Hijack This Log - Yazzle... :(

Post by MilkmanDan » March 26th, 2006, 11:32 am

Thanks very much in advance for the help. I've gone years with no problems then yesterday, BANG!

Logfile of HijackThis v1.99.1
Scan saved at 9:22:56 AM, on 3/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\ezaudio.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Lexico\CleverKeys\ClvrKeys.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\wtxwd.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hofanrw.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [EzAudioTray] C:\WINDOWS\ezaudio.exe TRAYAPP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CleverKeys.lnk = C:\Program Files\Lexico\CleverKeys\ClvrKeys.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/100ab3c40dc ... xIE601.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.webex.com/client/v_my ... eatgpc.cab
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
MilkmanDan
Active Member
 
Posts: 4
Joined: March 26th, 2006, 11:27 am

Post by agrarianmonk » March 26th, 2006, 7:55 pm

Hi MilkmanDan

Welcome to the Malware Removal forums. I will be more than happy to help you work on your problems.
Please give me some time to review your log as this can be a lengthy process. As soon as a MR Staff Expert reviews my fix, I will post it for you.
In the meantime, if any problems occur, please let me know.
Please only use this topic to reply to. Do not start another thread.
The fixes we will use are specific to your problems and should only be used for this issue on this machine.
If you’re unsure of anything at all please stop and ask!
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Post by agrarianmonk » March 26th, 2006, 8:29 pm

Please remove these entries from Add/Remove Programs in the Control Panel (if present):

Viewpoint


Viewpoint components are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting "Disable auto-updating for the Viewpoint Manager" -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.

To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.


I recommend that you remove the Viewpoint products; however, decide for yourself.

Please note any other programs that you don't recognize in that list in your next response.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\wtxwd.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hofanrw.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/100ab3c40dc ... xIE601.cab

Now close all windows other than HiJackThis, then click Fix Checked.

Reboot

Please delete these files using Windows Explorer (if present):

C:\WINDOWS\system32\wtxwd.exe


We need to do a search. Start | Search | For Files and Folders.
Expand Search Options, check Advanced Options, check Search system folders, Search hidden files and folders, and Search Subfolders.
Paste this into the Search for files and folders named box:

hofanrw.exe

If any of these files are found please delete them.

Reboot

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

In your next post, please include:

  • Panda Scan Log
  • new HijackThis Log
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Post by MilkmanDan » March 28th, 2006, 11:47 pm

Thanks so much for the help: did exactly what you suggested and rescanned with both. Following are the new logs. It didn't appear that the "F2"? lines were removed in HijackThis, although I followed your instructions.
Thanks again so much!


Logfile of HijackThis v1.99.1
Scan saved at 9:43:28 PM, on 3/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\ezaudio.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Lexico\CleverKeys\ClvrKeys.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\wtxwd.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,hofanrw.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\ycomp5_5_5_0.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [EzAudioTray] C:\WINDOWS\ezaudio.exe TRAYAPP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CleverKeys.lnk = C:\Program Files\Lexico\CleverKeys\ClvrKeys.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.kodakgallery.com/downloads/B ... ofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004 ... scan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/softwa ... Plugin.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.c ... mplete.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.webex.com/client/v_my ... eatgpc.cab
O23 - Service: Intuit Fuse Service - Intuit - C:\Program Files\Common Files\Intuit\Fuse\Service\Intuit Fuse Service.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
PANDASCAN LOG:

Incident Status Location

Adware:Adware/Qoologic Not disinfected C:\WINDOWS\system32\mrhsuti.dll
Adware:adware/maxifiles Not disinfected C:\WINDOWS\SYSTEM32\mmxp2passion.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@112.2o7[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@2o7[2].txt
Spyware:Cookie/64.62.232 Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@64.62.232[1].txt
Spyware:Cookie/Abetterinternet Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@abetterinternet[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@ad.sensismediasmart.com[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@adopt.hbmediapro[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@adultfriendfinder[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@advertising[1].txt
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@anm.co[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@atdmt[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@ath.belnk[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@atwola[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@azjmp[2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@banner[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@belnk[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@bluestreak[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@burstnet[2].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@c.enhance[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@ccbill[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@com[2].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@ct.360i[2].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@did-it[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@dist.belnk[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@doubleclick[1].txt
Spyware:Cookie/empnads Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@empnads[1].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@entrepreneur[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@gostats[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@go[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@go[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@go[3].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@hitbox[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@image.checkmystats.com[2].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@kinghost[1].txt
Spyware:Cookie/Kmpads Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@kmpads[2].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@kount[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@mediaplex[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@offeroptimizer[2].txt
Spyware:Cookie/Paypopup Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@paypopup[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@revenue[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@rn11[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@searchportal.information[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@stats1.reliablestats[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@statse.webtrendslive[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@target[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@tribalfusion[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@www.burstbeacon[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@xiti[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@yadro[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@zedo[1].txt
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Ashley Cheek\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\Dummy.class-7b6e8b4e-4972f621.class
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Ashley Cheek\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\VerifierBug.class-40ad46a4-39009dd4.class
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Ashley Cheek\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6f71db98-38a3d2e5.zip[Mein.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Ashley Cheek\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6f71db98-38a3d2e5.zip[ProbeLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Ashley Cheek\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6f71db98-38a3d2e5.zip[Dummy.class]
Virus:Trojan Horse Not disinfected C:\Documents and Settings\Ashley Cheek\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6f71db98-38a3d2e5.zip[Beyond.class]
Virus:Trj/Shinwow.L Not disinfected C:\Documents and Settings\Ashley Cheek\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-6f71db98-38a3d2e5.zip[binny.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Ashley Cheek\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-77914e34-41f9d208.zip[GetAccess.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Ashley Cheek\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-77914e34-41f9d208.zip[InsecureClassLoader.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Ashley Cheek\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-77914e34-41f9d208.zip[Dummy.class]
Virus:Exploit/ByteVerify Not disinfected C:\Documents and Settings\Ashley Cheek\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-77914e34-41f9d208.zip[Installer.class]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@112.2o7[2].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@2o7[2].txt
Spyware:Cookie/64.62.232 Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@64.62.232[1].txt
Spyware:Cookie/Abetterinternet Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@abetterinternet[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@ad.sensismediasmart.com[1].txt
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@adopt.hbmediapro[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@adultfriendfinder[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@advertising[1].txt
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@anm.co[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@atdmt[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@ath.belnk[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@atwola[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@azjmp[2].txt
Spyware:Cookie/Banner Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@banner[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@belnk[1].txt
Spyware:Cookie/Bluestreak Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@bluestreak[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@burstnet[2].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@c.enhance[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@ccbill[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@com[2].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@ct.360i[2].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@did-it[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@dist.belnk[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@doubleclick[1].txt
Spyware:Cookie/empnads Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@empnads[1].txt
Spyware:Cookie/Entrepreneur Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@entrepreneur[1].txt
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@gostats[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@go[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@go[2].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@go[3].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@hitbox[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@image.checkmystats.com[2].txt
Spyware:Cookie/MediaTickets Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@kinghost[1].txt
Spyware:Cookie/Kmpads Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@kmpads[2].txt
Spyware:Cookie/Kount Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@kount[2].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@mediaplex[1].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@offeroptimizer[2].txt
Spyware:Cookie/Paypopup Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@paypopup[1].txt
Spyware:Cookie/WUpd Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@revenue[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@rn11[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@searchportal.information[1].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@stats1.reliablestats[2].txt
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@statse.webtrendslive[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@target[2].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@trafficmp[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@tribalfusion[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@www.burstbeacon[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@xiti[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@yadro[2].txt
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@z1.adserver[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Ashley Cheek\Cookies\ashley cheek@zedo[1].txt
Virus:W32/Sober.AG.worm Not disinfected Hotmail\Deleted Items\Password Confirmation\packed-password_text.zip[mail-packed_password.exe]
Virus:W32/Sober.AH.worm!CME-681 Not disinfected Hotmail\Deleted Items\Your Password\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm!CME-681 Not disinfected Hotmail\Deleted Items\Paris Hilton & Nicole Richie\downloadm.zip[File-packed_dataInfo.exe]
Virus:W32/Sober.AH.worm!CME-681 Not disinfected Hotmail\Deleted Items\Registration Confirmation\reg_pass-data.zip[File-packed_dataInfo.exe]
Virus:Trj/Downloader.AYV Not disinfected C:\Documents and Settings\Ashley Cheek\Local Settings\Temp\637win.exe
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Ashley Cheek\Local Settings\Temp\Cookies\ashley cheek@ad.yieldmanager[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Ashley Cheek\Local Settings\Temp\Cookies\ashley cheek@atwola[1].txt
Spyware:Cookie/go Not disinfected C:\Documents and Settings\Ashley Cheek\Local Settings\Temp\Cookies\ashley cheek@go[2].txt
Virus:Trj/Downloader.AYV Not disinfected C:\Documents and Settings\Ashley Cheek\Local Settings\Temp\exp.exe
Adware:Adware/Qoologic Not disinfected C:\Documents and Settings\Ashley Cheek\Local Settings\Temp\f9037785.exe
Virus:Trj/Downloader.AYV Not disinfected C:\Documents and Settings\Ashley Cheek\Local Settings\Temp\mcwin.exe
Virus:Trj/Downloader.AYV Not disinfected C:\Documents and Settings\Ashley Cheek\Local Settings\Temp\million.exe
Virus:Trj/Downloader.AYV Not disinfected C:\Documents and Settings\Ashley Cheek\Local Settings\Temp\pre1.exe
Virus:Trj/Downloader.AYV Not disinfected C:\Documents and Settings\Ashley Cheek\Local Settings\Temp\pre2.exe
Virus:Trj/Downloader.AYV Not disinfected C:\Documents and Settings\Ashley Cheek\Local Settings\Temp\z1.exe
Virus:Trj/Downloader.AYV Not disinfected C:\Documents and Settings\Ashley Cheek\Local Settings\Temp\z3.exe
Adware:Adware/IST.YourSiteBar Not disinfected C:\Documents and Settings\Ashley Cheek\Local Settings\Temporary Internet Files\Content.IE5\SF1ZIIVX\CA6J4TAZ.HTM
Adware:Adware/IST.YourSiteBar Not disinfected C:\Documents and Settings\Ashley Cheek\Local Settings\Temporary Internet Files\Content.IE5\SF1ZIIVX\CAM7CFYR.HTM
Adware:Adware/IST.YourSiteBar Not disinfected C:\Documents and Settings\Ashley Cheek\Local Settings\Temporary Internet Files\Content.IE5\SF1ZIIVX\CAQ50VR9.HTM
Adware:Adware/IST.YourSiteBar Not disinfected C:\Documents and Settings\Ashley Cheek\Local Settings\Temporary Internet Files\Content.IE5\SF1ZIIVX\CAUZRCSN.HTM
Adware:Adware/IST.YourSiteBar Not disinfected C:\Documents and Settings\Ashley Cheek\Local Settings\Temporary Internet Files\Content.IE5\T3J7TXKE\CAQEBRXS.HTM
Adware:Adware/Exact.BargainBuddy Not disinfected C:\Documents and Settings\Ashley Cheek\Local Settings\Temporary Internet Files\Content.IE5\YD4DWXCN\marketing48[1].htm
Spyware:Cookie/24/7 Realmedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10B.tmp
Spyware:Cookie/2o7 Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq10C.tmp
Spyware:Cookie/Advertising Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq112.tmp
Spyware:Cookie/Atlas DMT Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq113.tmp
Spyware:Cookie/Bfast Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq115.tmp
Spyware:Cookie/Bluestreak Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq117.tmp
Spyware:Cookie/bravenetA Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq118.tmp
Spyware:Cookie/Bs.serving-sys Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq119.tmp
Spyware:Cookie/Casalemedia Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11A.tmp
Spyware:Cookie/CentrPort Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11B.tmp
Spyware:Cookie/Com.com Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq11F.tmp
Spyware:Cookie/Coremetrics Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq121.tmp
Spyware:Cookie/Doubleclick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq124.tmp
Spyware:Cookie/Euniverseads Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq128.tmp
Spyware:Cookie/Falkag Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq129.tmp
Spyware:Cookie/Falkag Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq12A.tmp
Spyware:Cookie/FastClick Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq12B.tmp
Spyware:Cookie/Gator Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq12C.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq12D.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq130.tmp
Spyware:Cookie/Hitbox Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq131.tmp
Spyware:Cookie/HotLog Not disinfected C:\Program Files\Yahoo!\YPSR\Quarantine\ppq135.tmp
MilkmanDan
Active Member
 
Posts: 4
Joined: March 26th, 2006, 11:27 am
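The ActiveScan report above mixes dozens of tracking-cookie hits with a handful of detections that actually name executables (the `Trj/Downloader.AYV` droppers in `Temp`, the Sober worm attachments, the Qoologic and BargainBuddy files). Triage means separating the two. The following is an added example, not code from the thread or from Panda: a small parser for the "Category:Name Status Path" layout seen in the report, with constructed sample lines (the detection names are from the report, the paths and user name are made up), that counts cookie noise and lists the detections worth acting on.

```python
import re
from collections import Counter

# Constructed sample in the ActiveScan report layout shown in the post
# ("Category:Name Status Path"); the paths are made up for this example.
SAMPLE_REPORT = r"""
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\User\Cookies\user@zedo[1].txt
Spyware:Cookie/Traffic Marketplace Not disinfected C:\Documents and Settings\User\Cookies\user@trafficmp[1].txt
Virus:Trj/Downloader.AYV Not disinfected C:\Documents and Settings\User\Local Settings\Temp\z1.exe
Adware:Adware/Qoologic Not disinfected C:\Documents and Settings\User\Local Settings\Temp\f9037785.exe
Virus:W32/Sober.AH.worm!CME-681 Not disinfected Hotmail\Deleted Items\Your Password\reg_pass-data.zip[File-packed_dataInfo.exe]
"""

# Detection names may contain spaces ("Cookie/Traffic Marketplace"), so the
# name group is non-greedy and anchored on the status phrase that follows it.
LINE_RE = re.compile(
    r"^(?P<category>\w+):(?P<name>.+?) "
    r"(?P<status>Not disinfected|Disinfected|Deleted|Renamed) "
    r"(?P<path>.+)$"
)


def parse_activescan(text):
    """Parse report lines into dicts; lines that do not fit the layout are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(m.groupdict())
    return findings


def is_tracking_cookie(finding):
    """Panda files tracking cookies under the Cookie/ family; they are noise for triage."""
    return finding["name"].startswith("Cookie/")


def container_path(path):
    """For archive members reported as 'archive.zip[member.exe]', return the archive path."""
    return path.split("[", 1)[0] if path.endswith("]") else path


def triage(findings):
    """Separate cookie hits from detections that name an executable or archive on disk."""
    actionable = []
    for f in findings:
        if not is_tracking_cookie(f):
            actionable.append({**f, "on_disk": container_path(f["path"])})
    return {
        "cookies": sum(1 for f in findings if is_tracking_cookie(f)),
        "by_category": dict(Counter(f["category"] for f in findings)),
        "actionable": actionable,
    }


if __name__ == "__main__":
    result = triage(parse_activescan(SAMPLE_REPORT))
    print(f"{result['cookies']} tracking cookies, {len(result['actionable'])} actionable:")
    for f in result["actionable"]:
        print(f"  [{f['category']}] {f['name']} -> {f['on_disk']}")
```

The `on_disk` field matters for the archive hits: the worm copies live inside `.zip` attachments in a mail folder, so the thing to delete is the archive (or, as the helper later says, the mail folder contents), not the member name in brackets.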

Unread postby agrarianmonk » March 29th, 2006, 7:36 pm

Download and Save Blacklight to C:\

Go to Start-->Run, and type in the following syntax and press enter:

C:\blbeta.exe /expert

Accept the agreement, leave [X] scan through Windows Explorer checked, click > scan then > next.

You'll see a list of all items found. There will also be a log in C:\ with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply. Don't choose the rename option yet! I want to see the log first, because legitimate items can also be present there, such as "wbemtest.exe".
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby MilkmanDan » March 30th, 2006, 12:28 am

AM: Thanks again. Here is the log:

03/29/06 22:05:58 [Info]: BlackLight Engine 1.0.33 initialized
03/29/06 22:05:58 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/29/06 22:05:58 [Note]: 7019 4
03/29/06 22:05:58 [Note]: 7005 0
03/29/06 22:06:16 [Note]: 7006 0
03/29/06 22:06:16 [Note]: 7022 0
03/29/06 22:06:16 [Note]: 7011 1680
03/29/06 22:06:17 [Note]: 7024 3
03/29/06 22:06:17 [Info]: Hidden process: C:\WINDOWS\system32\gkhsdl.exe
03/29/06 22:06:17 [Note]: 7024 3
03/29/06 22:06:17 [Info]: Hidden process: C:\WINDOWS\system32\wtxwd.exe
03/29/06 22:06:17 [Note]: 7024 3
03/29/06 22:06:17 [Info]: Hidden process: C:\WINDOWS\system32\wtxwd.exe
03/29/06 22:06:17 [Note]: 7024 3
03/29/06 22:06:17 [Info]: Hidden process: C:\WINDOWS\system32\wtxwd.exe
03/29/06 22:06:17 [Note]: FSRAW library version 1.7.1015
03/29/06 22:06:20 [Info]: Hidden file: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\xrstj.exe
03/29/06 22:06:20 [Note]: 10002 1
03/29/06 22:26:08 [Info]: Hidden file: C:\WINDOWS\system32\gkhsdl.exe
03/29/06 22:26:08 [Note]: 10002 1
03/29/06 22:26:09 [Info]: Hidden file: C:\WINDOWS\system32\hofanrw.exe
03/29/06 22:26:09 [Note]: 10002 1
03/29/06 22:26:10 [Info]: Hidden file: C:\WINDOWS\system32\mrhsuti.dll
03/29/06 22:26:10 [Note]: 10002 1
03/29/06 22:26:13 [Info]: Hidden file: C:\WINDOWS\system32\wtxwd.exe
03/29/06 22:26:13 [Note]: 10002 1
03/29/06 22:26:41 [Info]: Hidden file: C:\WINDOWS\efnyu.dll
03/29/06 22:26:41 [Note]: 10002 1
03/29/06 22:27:37 [Note]: 7007 0
MilkmanDan
Active Member
 
Posts: 4
Joined: March 26th, 2006, 11:27 am

Unread postby agrarianmonk » March 30th, 2006, 12:55 pm

We're going to do the same thing except this time I want you to use Blacklight's rename function.

Go to Start-->Run, and type in the following syntax and press enter:

C:\blbeta.exe /expert

Accept the agreement, leave [X] scan through Windows Explorer checked, click > scan then > next.

You'll see a list of all items found. Now click 'rename'

There will also be a log in C:\ with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

Copy and paste this log in your next reply.
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby MilkmanDan » April 2nd, 2006, 1:35 pm

OK, did Blacklight, scanned, renamed all items, but it looks like it found them again the very next scan. Hmm. Here's the log after scanning, and then I did another scan and another log.
Thanks for all the help!


LOG 1:

03/30/06 20:03:34 [Info]: BlackLight Engine 1.0.33 initialized
03/30/06 20:03:34 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/30/06 20:03:34 [Note]: 7019 4
03/30/06 20:03:34 [Note]: 7005 0
03/30/06 20:03:39 [Note]: 7006 0
03/30/06 20:03:39 [Note]: 7022 0
03/30/06 20:03:39 [Note]: 7011 1676
03/30/06 20:03:39 [Note]: 7024 3
03/30/06 20:03:39 [Info]: Hidden process: C:\WINDOWS\system32\gkhsdl.exe
03/30/06 20:03:39 [Note]: 7024 3
03/30/06 20:03:39 [Info]: Hidden process: C:\WINDOWS\system32\wtxwd.exe
03/30/06 20:03:39 [Note]: 7024 3
03/30/06 20:03:39 [Info]: Hidden process: C:\WINDOWS\system32\wtxwd.exe
03/30/06 20:03:39 [Note]: 7024 3
03/30/06 20:03:39 [Info]: Hidden process: C:\WINDOWS\system32\wtxwd.exe
03/30/06 20:03:39 [Note]: FSRAW library version 1.7.1015
03/30/06 20:03:44 [Info]: Hidden file: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\xrstj.exe
03/30/06 20:03:44 [Note]: 10002 1
03/30/06 20:23:23 [Info]: Hidden file: C:\WINDOWS\system32\gkhsdl.exe
03/30/06 20:23:23 [Note]: 10002 1
03/30/06 20:23:23 [Info]: Hidden file: C:\WINDOWS\system32\hofanrw.exe
03/30/06 20:23:23 [Note]: 10002 1
03/30/06 20:23:24 [Info]: Hidden file: C:\WINDOWS\system32\mrhsuti.dll
03/30/06 20:23:24 [Note]: 10002 1
03/30/06 20:23:28 [Info]: Hidden file: C:\WINDOWS\system32\wtxwd.exe
03/30/06 20:23:28 [Note]: 10002 1
03/30/06 20:23:55 [Info]: Hidden file: C:\WINDOWS\efnyu.dll
03/30/06 20:23:55 [Note]: 10002 1
03/30/06 20:36:13 [Note]: 7007 0


LOG 2:

03/30/06 20:38:14 [Info]: BlackLight Engine 1.0.33 initialized
03/30/06 20:38:14 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/30/06 20:38:14 [Note]: 7019 4
03/30/06 20:38:14 [Note]: 7005 0
03/30/06 20:38:18 [Note]: 7006 0
03/30/06 20:38:18 [Note]: 7022 0
03/30/06 20:38:18 [Note]: 7011 1676
03/30/06 20:38:18 [Note]: 7024 3
03/30/06 20:38:18 [Info]: Hidden process: C:\WINDOWS\system32\gkhsdl.exe
03/30/06 20:38:18 [Note]: 7024 3
03/30/06 20:38:18 [Info]: Hidden process: C:\WINDOWS\system32\wtxwd.exe
03/30/06 20:38:18 [Note]: 7024 3
03/30/06 20:38:18 [Info]: Hidden process: C:\WINDOWS\system32\wtxwd.exe
03/30/06 20:38:18 [Note]: 7024 3
03/30/06 20:38:18 [Info]: Hidden process: C:\WINDOWS\system32\wtxwd.exe
03/30/06 20:38:18 [Note]: FSRAW library version 1.7.1015
03/30/06 20:38:27 [Info]: Hidden file: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\xrstj.exe
03/30/06 20:38:27 [Note]: 10002 1
03/30/06 20:58:28 [Info]: Hidden file: C:\WINDOWS\system32\gkhsdl.exe
03/30/06 20:58:28 [Note]: 10002 1
03/30/06 20:58:29 [Info]: Hidden file: C:\WINDOWS\system32\hofanrw.exe
03/30/06 20:58:29 [Note]: 10002 1
03/30/06 20:58:30 [Info]: Hidden file: C:\WINDOWS\system32\mrhsuti.dll
03/30/06 20:58:30 [Note]: 10002 1
03/30/06 20:58:33 [Info]: Hidden file: C:\WINDOWS\system32\wtxwd.exe
03/30/06 20:58:33 [Note]: 10002 1
03/30/06 20:59:00 [Info]: Hidden file: C:\WINDOWS\efnyu.dll
03/30/06 20:59:00 [Note]: 10002 1
03/30/06 21:13:33 [Note]: 7007 0
MilkmanDan
Active Member
 
Posts: 4
Joined: March 26th, 2006, 11:27 am
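The two logs above are the interesting part of the thread: after BlackLight's rename, the very same hidden processes and files show up again in the next scan, which tells the helper that the rootkit is restoring itself (or that the rename never took effect) and that a different removal route is needed. Comparing two scans by eye works for six files but not for sixty. The following is an added example, not code from the thread or from F-Secure: a parser for the BlackLight log layout shown above that de-duplicates the repeated "Hidden process" lines and diffs two scans. The two sample logs are constructed with made-up file names in the same layout.

```python
import re

# Constructed BlackLight-style logs (same layout as the ones posted above, with
# made-up file names). SCAN_BEFORE is the scan whose items were renamed;
# SCAN_AFTER is the re-scan after the reboot.
SCAN_BEFORE = r"""
03/30/06 20:03:34 [Info]: BlackLight Engine 1.0.33 initialized
03/30/06 20:03:39 [Note]: 7024 3
03/30/06 20:03:39 [Info]: Hidden process: C:\WINDOWS\system32\abcde.exe
03/30/06 20:03:39 [Note]: 7024 3
03/30/06 20:03:39 [Info]: Hidden process: C:\WINDOWS\system32\abcde.exe
03/30/06 20:03:44 [Info]: Hidden file: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\qwert.exe
03/30/06 20:03:44 [Note]: 10002 1
03/30/06 20:23:23 [Info]: Hidden file: C:\WINDOWS\system32\abcde.exe
03/30/06 20:23:24 [Info]: Hidden file: C:\WINDOWS\system32\zxcvb.dll
03/30/06 20:36:13 [Note]: 7007 0
"""

SCAN_AFTER = r"""
03/30/06 20:38:14 [Info]: BlackLight Engine 1.0.33 initialized
03/30/06 20:38:18 [Info]: Hidden process: C:\WINDOWS\system32\abcde.exe
03/30/06 20:58:28 [Info]: Hidden file: C:\WINDOWS\system32\abcde.exe
03/30/06 20:58:30 [Info]: Hidden file: C:\WINDOWS\system32\zxcvb.dll
03/30/06 20:59:00 [Info]: Hidden file: C:\WINDOWS\newly.dll
03/30/06 21:13:33 [Note]: 7007 0
"""

# Only the [Info] lines that name a hidden object carry a path; the numeric
# [Note] lines are engine status codes and are ignored here.
ENTRY_RE = re.compile(
    r"^\d\d/\d\d/\d\d \d\d:\d\d:\d\d \[Info\]: "
    r"(?P<kind>Hidden process|Hidden file): (?P<path>.+)$"
)


def hidden_items(log_text):
    """Collect hidden processes and hidden files from one BlackLight log.

    The engine may report the same process path several times (see the repeated
    'Hidden process' lines in the posted logs), so sets are used to de-duplicate.
    Paths are lower-cased so that comparisons are case-insensitive, as on NTFS.
    """
    found = {"process": set(), "file": set()}
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            kind = "process" if m["kind"] == "Hidden process" else "file"
            found[kind].add(m["path"].lower())
    return found


def all_paths(found):
    return found["process"] | found["file"]


def compare_scans(before, after):
    """Which hidden items survived the rename/reboot, which are gone, which are new."""
    b, a = all_paths(hidden_items(before)), all_paths(hidden_items(after))
    return {
        "persisting": sorted(b & a),
        "removed": sorted(b - a),
        "new": sorted(a - b),
    }


if __name__ == "__main__":
    diff = compare_scans(SCAN_BEFORE, SCAN_AFTER)
    for label in ("persisting", "removed", "new"):
        print(label.upper())
        for p in diff[label]:
            print("   ", p)
    if diff["persisting"]:
        print("Rename did not take effect; the hidden items are back.")
```

A non-empty `persisting` list is the signal the helper acted on in this thread: a rename that sticks should leave the original path absent from the next scan, so items that reappear under the same path are being recreated by something that is still running and need to be removed together with whatever starts them.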

Unread postby agrarianmonk » April 2nd, 2006, 7:15 pm

Please download the Killbox by Option^Explicit and Save it to your desktop.

Note: In the event you already have Killbox, this is a new version that I need you to download.

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.

***********************************
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\wtxwd.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hofanrw.exe

Now close all windows other than HiJackThis, then click Fix Checked.

*************************************

    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

**************************************

Navigate to C:\Program Files\Yahoo!\YPSR\Quarantine\ and delete all files inside it.

Empty Hotmail Deleted items from within Hotmail. Since I'm not sure where your Hotmail\Deleted Items\ folder is, you may have to search for your hotmail folder using Start-->Search, and then navigate to the Deleted Items folder and delete all of the contents.

***************************************

  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • End Explorer Shell While Killing File
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\xrstj.exe
    C:\WINDOWS\system32\gkhsdl.exe
    C:\WINDOWS\system32\wtxwd.exe
    C:\WINDOWS\system32\hofanrw.exe
    C:\WINDOWS\system32\mrhsuti.dll
    C:\WINDOWS\system32\mmxp2passion.exe
    C:\WINDOWS\efnyu.dll



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

*************************************

After the Reboot

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

****************************

In your next post, please include:
  • Panda Log
  • fresh HijackThis log (new)
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am
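The two F2 entries the helper asks to fix are the persistence mechanism: the Winlogon `Shell` and `Userinit` values are executed at every logon, and on a clean XP system they contain only `Explorer.exe` and `C:\WINDOWS\system32\userinit.exe,` respectively. Anything appended after a comma is started alongside them, which is exactly how `wtxwd.exe` and `hofanrw.exe` came back after the BlackLight rename. The following is an added example, not code from the thread or from HijackThis: a checker for HijackThis F2 lines that splits each value on commas and reports every component that is not the expected program in the expected directory. It assumes the Windows directory is `C:\WINDOWS`, as on the machine in this thread; the sample log is constructed from the two entries quoted above plus one unrelated line.

```python
import ntpath
import re

# What these logon values contain on a clean Windows XP system: Shell starts the
# desktop shell, Userinit runs the logon helper. Anything else listed in either
# value is started at every logon, which is why malware appends itself there.
EXPECTED = {
    "shell": {"explorer.exe"},
    "userinit": {"userinit.exe"},
}

# Directories in which the legitimate binaries live. Assumes the Windows
# directory is C:\WINDOWS (as in this thread); "" covers a bare file name such
# as the default "Explorer.exe".
ALLOWED_DIRS = {"", r"c:\windows", r"c:\windows\system32"}

# HijackThis F2 line layout, as in the two entries quoted in the post above.
F2_RE = re.compile(
    r"^F2 - REG:system\.ini: (?P<key>Shell|UserInit)=(?P<value>.*)$",
    re.IGNORECASE,
)


def check_f2(line):
    """Return the unexpected components of a Shell=/UserInit= line, or None if not an F2 line."""
    m = F2_RE.match(line.strip())
    if not m:
        return None
    key = m["key"].lower()
    unexpected = []
    for part in m["value"].split(","):
        part = part.strip()
        if not part:  # the legitimate Userinit value ends with a trailing comma
            continue
        base = ntpath.basename(part).lower()
        directory = ntpath.dirname(part).lower()
        # Matching the base name alone would accept a rogue explorer.exe dropped
        # elsewhere, so the directory has to be one of the known locations too.
        if base not in EXPECTED[key] or directory not in ALLOWED_DIRS:
            unexpected.append(part)
    return {"key": key, "unexpected": unexpected}


def suspicious_f2_lines(hjt_log):
    """Filter a HijackThis log down to the F2 lines that carry extra components."""
    hits = []
    for line in hjt_log.splitlines():
        result = check_f2(line)
        if result and result["unexpected"]:
            hits.append((line.strip(), result["unexpected"]))
    return hits


# Constructed mini log: the two F2 entries from the post plus one unrelated line.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\wtxwd.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hofanrw.exe
"""

if __name__ == "__main__":
    for line, extras in suspicious_f2_lines(SAMPLE_HJT):
        print(line)
        for e in extras:
            print("    unexpected:", e)
```

Note that `hofanrw.exe` appears in the `Userinit` value without a path: Windows resolves such a bare name through the system search path, so the file sits in `system32` next to `userinit.exe`, which is where BlackLight found it. That is also why fixing the F2 lines and deleting the files have to happen together, as the helper's instructions do: removing only the registry value leaves the file, and removing only the file makes every logon fail to find its helper.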

Unread postby NonSuch » April 12th, 2006, 2:07 am

Whilst we appreciate that you may be busy, it has been 7 days or more since we heard from you.

Infections can change and fresh instructions will now need to be given. This topic is now closed. If you still require assistance, please start a new topic in the Malware Removal Forum.

If you wish this topic reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
NonSuch
Administrator
 
Posts: 27226
Joined: February 23rd, 2005, 7:08 am
Location: California