# Solved: Dreaded explorer.exe trojan =/ (Admins please help)



## skate4lifee (May 14, 2007)

Hey admins/users who know how to deal with the explorer.exe virus. I have had it only for a day or two, but I could tell the symptoms of the adware/trojan because 1) my computer was running slow, 2) random pop-ups, 3) random new desktop icons, and 4) my McAfee anti-virus kept showing new viruses. Most of them it could delete, but there was always one that kept showing up, which I believe is the main virus that it could not delete. I'll be on here every day waiting for help.

Thank you,

The Indian Guy


----------



## cybertech (Apr 16, 2002)

Hi, Welcome to TSG!!

Click *here* to download *HJTsetup.exe*
Save HJTsetup.exe to your desktop.

Double click on the HJTsetup.exe icon on your desktop.
By default it will install to *C:\Program Files\Hijack This*.
Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
Put a check by Create a desktop icon then click Next again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click Finish and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## skate4lifee (May 14, 2007)

Logfile of HijackThis v1.99.1
Scan saved at 3:14:36 PM, on 5/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Apache HTTP Server\bin\httpd.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
G:\Program Files\Apache HTTP Server\bin\httpd.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\WINDOWS\retadpu1000272.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\messenger\msmsgs.exe
G:\Program Files\Apache HTTP Server\bin\ApacheMonitor.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
G:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.com/0SEENUS/SAOS01
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.playmacro.co.kr
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.dragonballz.com/"); (C:\Documents and Settings\Dustin\Application Data\Mozilla\Profiles\default\57ihib45.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Dustin\Application Data\Mozilla\Profiles\default\57ihib45.slt\prefs.js)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [Secure] C:\WINDOWS\WindowsUpdates.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\cuqwqcmh.dll",realset
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe" -boot
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Iinl] "C:\PROGRA~1\RACLE~1\mmc.exe" -vt ndrv
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = G:\Program Files\Apache HTTP Server\bin\ApacheMonitor.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - D:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) - 
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zan...ffce0e0ba0a8:7b1601be9f83b906d9b1a279c57bb948
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: 
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - G:\Program Files\Apache HTTP Server\bin\httpd.exe" -k runservice (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe


----------



## skate4lifee (May 14, 2007)

A friend told me to try and use Avast in boot-scan mode. I really don't want to get a new OS, but as a last resort I guess I will download a new one.


----------



## cybertech (Apr 16, 2002)

You don't *download* a new OS, you install it again from your original source.

*Click Here* and download Killbox and save it to your desktop.

*Run HJT again and put a check in the following:*

O4 - HKLM\..\Run: [Secure] C:\WINDOWS\WindowsUpdates.exe
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\cuqwqcmh.dll",realset
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [Iinl] "C:\PROGRA~1\RACLE~1\mmc.exe" -vt ndrv
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe

*Close all applications and browser windows before you click "fix checked".*

Double-click on Killbox.exe to run it. 
Put a tick by *Delete on Reboot*. 
Copy the following list of files to the clipboard (CTRL+C to copy):

C:\WINDOWS\system32\cuqwqcmh.dll
C:\WINDOWS\WindowsUpdates.exe
C:\WINDOWS\retadpu1000272.exe
C:\WINDOWS\system32\smanager.7.exe

Now in Killbox go to File, Paste from clipboard.
Click the *All Files* button.
Click on the button that has the red circle with the X in the middle.
It will ask for confirmation to delete the file.
Click Yes. 
It will ask if you want to reboot now,
Click Yes.

*Note:* It is possible that Killbox will tell you that the file does not exist.

If your computer does not restart automatically then please restart it manually. 
If you get the error message "PendingFileRenameOperations Registry Data has been Removed by External Process!" then just restart manually.

Download this tool to your desktop:
http://www.uploads.ejvindh.net/rootchk.exe
Run the program. After a short time a logfile will turn up. Copy the contents of the log into the thread.

