Here is her log file

Logfile of HijackThis v1.99.1
Scan saved at 11:06:38 PM, on 5/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\atmclk.exe
C:\WINDOWS\System32\dcomcfg.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\iPODService.exe
C:\WINDOWS\vsnpstd2.exe
C:\WINDOWS\System32\winldra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\intell321.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www.yahoo.com
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\System32\hp96D7.tmp
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: MSN Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Toolbar\01.01.2607.0\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] c:\Corel\Office7\Shared\QFinder7\QFSCHED.EXE
O4 - HKLM\..\Run: [iPod USB Service] iPODService.exe
O4 - HKLM\..\Run: [SNPSTD2] C:\WINDOWS\vsnpstd2.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\System32\intell321.exe
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dumps_startup
O4 - HKLM\..\RunServices: [iPod USB Service] iPODService.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .asp: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
You don't have an antivirus on your computer. Download and install one antivirus. These are good (free) antiviruses:
AVG Antivirus --> http://www.grisoft.com
Avast --> http://www.avast.com

Ok, you got some infections....

Cleaning instructions:

Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Unzip it (folder named SmitFraudFix) to your desktop. Open the folder SmitfraudFix and doubleclick smitfraudfix.cmd
Choose option #1 - Search by typing 1 and pressing "Enter"; a textfile opens and lists the infected files (if those exist)
Post the contents of this textfile to here.
(Some antiviruses recognise process.exe as malware. It is not malware, it is a program that stops processes)

Download and install Ewido, UPDATE it, but do NOT run a scan yet. -> http://www.ewido.net/en/download
We'll use it later.

Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1
Do NOT run yet.

Go to Control Panel -> Add/Remove programs -> Remove Viewpoint Manager, WeatherBug if found

Fix the following entries with HijackThis (run HijackThis, press "Do a system scan only", close all other windows, checkmark entries and press Fix checked):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www...
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr7/*http://www...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/...
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr7/*http://www...
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iPod USB Service] iPODService.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\RunServices: [iPod USB Service] iPODService.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html

Restart your computer to the safemode -> http://www.pchell.com/support/safemode.shtml

Delete these folders (if found):
C:\Program Files\Viewpoint
C:\Program Files\AWS

Delete these files (if found):
C:\WINDOWS\System32\winldra.exe
C:\WINDOWS\web\related.htm
C:\WINDOWS\System32\iPODService.exe

Run ATF Cleaner -> Check select all -> Press Empty selected

Scan and clean your computer with Ewido and save the log file. Do NOT clean Ewido's Quarantine yet.

Restart your computer normally.

Post the following logs to here and we'll continue:
-> fresh HijackThis log
-> Ewido's log
-> Smitfraudfix log
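The helper's procedure ends with "post a fresh HijackThis log and we'll continue": the check that follows is a diff of the new log against the old one, looking for the fixed entries and for anything from the delete list that is still referenced. The script below is an added example and is not from the thread or from HijackThis; it parses the `R0`/`R1`/`O2`/`O4`/`O9`/`O23` entry lines, masks the per-boot random names of `hp????.tmp`-style temp files (the BHO in this thread was `hp96D7.tmp` in the first log and `hpC5BE.tmp` in the second) so a surviving entry is not mis-reported as removed and re-added, and reports which fix-list paths still appear anywhere in the fresh log. The two sample logs are constructed, trimmed excerpts of the logs on this page; `FIX_LIST` is the helper's delete list.

```python
"""Added example (not from the thread): parse HijackThis v1.99 logs, compare a
'before' log with the fresh one posted after cleanup, and check whether the
paths from a helper's fix list still appear anywhere in the fresh log."""
import re
from dataclasses import dataclass

# An entry line: section code (R0, R1, O2, O4, O23 ...), " - ", then the body.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")
# Randomly named temp files (hp96D7.tmp, hpC5BE.tmp, ld????.tmp) change on every
# boot; mask the hex part so the same BHO is not reported as removed and re-added.
TMP_RE = re.compile(r"(hp|ld)[0-9A-Fa-f]{4}\.tmp")


@dataclass(frozen=True, order=True)
class Entry:
    section: str
    body: str


def parse_hjt(text: str) -> list[Entry]:
    """Return the entry lines of a log; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def normalize(entry: Entry) -> Entry:
    """Mask per-boot random temp-file names so entries compare stably across logs."""
    return Entry(entry.section, TMP_RE.sub(lambda m: m.group(1) + "????.tmp", entry.body))


def running_processes(text: str) -> list[str]:
    """Paths listed under 'Running processes:' up to the first blank line."""
    procs, collecting = [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            collecting = True
        elif collecting:
            if not line:
                break
            procs.append(line)
    return procs


def diff_logs(before: str, after: str) -> dict[str, list[Entry]]:
    """Entries that disappeared, appeared, or survived between two logs."""
    b = {normalize(e) for e in parse_hjt(before)}
    a = {normalize(e) for e in parse_hjt(after)}
    return {"removed": sorted(b - a), "added": sorted(a - b), "kept": sorted(a & b)}


def still_present(log: str, indicators: list[str]) -> list[str]:
    """Fix-list paths/names that still occur anywhere in the log (entries or process list)."""
    haystack = log.lower()
    return [i for i in indicators if i.lower() in haystack]


# Constructed excerpts of the two logs in this thread (not the full logs).
BEFORE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 11:06:38 PM, on 5/3/2006

Running processes:
C:\WINDOWS\System32\dcomcfg.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\System32\winldra.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\System32\hp96D7.tmp
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [load32] C:\WINDOWS\System32\winldra.exe
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" /waitservice
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
"""

AFTER_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 7:39:54 PM, on 5/5/2006

Running processes:
C:\WINDOWS\System32\dcomcfg.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\System32\hpC5BE.tmp
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" /waitservice
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
"""

# The helper's delete list from this thread.
FIX_LIST = ["winldra.exe", r"C:\WINDOWS\web\related.htm",
            r"C:\Program Files\Viewpoint", r"C:\Program Files\AWS"]

if __name__ == "__main__":
    for kind, entries in diff_logs(BEFORE_LOG, AFTER_LOG).items():
        print(kind + ":")
        for e in entries:
            print("  " + e.section + " - " + e.body)
    print("fix-list items still referenced:", still_present(AFTER_LOG, FIX_LIST))
    print("processes still running:", running_processes(AFTER_LOG))
```

On the excerpts, `removed` holds the start page, the two fixed `O4` entries and the `O9` button, `kept` holds the Outpost entry and the BHO (which survived the cleanup, as the second log on this page shows), and the fix list comes back empty. The `kept` list and the process list are where the remaining work shows up: `dcomcfg.exe` is still running in the fresh log because it was not on the delete list, and SmitFraudFix reports it later in the thread.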
My GF's computer is a little slow but I did everything you suggested. Here are the latest logs. Thanks

Logfile of HijackThis v1.99.1
Scan saved at 7:39:54 PM, on 5/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\System32\dcomcfg.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
C:\HJT\HijackThis.exe

O2 - BHO: Nothing - {b0398eca-0bcd-4645-8261-5e9dc70248d0} - C:\WINDOWS\System32\hpC5BE.tmp
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] c:\Corel\Office7\Shared\QFinder7\QFSCHED.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dumps_startup
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .asp: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe

-----------------------------------------------------------

SmitFraudFix v2.38

Scan done at 7:57:01.20, Fri 05/05/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\uninstDsk.exe FOUND !
C:\WINDOWS\warnhp.html FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\oleext.dll FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

C:\DOCUME~1\Owner\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\SpyFalcon\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\WINDOWS\\warnhp.html"
"SubscribedURL"=""
"FriendlyName"="Desktop Uninstall"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}"="Twain"

[HKEY_CLASSES_ROOT\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
@="C:\WINDOWS\System32\twain32.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{CA14EE13-ED15-C4A2-17FF-DA4D15C1BC5E}\InProcServer32]
@="C:\WINDOWS\System32\twain32.dll"

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

C:\WINDOWS\system32\wininet.dll infected !

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll backup

Volume in drive C has no label.
Volume Serial Number is F4D5-9D00

Directory of C:\WINDOWS\SoftwareDistribution\Download\bc2bb94b99deb6cd7b7cb182db7109cb\rtmgdr

02/24/2006 02:26 PM 575,488 wininet.dll
1 File(s) 575,488 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\bc2bb94b99deb6cd7b7cb182db7109cb\RTMQFE

02/24/2006 06:28 PM 586,752 wininet.dll
1 File(s) 586,752 bytes

Directory of C:\WINDOWS\SYSTEM32

09/03/2002 01:12 PM 599,040 wininet.dll
1 File(s) 599,040 bytes

Directory of C:\WINDOWS\SYSTEM32\DLLCACHE

09/03/2002 01:12 PM 599,040 wininet.dll
1 File(s) 599,040 bytes

»»»»»»»»»»»»»»»»»»»»»»»» End

----------------------------------------------------------

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:17:40 PM, 5/5/2006
+ Report-Checksum: 264B6825

+ Scan result:

C:\Documents and Settings\Abby\Local Settings\Temp\Temporary Internet Files\Content.IE5\9ZMVWEW3\WinTA[1].cab/WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\Temporary Internet Files\Content.IE5\CL6SFT1E\Toolbar[2].cab/IExploreSkins.exe -> Adware.WebSearch : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\Temporary Internet Files\Content.IE5\CL6SFT1E\Toolbar[2].cab/toolbar.dll -> Adware.WebSearch : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~135676.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~146980.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~18015.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~307189.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~309264.tmp -> Downloader.Wintool.d : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~312049.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~312842.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~314255.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~314569.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~315723.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~315802.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~316635.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~316658.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~316893.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~318211.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~319410.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~320661.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~323946.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~326327.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~331219.tmp -> Downloader.Wintool.d : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~332513.tmp -> Downloader.Wintool.d : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~333808.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~337014.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~337508.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~338671.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~341086.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~341974.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~347033.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~347456.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~351116.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~351160.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~352673.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~355677.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~357009.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~360611.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~372994.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~374830.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~382902.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~384891.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~386178.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~386610.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~386869.tmp -> Downloader.Wintool.d : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~393984.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~397971.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~404577.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~404641.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~407308.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~409500.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~419630.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~423105.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~423495.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~426827.tmp -> Downloader.Wintool.d : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~428064.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~428097.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~43039.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~431421.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~432436.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~438587.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~440456.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~445912.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~448535.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~450376.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~451057.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~455523.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~457433.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~458817.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~461296.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~462047.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~464484.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~464749.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~467762.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~473762.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~474260.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~476035.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~476156.tmp -> Downloader.Wintool.d : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~482091.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~487094.tmp -> Downloader.Wintool.d : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~50076.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~505695.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~506851.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~519704.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~520226.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~522663.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~530458.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~531357.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~548061.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~559641.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~560129.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~576669.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~584896.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~586534.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~593877.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~599654.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~605723.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~635352.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~656708.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~663616.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~673957.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~674230.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~680451.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~683064.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~683642.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~687559.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~693321.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~695716.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~701839.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~709530.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~711669.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~711737.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~718903.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~721431.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~725653.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~734457.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~741999.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~752381.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~777659.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~793439.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~806669.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~830014.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~838969.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~850329.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~850633.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~856026.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~860797.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~876405.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~877503.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~893538.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~90271.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~92848.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~935037.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~94534.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~94747.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~983015.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~990026.tmp -> Downloader.Wintool.a : Cleaned with backup
C:\Documents and Settings\Abby\Local Settings\Temp\~998972.tmp -> Adware.Wintol : Cleaned with backup
C:\Documents and Settings\Abby\Start Menu\Programs\WeatherCast -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\Abby\Start Menu\Programs\WeatherCast\WeatherCast.lnk -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Common Files\GMT\egIEEngine.dll -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\GMT\GMT.exe -> Adware.Gator : Cleaned with backup
C:\Program Files\Common Files\WinTools\Update\WToolsA.exe -> Adware.Wintol : Cleaned with backup
C:\Program Files\Common Files\WinTools\Update\WToolsB.dll -> Adware.Wintol : Cleaned with backup
C:\Program Files\Common Files\WinTools\WSup.exe -> Downloader.Wintool.a : Cleaned with backup
C:\Program Files\Common Files\WinTools\WToolsA.exe -> Downloader.Wintool.a : Cleaned with backup
C:\Program Files\Common Files\WinTools\WToolsB.dll -> Adware.Wintol : Cleaned with backup
C:\Program Files\Common Files\WinTools\WToolsS.exe -> Downloader.Wintool.b : Cleaned with backup
C:\Program Files\Save -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Save\save.db -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Save\Save.exe -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Save\save.htm -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Save\SaveUninst.exe -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Save\store.db -> Adware.SaveNow : Cleaned with backup
C:\Program Files\whInstall -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\license.txt -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\readme.txt -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\Sporder.dll -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\Webhdll.dll -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\WhAgent.exe -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\whAgent.inf -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\whAgent.ini -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\whiehlpr.dll -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\whInstaller.exe -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\whInstaller.ini -> Adware.Webhancer : Cleaned with backup
C:\Program Files\whInstall\WhSurvey.exe -> Adware.Webhancer : Cleaned with backup
C:\System Volume
Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP0\A0001004.exe -> Adware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP0\A0002004.exe -> Adware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP0\A0003004.exe -> Adware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0003066.exe -> Adware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004066.exe -> Adware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004112.exe -> Adware.Gator : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004121.exe -> Adware.SaveNow : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004122.dll -> Adware.SaveNow : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004123.exe -> Adware.SaveNow : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004124.exe -> Adware.SaveNow : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004146.dll -> Adware.Aws : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004152.dll -> Adware.WebHancer : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004157.dll -> Adware.WebHancer : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004162.exe -> Adware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004168.dll -> Adware.WebHancer : Cleaned with backup C:\System 
Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004307.exe -> Adware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0004312.exe -> Adware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0005315.exe -> Adware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0006253.exe -> Adware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0010361.exe -> Adware.SaveNow : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0010363.exe -> Adware.SaveNow : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\A0011258.exe -> Adware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP7\A0011290.exe -> Adware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0011306.exe -> Adware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0011323.exe -> Adware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0011333.exe -> Adware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0012333.exe -> Adware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0039677.exe -> Trojan.Small.ev : Cleaned with backup C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0039689.dll -> Not-A-Virus.Hoax.Win32.Renos.cu : Cleaned with backup C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0039718.dll -> 
Adware.NewDotNet : Cleaned with backup C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0039719.exe -> Adware.NewDotNet : Cleaned with backup C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0039720.dll -> Adware.Aws : Cleaned with backup C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0039979.exe -> Adware.WebHancer : Cleaned with backup C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0039981.exe -> Adware.SaveNow : Cleaned with backup C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0039982.exe -> Adware.SaveNow : Cleaned with backup C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0040016.dll -> Adware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0040017.exe -> Adware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0040018.exe -> Adware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0040019.exe -> Adware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0040020.exe -> Adware.WebSearch : Cleaned with backup C:\System Volume Information\_restore{DA86B93F-CD96-412F-BAD6-FC3682313A79}\RP306\A0040023.exe -> Adware.WebSearch : Cleaned with backup C:\WINDOWS\SYSTEM32\ld9302.tmp -> Downloader.Zlob.mr : Cleaned with backup ::Report End
Ok, not clean yet.

Cleaning instructions:

SmitfraudFix has been updated, please remove the old version and download the latest from here -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Unzip it (folder named SmitFraudFix) to your desktop.

Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html

Restart your computer to safe mode and choose your normal user account -> http://www.pchell.com/support/safemode.shtml

Delete these folders (if found):
C:\Program Files\Common Files\GMT
C:\Program Files\Common Files\WinTools

When in safe mode, open the SmitfraudFix folder and double-click the file smitfraudfix.cmd.
Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.
You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.
The tool checks if the wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".
The tool might have to restart your computer; if it won't do it, restart your computer back to normal mode.
A text file will appear after the cleaning process; copy this file and paste it here. The log is saved to your local disk drive, usually C:\rapport.txt.

Warning: Running option 2 on a clean computer will delete your desktop wallpaper.

Post a fresh HijackThis log and the contents of C:\rapport.txt here.
Here they go

SmitFraudFix v2.38

Scan done at 11:15:13.21, Sat 05/06/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process

»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\uninstDsk.exe Deleted
C:\WINDOWS\warnhp.html Deleted
C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\hp????.tmp Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
Problem while deleting C:\WINDOWS\system32\oleext.dll
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\Owner\FAVORI~1\Antivirus Test Online.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll

C:\WINDOWS\system32\wininet.dll infected !
Searching wininet.dll backup file...
C:\WINDOWS\SoftwareDistribution\Download\bc2bb94b99deb6cd7b7cb1 82db7109cb\rtmgdr\wininet.dll
C:\WINDOWS\SoftwareDistribution\Download\bc2bb94b99deb6cd7b7cb1 82db7109cb\RTMQFE\wininet.dll
C:\WINDOWS\SYSTEM32\wininet.dll
C:\WINDOWS\SYSTEM32\DLLCACHE\wininet.dll
File Found : C:\WINDOWS\SYSTEM32\DLLCACHE\\wininet.dll
System Version : 6.0.2800.1106
BackUp Version : 6.0.2800.1106
Wininet.dll Remplacement (reboot necessary)

»»»»»»»»»»»»»»»»»»»»»»»» Reboot

C:\WINDOWS\system32\oleext.dll Deleted

»»»»»»»»»»»»»»»»»»»»»»»» End

---------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 11:30:31 AM, on 5/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\FSI\F-Prot\fpavupdm.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\Program Files\FSI\F-Prot\F-Sched.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\FSI\F-Prot\F-StopW.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [AS00_Gear511] C:\Program Files\NETGEAR\WG511SCU\Utility\Gear511.exe -hide
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] c:\Corel\Office7\Shared\QFinder7\QFSCHED.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Outpost Firewall] "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dumps_startup
O4 - HKLM\..\Run: [FRISK FP-Scheduler] C:\Program Files\FSI\F-Prot\F-Sched.exe STARTUP
O4 - HKLM\..\Run: [F-StopW] C:\Program Files\FSI\F-Prot\F-StopW.EXE
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Startup: PerfectPrint.LNK = C:\Corel\Office7\Shared\PFit7\PFPPOP70.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .asp: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.phoenix.edu/secure/PhxStudent15.CAB
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Agnitum\OUTPOS~1\wl_hook.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: F-Prot Antivirus Update Monitor - FRISK Software - C:\Program Files\FSI\F-Prot\fpavupdm.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
Ok, looking quite good, but you still have the old version of SmitfraudFix (2.38).

Delete the old smitfraudfix.zip file and the SmitfraudFix folder. Then download SmitfraudFix.zip (version 2.40) to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Unzip it (folder named SmitFraudFix) to your desktop.

Open the folder SmitfraudFix and double-click smitfraudfix.cmd.
Choose option #1 - Search by typing 1 and pressing "Enter"; a text file opens and lists the infected files (if any exist).
Post the contents of this text file here.

(Some antivirus programs recognise process.exe as malware. It is not malware; it is a program that stops processes.)
Here it is. Hey, when you helped clean my other computer a few days ago I used the old version too. Should I post you a log with this version? Thanks.

SmitFraudFix v2.40

Scan done at 14:37:40.38, Sat 05/06/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600]

»»»»»»»»»»»»»»»»»»»»»»»» C:\

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data

»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys

»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection

»»»»»»»»»»»»»»»»»»»»»»»» End
Hi alcocerpi, this one is clean. But Windows and Internet Explorer are outdated. Go and update those -> http://update.microsoft.com/windowsupdate/

And yes, you can post that log with the new version here. It was the latest version then, but as you can see, the fix is updated quite often.