..\RunServices: [Windows Kernel System Service] wkssvr.exe
    O4 - HKCU\..\RunServices: [Windows Ocx Service] winocx.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: CorelCENTRAL 10.lnk = C:\Program Files\Corel\WordPerfect Office 2002\Programs\CCWin10.exe
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: Win32 Classes -
    O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_cracks.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5623905A-A274-420E-968D-5345DFC05FB1}: NameServer = 196.43.1.13
    O20 - Winlogon Notify: SysDM - C:\WINDOWS\system32\en82l1lo1.dll (file missing)
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TG91aXNlIHZhbiBOaWVrZXJr\command.exe (file missing)
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


    I can't express my gratitude!!! If I had to take this PC in to a specialist (or so they call themselves) it would have cost me a pretty penny!!!

    Thanks again!


     
  14. maca1

    maca1 Regular member

    Joined:
    Mar 15, 2006
    Messages:
    630
    Likes Received:
    0
    Trophy Points:
    26
    You don't need those files; they are bad.

    Rescan with HijackThis and place a check beside:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
    F2 - REG:system.ini: Shell=Explorer.exe wkssvr.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,wkssvr.exe
    O4 - HKLM\..\Run: [defender] C:\\dfndrff_14.exe
    O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_14.exe
    O4 - HKLM\..\Run: [Windows Ocx Service] winocx.exe
    O4 - HKLM\..\Run: [xjdc9638] RUNDLL32.EXE w0d1af91.dll,n 003c96350000000a0d1af91
    O4 - HKLM\..\Run: [newname] C:\\nwnmff_14.exe
    O4 - HKLM\..\RunServices: [Microsoft Windows Updates] wsap32.exe
    O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe
    O4 - HKLM\..\RunServices: [Windows Ocx Service] winocx.exe
    O4 - HKCU\..\Run: [Windows Ocx Service] winocx.exe
    O4 - HKCU\..\RunServices: [Windows Kernel System Service] wkssvr.exe
    O4 - HKCU\..\RunServices: [Windows Ocx Service] winocx.exe
    O16 - DPF: Win32 Classes -
    O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_cracks.cab
    O20 - Winlogon Notify: SysDM - C:\WINDOWS\system32\en82l1lo1.dll (file missing)
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TG91aXNlIHZhbiBOaWVrZXJr\command.exe (file missing)

    Make sure all other windows are closed and click Fix checked.

    Click Start > Run > and type in:

    services.msc

    Click OK.

    In the services window find this exact name (if there):

    Command Service

    Right-click and choose "Properties". Beside "Startup Type" in the dropdown menu select "Disabled". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Click Apply, then OK. File-Exit the Services utility.

    Run ActiveScan online virus scan:
    http://www.pandasoftware.com/products/activescan.htm
    When the scan is finished, save the results from the scan!

    Come back here and post a new Hijack This log along with the logs from the Panda scan.
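    The entries maca1 singles out above share recognisable hallmarks. As an added example that is not part of this thread and not HijackThis's own code, the following Python script scores HijackThis log lines for them: executables appended to the Winlogon Shell/UserInit values, Windows-branded autoruns that run a pathless or drive-root binary, populated RunServices keys, orphaned Winlogon Notify DLLs, ownerless services whose file is gone, and search or DPF URLs on hosts outside an assumed trust list. The trust lists and the rules are assumptions for the example; the sample input is a subset of the log posted earlier in this thread.

```python
"""Added example (not this thread's or HijackThis's own code): heuristic triage
of HijackThis log lines for the persistence hallmarks seen in this thread."""
import re
from typing import Callable, Dict, List
from urllib.parse import urlparse

# Expected Winlogon values on Windows XP; anything appended to them is a red flag.
WINLOGON_DEFAULT = {"shell": "explorer.exe", "userinit": "userinit.exe"}
# Assumed trust lists for this example; tune them for the environment being checked.
TRUSTED_SEARCH_HOSTS = ("microsoft.com", "msn.com", "google.com", "google.co.za")
TRUSTED_DPF_HOSTS = ("microsoft.com", "windowsupdate.com", "pandasoftware.com")

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
F2_RE = re.compile(r"^REG:system\.ini: (?P<value>Shell|UserInit)=(?P<cmd>.*)$")
O4_RE = re.compile(r"^HK\w+\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
ROOT_EXE_RE = re.compile(r"^[A-Za-z]:\\+[^\\]+$")  # C:\x.exe, or the odd C:\\x.exe form seen here

def _trusted(url: str, trusted) -> bool:
    # True when the URL's host is a trusted domain or a subdomain of one.
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    return any(host == t or host.endswith("." + t) for t in trusted)

def check_f2(body: str) -> List[str]:
    """Winlogon Shell/UserInit must name only their default executable."""
    m = F2_RE.match(body)
    if not m:
        return []
    # The defaults contain no spaces, so a space/comma split is enough for this check.
    parts = [p for p in re.split(r"[ ,]+", m["cmd"]) if p]
    extra = [p for p in parts if p.strip('"').rsplit("\\", 1)[-1].lower() != WINLOGON_DEFAULT[m["value"].lower()]]
    return [f"Winlogon {m['value']} launches extra program(s): {', '.join(extra)}"] if extra else []

def check_o4(body: str) -> List[str]:
    """Autoruns: legacy keys, Windows-branded names with pathless binaries, drive-root binaries."""
    m = O4_RE.match(body)
    if not m:
        return []
    cmd = m["cmd"].strip()
    # First token of the command line, honouring a quoted path with spaces.
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    reasons = []
    if m["key"].lower().startswith("runservices"):
        reasons.append(f"legacy {m['key']} key populated")
    if re.search(r"windows|microsoft", m["name"], re.I) and "\\" not in exe:
        reasons.append(f"Windows-branded entry runs pathless binary {exe}")
    if ROOT_EXE_RE.match(exe):
        reasons.append(f"autorun binary sits in the drive root: {exe}")
    return reasons

def check_search(body: str) -> List[str]:
    """R0/R1: search and start pages should point at a trusted host."""
    value = body.split(" = ", 1)[1].strip() if " = " in body else ""
    if not value.lower().startswith(("http://", "https://", "www.")):
        return []
    return [] if _trusted(value, TRUSTED_SEARCH_HOSTS) else [f"browser setting points at {value}"]

def check_o16(body: str) -> List[str]:
    """O16 DPF: ActiveX downloads with no source, or from an untrusted host."""
    m = re.search(r"https?://\S+", body)
    if not m:
        return ["DPF entry with no source URL"]
    return [] if _trusted(m.group(0), TRUSTED_DPF_HOSTS) else [f"DPF download from {m.group(0)}"]

def check_o20(body: str) -> List[str]:
    return ["Winlogon Notify DLL missing (orphaned registration)"] if "(file missing)" in body else []

def check_o23(body: str) -> List[str]:
    return ["ownerless service whose binary is gone"] if "Unknown owner" in body and "(file missing)" in body else []

CHECKS: Dict[str, Callable[[str], List[str]]] = {
    "F2": check_f2, "O4": check_o4, "R0": check_search, "R1": check_search,
    "O16": check_o16, "O20": check_o20, "O23": check_o23,
}

def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each suspicious HijackThis line to the reasons it was flagged."""
    findings: Dict[str, List[str]] = {}
    for line in (l.strip() for l in log_text.splitlines()):
        m = ENTRY_RE.match(line)
        reasons = CHECKS.get(m["code"], lambda _b: [])(m["body"]) if m else []
        if reasons:
            findings[line] = reasons
    return findings

# Constructed sample input: a subset of the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.za/
F2 - REG:system.ini: Shell=Explorer.exe wkssvr.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,wkssvr.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [Microsoft Windows Updates] wsap32.exe
O4 - HKLM\..\Run: [defender] C:\\dfndrff_14.exe
O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe
O16 - DPF: Win32 Classes -
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} (Installer Class) - http://www.xxxtoolbar.com/ist/softwares/v4.0/0006_cracks.cab
O20 - Winlogon Notify: SysDM - C:\WINDOWS\system32\en82l1lo1.dll (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe"""
```

    Calling `triage(SAMPLE_LOG)` flags ten of the fourteen sample lines and leaves the SoundMan, ewido, Google start page and NVIDIA service entries alone; the rules are deliberately narrow heuristics, so an entry they miss (such as the rundll32 line with the random DLL name) still needs the kind of manual judgement shown in this thread.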
     
  15. dayglow

    dayglow Guest

    @maca1

    Hallo again! I'm connected to the internet with the infected computer now. All the worst symptoms are gone and it seems that this internet connection is fine. I still have a couple of Windows bugs though. Might be connected to the registry?

    I ran a couple of anti-spyware and anti-virus programs before I read your previous message, so the HijackThis info was slightly different. Some of the strings you provided were still there but not all of them. The strings that were there I did fix with HijackThis. There was also no Command Service.

    The Panda scan found a couple of things, including two viruses and a couple of spyware devices. The Panda scan closed automatically though and I can't find a log file for it. I'll do it again if you want.

    thanks again and here's the HijackThis log............

    Logfile of HijackThis v1.99.1
    Scan saved at 10:07:47 PM, on 9/3/2006
    Platform: Windows XP (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 (6.00.2600.0000)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\Explorer.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\louisevn@mics.co.za\Desktop\New Folder\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.za
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\PROGRAM FILES\CANON\EASY-WEBPRINT\TOOLBAND.DLL
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: CorelCENTRAL 10.lnk = C:\Program Files\Corel\WordPerfect Office 2002\Programs\CCWin10.exe
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\PROGRAM FILES\CANON\EASY-WEBPRINT\Resource.dll/RC_Print.html
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5623905A-A274-420E-968D-5345DFC05FB1}: NameServer = 196.43.1.13
    O17 - HKLM\System\CCS\Services\Tcpip\..\{75C2D838-9BC9-4F17-854D-7E8FDAFFD97F}: NameServer = 168.210.2.2 196.14.239.2
    O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    Thanks!!!!!!!!!!!!!
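As an added example (not code from this thread, and not part of HijackThis itself), here is a small Python triage script for logs like the one above. It splits the R/O entries out of the log, flags entries HijackThis already marks `(file missing)` as orphans (stale registry entries whose file is gone), flags O4 Run entries that name a bare executable with no directory (SysTray.Exe and SOUNDMAN.EXE in the log above), because the logged line does not pin down which binary the search path will resolve to, and reports O17 NameServer addresses against a list of resolvers the owner recognises. The `trusted_dns` parameter, the verdict names and the selection of sample lines (copied from the log above) are my own choices, not HijackThis features.

```python
import re

# Sample lines copied from the HijackThis 1.99.1 log posted above (not a full log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.za
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll (file missing)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5623905A-A274-420E-968D-5345DFC05FB1}: NameServer = 196.43.1.13
O17 - HKLM\System\CCS\Services\Tcpip\..\{75C2D838-9BC9-4F17-854D-7E8FDAFFD97F}: NameServer = 168.210.2.2 196.14.239.2
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")  # "O4 - ..." style lines
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)")      # "[ValueName] command"
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def parse_hjt(text):
    """Split a HijackThis log into (kind, body) tuples, ignoring header and process lines."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def image_path(cmd):
    """Return the executable part of an O4 command: the quoted path, or the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def triage(entries, trusted_dns=frozenset()):
    """Return (kind, verdict, detail) for entries worth a second look.

    Verdict names are my own: 'orphan' (file missing), 'unqualified-path'
    (O4 entry with no directory), 'ok' / 'review-dns' for O17 resolvers.
    """
    findings = []
    for kind, body in entries:
        if "(file missing)" in body:
            findings.append((kind, "orphan", body))
            continue
        if kind == "O4":
            m = RUN_RE.search(body)
            if not m:
                continue
            path = image_path(m.group("cmd"))
            if "\\" not in path:
                # Bare file name: resolved through the search path at logon, so the
                # log line alone does not tell you which binary actually runs.
                findings.append((kind, "unqualified-path", f"[{m.group('name')}] {path}"))
        elif kind == "O17":
            ips = IP_RE.findall(body)
            verdict = "ok" if ips and all(ip in trusted_dns for ip in ips) else "review-dns"
            findings.append((kind, verdict, " ".join(ips)))
    return findings


if __name__ == "__main__":
    isp_resolvers = {"196.43.1.13", "168.210.2.2", "196.14.239.2"}  # assumed to be the ISP's
    for kind, verdict, detail in triage(parse_hjt(SAMPLE_LOG), isp_resolvers):
        print(f"{kind:<4} {verdict:<17} {detail}")
```

Run it with an empty `trusted_dns` and both O17 lines come back as `review-dns`; pass the resolvers the ISP actually issues and they come back `ok`. The O17 check is the interesting one for this thread, since a hijacked resolver is one way a machine keeps "wanting to connect" to hosts the owner never typed.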
     
  16. Niobis

    Niobis Active member

    Joined:
    Jan 30, 2005
    Messages:
    2,326
    Likes Received:
    0
    Trophy Points:
    66
    Hey maca1, what is the 'name' of this virus? I'm very curious as to what this is, and I'm not familiar with those WinPFind logs.

    Very nice job by the way.
     
  17. dayglow

    dayglow Guest

    @maca1

    Dayglow here again............
    I did the Panda scan again and saved the log file for you..........

    here it is...............


    Incident                                             Status           Location
    Spyware:spyware/aveo-attune                          Not disinfected  c:\program files\Aveo
    Potentially unwanted tool:Application/Processor      Not disinfected  C:\WINDOWS\SYSTEM32\Process.exe
    Adware:Adware/ActiveSearch                           Not disinfected  C:\RECYCLED\Dc2.exe
    Adware:Adware/DopeWars                               Not disinfected  C:\Documents and Settings\louisevn@mics.co.za\My Documents\OU HARDESKYF MY DOCUMENTS\My Documents\Philips scans\dw22.exe
    Potentially unwanted tool:Application/Processor      Not disinfected  C:\Documents and Settings\louisevn@mics.co.za\Desktop\New Folder\SmitfraudFix\Process.exe
    Spyware:Spyware/BetterInet                           Not disinfected  E:\OLD HDD\Program Files\Common Files\updmgr\data2.dat
    Spyware:Cookie/Peel                                  Not disinfected  E:\OLD HDD\WINDOWS\Cookies\pvt@peel[1].txt
    Spyware:Cookie/Hypercount                            Not disinfected  E:\OLD HDD\WINDOWS\Cookies\pvt@hypercount[2].txt
    Spyware:Cookie/Tickle                                Not disinfected  E:\OLD HDD\WINDOWS\Cookies\pvt@tickle[1].txt
    Spyware:Cookie/Kazaa Networks                        Not disinfected  E:\OLD HDD\WINDOWS\Cookies\pvt@desktop.kazaa[1].txt
    Spyware:Cookie/Cgi-bin                               Not disinfected  E:\OLD HDD\WINDOWS\Cookies\pvt@cgi-bin[1].txt
    Spyware:Cookie/Rn11                                  Not disinfected  E:\OLD HDD\WINDOWS\Cookies\pvt@rn11[1].txt
    Spyware:Cookie/Kazaa Networks                        Not disinfected  E:\OLD HDD\WINDOWS\Cookies\pvt@276[1].txt
    Potentially unwanted tool:Application/P2PNetworking  Not disinfected  E:\OLD HDD\WINDOWS\SYSTEM\P2P Networking v125.cpl
    Potentially unwanted tool:Application/P2PNetworking  Not disinfected  E:\OLD HDD\WINDOWS\SYSTEM\P2P Networking\MARSHAL.DLL
    Potentially unwanted tool:Application/P2PNetworking  Not disinfected  E:\OLD HDD\WINDOWS\SYSTEM\P2P Networking\P2P Networking.exe
    Adware:Adware/NetPals                                Not disinfected  E:\OLD HDD\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\HKT15QAL\b0ba34a[1].cab[ATPartners.inf]
    Dialer:Dialer.UN                                     Not disinfected  E:\OLD HDD\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\S5O86ERO\explorer9[1].cab
    Virus:VBS/Psyme.gen                                  Not disinfected  E:\OLD HDD\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\G5EV01UR\explorer[1].chm[/explorer.htm]
    Potentially unwanted tool:Application/P2PNetworking  Not disinfected  E:\OLD HDD\WINDOWS\TEMP\p2psetup.exe
    Potentially unwanted tool:Application/Altnet         Not disinfected  E:\OLD HDD\WINDOWS\TEMP\asmfiles.cab
    Potentially unwanted tool:Application/Processor      Not disinfected  H:\SmitfraudFix\Process.exe

    Hope I can finally rest in peace..........thanks again, I don't know how you guys know so much, but you guys should get paid for this; unfortunately I'm a student on a bank loan.........yep, no trust fund for me :(
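Panda ActiveScan writes one record of Incident / Status / Location per line, and the forum paste wrapped them, which is what makes the result hard to read. As an added example (not code from this thread and not part of Panda's own tooling), here is a Python parser that rebuilds the records from a wrapped paste, tallies them by category, counts how many sit under the old drive at E:\OLD HDD (a mounted copy of a previous installation rather than the running system), and re-renders them one per line. The sample is an excerpt of the log above with its original line breaks; the category and status lists beyond the values that appear in the log are assumptions of mine, added so the regex does not break on a fuller report.

```python
import re
from collections import Counter

# Excerpt of the Panda ActiveScan output as pasted in the post above, with the
# wrapping preserved: status and path on their own lines, one category split
# from its name, and one record entirely on a single line.
SAMPLE_SCAN = r"""
Incident Status Location

Spyware:spyware/aveo-attune
Not disinfected
c:\program files\Aveo
Potentially unwanted tool:Application/Processor
Not disinfected
C:\WINDOWS\SYSTEM32\Process.exe
Adware:Adware/ActiveSearch Not disinfected C:\RECYCLED\Dc2.exe
Potentially unwanted tool:
Application/Processor

Not disinfected
C:\Documents and Settings\louisevn@mics.co.za\Desktop\New Folder\SmitfraudFix\Process.exe
Spyware:Cookie/Kazaa Networks
Not disinfected
E:\OLD HDD\WINDOWS\Cookies\pvt@desktop.kazaa[1].txt
Virus:VBS/Psyme.gen Not disinfected
E:\OLD HDD\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\G5EV01UR\explorer[1].chm[/explorer.htm]
Dialer:Dialer.UN Not disinfected
E:\OLD HDD\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\S5O86ERO\explorer9[1].cab
"""

# Categories and statuses seen in the log, plus a few assumed extras.
CATEGORIES = ("Spyware", "Adware", "Virus", "Dialer", "Potentially unwanted tool",
              "Hacking tool", "Security risk", "Joke")
STATUSES = ("Not disinfected", "Disinfected", "Deleted", "Renamed", "Quarantined")

_CAT = "|".join(re.escape(c) for c in CATEGORIES)
_STAT = "|".join(re.escape(s) for s in STATUSES)
# A record is: <category>:<name> <status> <location>, where the location runs
# until the next category marker or the end of the text.
RECORD_RE = re.compile(
    rf"(?P<incident>(?:{_CAT}):.+?)\s+(?P<status>{_STAT})\s+"
    rf"(?P<location>.+?)(?=\s+(?:{_CAT}):|\Z)"
)


def parse_panda(text):
    """Return (incident, status, location) triples from wrapped ActiveScan output."""
    flat = " ".join(line.strip() for line in text.splitlines() if line.strip())
    records = []
    for m in RECORD_RE.finditer(flat):
        # Re-join a category that the wrap separated from its name ("tool: Application").
        incident = re.sub(r":\s+", ":", m.group("incident"), count=1)
        records.append((incident, m.group("status"), m.group("location")))
    return records


def by_category(records):
    """Count detections per Panda category (the text before the first colon)."""
    return Counter(inc.split(":", 1)[0] for inc, _, _ in records)


def under_path(records, prefix):
    """Count detections whose location starts with prefix, case-insensitively."""
    p = prefix.lower()
    return sum(1 for _, _, loc in records if loc.lower().startswith(p))


def render(records):
    """One record per line with aligned columns, fit for pasting into a post."""
    w = max((len(inc) for inc, _, _ in records), default=8)
    lines = [f"{'Incident':<{w}}  {'Status':<15}  Location"]
    for inc, status, loc in records:
        lines.append(f"{inc:<{w}}  {status:<15}  {loc}")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_panda(SAMPLE_SCAN)
    print(render(recs))
    print(dict(by_category(recs)), "on old drive:", under_path(recs, r"E:\OLD HDD"))
```

The split between the live system and E:\OLD HDD matters for prioritising: detections under the old drive are dormant files on a copied installation, while the ones under C:\ are on the machine that is actually booting.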


     
  18. maca1

    maca1 Regular member

    Joined:
    Mar 15, 2006
    Messages:
    630
    Likes Received:
    0
    Trophy Points:
    26
    Will you open the Panda scan in Notepad again, make sure Word Wrap under Format is deselected, and paste it here again? I can't read the Panda scan results like that.


    @Niobis, see the files deleted with Avenger; it was also very infected with
    the Look2Me infection.

     
    Last edited: Sep 3, 2006
  19. dayglow

    dayglow Guest

    @maca1

    Sorry for the Panda scan log and the late reply, life is crazy busy at the moment............... Word Wrap was not selected in Notepad, it's just the format of the log that makes it impossible to paste. Can I maybe mail it to you?
     
  20. maca1

    maca1 Regular member

    Joined:
    Mar 15, 2006
    Messages:
    630
    Likes Received:
    0
    Trophy Points:
    26
    It's fine, I can read it, just not as easily :)


    DownLoad http://www.downloads.subratam.org/KillBox.zip

    You may want to copy these instructions as you'll be going into safe mode soon.

    Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    Note: It is possible that Killbox will tell you that one or more files do not
    exist. If that happens, just continue on with all the files. Be sure you
    don't miss any.

    c:\program files\Aveo

    C:\RECYCLED\Dc2.exe

    C:\Documents and Settings\louisevn@mics.co.za\My Documents\OU HARDESKYF MY DOCUMENTS\My Documents\Philips scans\dw22.exe

    E:\OLD HDD\Program Files\Common Files\updmgr\data2.dat

    E:\OLD HDD\WINDOWS\SYSTEM\P2P Networking v125.cpl

    E:\OLD HDD\WINDOWS\SYSTEM\P2P Networking\MARSHAL.DLL

    E:\OLD HDD\WINDOWS\SYSTEM\P2P Networking\P2P Networking.exe

    E:\OLD HDD\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\HKT15QAL\

    E:\OLD HDD\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\S5O86ERO\

    E:\OLD HDD\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\G5EV01UR\

    E:\OLD HDD\WINDOWS\TEMP\p2psetup.exe

    E:\OLD HDD\WINDOWS\TEMP\asmfiles.cab


    in normal mode

    post a new hijackthis log

     
    Last edited: Sep 4, 2006
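Before removing files by hand the way the Killbox steps above describe, a responder usually wants a record of what was there. As an added example (not code from this thread and not part of Killbox), here is a Python script that inventories each listed path (file, folder, or already missing, which is the case Killbox warns about), hashes the files, and moves them into a quarantine folder with a manifest rather than deleting them outright, so a wrong entry is reversible and a sample survives for a vendor submission. The paths in KILL_LIST are copied from the post above; the `demo()` layout is a constructed throwaway directory, and the manifest format is my own.

```python
import hashlib
import json
import os
import shutil
import tempfile

# Paths taken from the Killbox list in the post above. The original writes the
# Content.IE5 entry with a trailing backslash to mark it as a folder.
KILL_LIST = [
    r"C:\RECYCLED\Dc2.exe",
    r"E:\OLD HDD\WINDOWS\TEMP\p2psetup.exe",
    r"E:\OLD HDD\WINDOWS\Local Settings\Temporary Internet Files\Content.IE5\HKT15QAL",
]


def sha256_of(path):
    """Stream a file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(paths):
    """Classify each path as file, dir or missing; files also get size and hash."""
    report = []
    for p in paths:
        if os.path.isdir(p):
            report.append({"path": p, "kind": "dir", "entries": len(os.listdir(p))})
        elif os.path.isfile(p):
            report.append({"path": p, "kind": "file",
                           "size": os.path.getsize(p), "sha256": sha256_of(p)})
        else:
            report.append({"path": p, "kind": "missing"})
    return report


def quarantine(paths, qdir):
    """Move each existing item into qdir and write manifest.json there.

    The manifest (my own format) records the original path and hash, so the
    move can be reversed and a copy kept for a vendor submission.
    """
    os.makedirs(qdir, exist_ok=True)
    manifest = []
    for i, rec in enumerate(inventory(paths)):
        if rec["kind"] == "missing":
            manifest.append(rec)  # note it, as Killbox would, and carry on
            continue
        name = os.path.basename(rec["path"].rstrip("\\/"))
        dest = os.path.join(qdir, f"{i:03d}_{name}")
        shutil.move(rec["path"], dest)
        manifest.append({**rec, "quarantined_as": dest})
    with open(os.path.join(qdir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2)
    return manifest


def demo():
    """Constructed throwaway layout: one file, one folder, one missing path."""
    root = tempfile.mkdtemp(prefix="killbox-demo-")
    exe = os.path.join(root, "Dc2.exe")
    with open(exe, "wb") as f:
        f.write(b"MZ constructed sample, not malware")
    folder = os.path.join(root, "HKT15QAL")
    os.makedirs(folder)
    open(os.path.join(folder, "b0ba34a[1].cab"), "wb").close()
    missing = os.path.join(root, "asmfiles.cab")
    targets = [exe, folder, missing]
    before = inventory(targets)
    manifest = quarantine(targets, os.path.join(root, "quarantine"))
    after = inventory(targets)
    return before, manifest, after


if __name__ == "__main__":
    # Dry run against the real list: on a machine without these paths every
    # entry reports "missing", which is the case the Killbox note above covers.
    print(json.dumps(inventory(KILL_LIST), indent=2))
```

Quarantining instead of deleting costs nothing on a drive this size and keeps the option of restoring a file that turns out to be wanted, for example the SmitfraudFix copy of Process.exe that Panda flagged as a "potentially unwanted tool" but which belongs to a cleanup utility the thread itself recommended.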