Notice: Some security programs prevent the creation of dummy drivers with certain names. This may cause false positives. If the log of rootchk contains a lot of hidden drivers, you may want to turn off your security programs while rootchk is scanning (you should then unhook your network connection as well).

Download ComboFix from *Here* or *Here* to your Desktop. 

Double click *combofix.exe* and follow the prompts.
When finished, it shall produce a log for you. Post that log and a *HijackThis* log in your next reply.
*Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.*


----------



## skate4lifee (May 14, 2007)

********************************* ROOTCHK-(02-05-07)-LOG, by ejvindh
Mon 05/14/2007 16:12:54.32

Driver pe386 (hidden) is present. Run RUSTBFIX by ejvindh.
Driver pe386 (visible) is present. Run RUSTBFIX by ejvindh.

********************************* ROOTCHK-LOG-end

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-14 16:12:54
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
C:\WINDOWS\system32:lzx32.sys 71354 bytes executable hidden from API
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1


----------



## skate4lifee (May 14, 2007)

I don't think this will help, but here is a picture of the explorer.exe virus that pops up every time I turn on my computer. Also, ComboFix made me restart because of a rootkit it found, but it's still scanning.


----------



## skate4lifee (May 14, 2007)

I THINK YOU FIXED IT!!! When I ran my computer just now I didn't get the explorer.exe pop-up, but I don't think it's completely gone, not sure yet. Here is the ComboFix log:

"Dustin" - 2007-05-14 16:20:36 Service Pack 2 
ComboFix 07-05.13.V - Running from: ""

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\isrorbaw.dll
C:\WINDOWS\system32\nmmpmpyq.dll
C:\WINDOWS\system32\cbxyyxv.dll
C:\WINDOWS\system32\mljiifg.dll
C:\WINDOWS\system32\qommmjk.dll
C:\WINDOWS\system32\winexz32.dll
C:\WINDOWS\system32\qtstv.bak2
C:\WINDOWS\system32\qtstv.ini
C:\WINDOWS\system32\qtstv.ini2
C:\WINDOWS\system32\qtstv.tmp
C:\WINDOWS\system32\vtstq.dll
C:\WINDOWS\system32\cbxyawv.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\Program Files\inetget2
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\Program Files\RACLE~1

((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\pe386

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-14 ))))))))))))))))))))))))))))))))))

2007-05-14 16:17 d--------	C:\WINDOWS\system32\LogFiles
2007-05-14 16:00 d--------	C:\!KillBox
2007-05-14 15:45	95,872	--a------	C:\WINDOWS\system32\AvastSS.scr
2007-05-14 15:45	94,552	--a------	C:\WINDOWS\system32\drivers\aswmon2.sys
2007-05-14 15:45	85,952	--a------	C:\WINDOWS\system32\drivers\aswmon.sys
2007-05-14 15:45	745,600	--a------	C:\WINDOWS\system32\aswBoot.exe
2007-05-14 15:45	43,176	--a------	C:\WINDOWS\system32\drivers\aswTdi.sys
2007-05-14 15:45	26,888	--a------	C:\WINDOWS\system32\drivers\aavmker4.sys
2007-05-14 15:45	23,416	--a------	C:\WINDOWS\system32\drivers\aswRdr.sys
2007-05-13 20:29 d--------	C:\DOCUME~1\Dustin\APPLIC~1\RegistrySmart
2007-05-13 20:23 d--------	C:\DOCUME~1\Dustin\APPLIC~1\Uniblue
2007-05-13 19:55 d--------	C:\DOCUME~1\Dustin\APPLIC~1\Lavasoft
2007-05-13 18:18	0	--a------	C:\WINDOWS\system32\CMMGR32.EXE
2007-05-13 18:18	0	--a------	C:\WINDOWS\ORUN32.EXE
2007-05-13 18:15 d--------	C:\DOCUME~1\Dustin\APPLIC~1\SuperAdBlocker.com
2007-05-13 17:26 d--------	C:\Program Files\Enigma Software Group
2007-05-13 12:47	417,792	--a------	C:\WINDOWS\Nero PhotoShow.scr
2007-05-13 12:40	5,504	---------	C:\WINDOWS\system32\drivers\imagedrv.sys
2007-05-13 12:40	125,184	---------	C:\WINDOWS\system32\drivers\imagesrv.sys
2007-05-12 14:40	1,994,752	---------	C:\WINDOWS\UNNeroVision.exe
2007-05-12 14:18	155,648	--a------	C:\WINDOWS\system32\NeroCheck.exe
2007-05-12 14:18 d--------	C:\Program Files\Ahead
2007-05-12 09:25 d--------	C:\WINDOWS\system32\bak
2007-05-12 09:25 d--------	C:\WINDOWS\bak
2007-05-11 23:27 d--------	C:\Program Files\àdobe
2007-05-09 16:21 d--------	C:\DOCUME~1\Dustin\APPLIC~1\Opera
2007-05-08 17:30 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe Systems
2007-05-08 17:10 d--------	C:\Program Files\Common Files\Adobe Systems Shared
2007-05-08 15:33	356,352	--a------	C:\WINDOWS\eSellerateEngine.dll
2007-05-08 15:24 d--------	C:\Program Files\Common Files\DistributeShield
2007-04-26 18:53 d--------	C:\Program Files\Neffy
2007-04-26 18:20	180,224	--a------	C:\WINDOWS\system32\nvudisp.exe
2007-04-26 18:19	180,224	--a------	C:\WINDOWS\system32\NVUNINST.EXE
2007-04-18 22:03	24,575	--a------	C:\WINDOWS\system32\mssetwinsyspios55.dll
2007-04-18 22:02	73,728	--a------	C:\WINDOWS\system32\ltlst14N.dll
2007-04-18 22:02	57,344	--a------	C:\WINDOWS\system32\lfbmp14N.dll
2007-04-18 22:02	53,248	--a------	C:\WINDOWS\system32\zlib.dll
2007-04-18 22:02	53,248	--a------	C:\WINDOWS\system32\lttmb14N.dll
2007-04-18 22:02	487,424	--a------	C:\WINDOWS\system32\LTKRN14n.DLL
2007-04-18 22:02	303,104	--a------	C:\WINDOWS\system32\LTDIS14n.DLL
2007-04-18 22:02	274,432	--a------	C:\WINDOWS\system32\LTEFX14n.DLL
2007-04-18 22:02	180,224	--a------	C:\WINDOWS\system32\LTFIL14n.DLL
2007-04-18 22:02	1,126,400	--a------	C:\WINDOWS\system32\LTIMG14n.DLL
2007-04-16 19:00 d--------	C:\Program Files\Windows Live Safety Center
2007-04-14 22:15 d--------	C:\DOCUME~1\Dustin\.borland

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

* Rootkit driver pe386 is present. ... attempting disinfection *
 pe386 ...... driver unloaded successfully.
_ ADS removed - system32: deleted 71354 bytes in 1 streams. _

2007-05-14 06:28:34	--------	d-----w	C:\DOCUME~1\Dustin\APPLIC~1\uTorrent
2007-05-13 22:52:55	--------	d-----w	C:\Program Files\Common Files\Blizzard Entertainment
2007-05-12 16:35:05	--------	d-----w	C:\Program Files\AviSynth 2.5
2007-05-12 16:25:50	--------	d-----w	C:\Program Files\QuickTime
2007-05-12 16:25:50	--------	d-----w	C:\Program Files\Microsoft AntiSpyware
2007-05-12 16:25:47	--------	d-----w	C:\Program Files\MSN Messenger
2007-05-12 16:25:47	--------	d-----w	C:\Program Files\messenger
2007-05-12 16:25:47	--------	d-----w	C:\DOCUME~1\Dustin\APPLIC~1\Gpl Meta
2007-05-12 06:27:57	--------	d-----w	C:\Program Files\?dobe
2007-04-27 05:38:09	--------	d--h--w	C:\Program Files\InstallShield Installation Information
2007-04-27 00:00:35	14,297	-c--a-w	C:\WINDOWS\mozver.dat
2007-04-25 04:26:03	249,856	------w	C:\WINDOWS\Setup1.exe
2007-04-25 04:26:02	73,216	----a-w	C:\WINDOWS\ST6UNST.EXE
2007-04-10 22:32:12	--------	d-----w	C:\DOCUME~1\Dustin\APPLIC~1\PE Explorer
2007-04-07 22:17:46	24	-c--a-w	C:\WINDOWS\system32\kadmdc.dll
2007-04-05 20:21:04	--------	d-----w	C:\DOCUME~1\Dustin\APPLIC~1\Xfire
2007-04-02 04:22:04	--------	d-----w	C:\DOCUME~1\Dustin\APPLIC~1\Hamachi
2007-04-02 02:43:05	26,056	----a-w	C:\WINDOWS\system32\drivers\hamachi.sys
2007-04-01 20:23:11	--------	d-----w	C:\Program Files\Real
2007-03-31 09:25:43	32,768	----a-w	C:\WINDOWS\SecureWin33.exe
2007-03-31 09:25:29	45,056	----a-w	C:\WINDOWS\SecureWin32.exe
2007-03-24 19:27:04	--------	d-----w	C:\DOCUME~1\Dustin\APPLIC~1\BitTorrent
2007-03-24 17:08:42	65,536	----a-w	C:\WINDOWS\IFinst27.exe
2007-03-16 03:55:58	40,960	----a-w	C:\WINDOWS\system32\frapsvid.dll
2007-03-15 19:23:16	497,496	----a-w	C:\WINDOWS\system32\XceedZip.dll
2007-03-15 19:19:58	526,184	----a-w	C:\WINDOWS\system32\XceedCry.dll
2007-03-10 09:04:28	--------	d-----w	C:\DOCUME~1\Dustin\APPLIC~1\Leadertech
2007-03-10 08:05:01	--------	d-----w	C:\DOCUME~1\Dustin\APPLIC~1\AdobeAUM
2007-03-10 07:05:01	--------	d-----w	C:\Program Files\uTorrent
2007-03-10 06:25:36	--------	d-----w	C:\DOCUME~1\Dustin\APPLIC~1\Swigart Consulting

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 04:23]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll []

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIModeChange"="Ati2mdxx.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"ShStatEXE"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"RegistrySmart"="\"C:\\Program Files\\RegistrySmart\\RegistrySmart.exe\" -boot"
"avast!"="G:\\PROGRA~1\\AVASTA~1\\ashDisp.exe"
"Adobe Photo Downloader"="\"G:\\Program Files\\Adobe Photoshop\\3.0\\Apps\\apdproxy.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"PSPVideo9"="G:\\Program Files\\PSPVideo9\\pspVideo9.exe -t"
"SeekmoToolbar"="C:\\Program Files\\SeekmoToolbar\\Bin\\4.8.4.0\\${HOOKOE_FILE}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 16:24 C:\WINDOWS\system32\Ati2mdxx.exe])
"AGRSMMSG"="AGRSMMSG.exe" [])
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" [2003-09-29 07:10]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" []
"RegistrySmart"="C:\Program Files\RegistrySmart\RegistrySmart.exe" []
"avast!"="G:\PROGRA~1\AVASTA~1\ashDisp.exe" [2007-04-30 08:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"MSMSGS"="C:\Program Files\messenger\msmsgs.exe" [2004-08-04 01:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"MSMSGS"="\"C:\\Program Files\\messenger\\msmsgs.exe\" /background"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\AutorunsDisabled]
"BitTorrent"="\"G:\\Program Files\\bittorrent.exe\" --force_start_minimized"
"DefaultBind"="C:\\DOCUME~1\\Dustin\\APPLIC~1\\GPLMET~1\\nurb fast bin.exe"
"Free Download Manager"="D:\\Free Download Manager\\fdm.exe -autorun"
"Ozdgze"="\"C:\\Program Files\\?dobe\\nslookup.exe\""
"PhotoShow Deluxe Media Manager"="C:\\PROGRA~1\\Ahead\\Ahead\\data\\Xtras\\mssysmgr.exe"
"Yahoo! Pager"="\"D:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [2005-02-10 22:32]

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages	msv1_0\0\0
Security Packages	kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages	scecli\0\0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService	Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	DnsCache\0\0
rpcss	RpcSs\0\0
imgsvc	StiSvc\0\0
termsvcs	TermService\0\0
HTTPFilter	HTTPFilter\0\0
DcomLaunch	DcomLaunch\0TermService\0\0

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost

~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070514-160251-483 
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
backup-20070514-160251-607 
O4 - HKCU\..\Run: [Iinl] "C:\PROGRA~1\RACLE~1\mmc.exe" -vt ndrv
backup-20070514-160251-730 
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
backup-20070514-160251-493 
O4 - HKLM\..\Run: [SManager] smanager.7.exe
backup-20070514-160251-335 
O4 - HKLM\..\Run: [WindowsUpdate] rundll32.exe "C:\WINDOWS\system32\cuqwqcmh.dll",realset
backup-20070514-160251-576 
O4 - HKLM\..\Run: [Secure] C:\WINDOWS\WindowsUpdates.exe

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\B1E548EA977AFFFA.job
C:\WINDOWS\tasks\Registration reminder 1.job
C:\WINDOWS\tasks\Registration reminder 3.job
C:\WINDOWS\tasks\RegistrySmart Scheduled Scan.job
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\Uniblue SpyEraser Nag.job
C:\WINDOWS\tasks\Uniblue SpyEraser.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-14 16:29:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 2007-05-14 16:30:48 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-14 16:30

________________________________________________________________

Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 4:33:57 PM, on 5/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
G:\Program Files\Avast Anti-virus\aswUpdSv.exe
G:\Program Files\Avast Anti-virus\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
G:\Program Files\Apache HTTP Server\bin\httpd.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
G:\Program Files\Apache HTTP Server\bin\httpd.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
G:\PROGRA~1\AVASTA~1\ashDisp.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\messenger\msmsgs.exe
G:\Program Files\Apache HTTP Server\bin\ApacheMonitor.exe
C:\Program Files\NETGEAR\WG121 Configuration Utility\wlancfg8.exe
C:\WINDOWS\explorer.exe
G:\Program Files\Avast Anti-virus\ashMaiSv.exe
G:\Program Files\Avast Anti-virus\ashWebSv.exe
C:\WINDOWS\System32\imapi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
G:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr7/*http://www.yahoo.com/ext/search/search.html
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.dragonballz.com/"); (C:\Documents and Settings\Dustin\Application Data\Mozilla\Profiles\default\57ihib45.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src"); (C:\Documents and Settings\Dustin\Application Data\Mozilla\Profiles\default\57ihib45.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [RegistrySmart] "C:\Program Files\RegistrySmart\RegistrySmart.exe" -boot
O4 - HKLM\..\Run: [avast!] G:\PROGRA~1\AVASTA~1\ashDisp.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Monitor Apache Servers.lnk = G:\Program Files\Apache HTTP Server\bin\ApacheMonitor.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://disteng.nefficient.com/disteng/neffy/NeffyLauncher.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) - 
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zan...ffce0e0ba0a8:7b1601be9f83b906d9b1a279c57bb948
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: 
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - G:\Program Files\Apache HTTP Server\bin\httpd.exe" -k runservice (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - G:\Program Files\Avast Anti-virus\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - G:\Program Files\Avast Anti-virus\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - G:\Program Files\Avast Anti-virus\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - G:\Program Files\Avast Anti-virus\ashWebSv.exe" /service (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe


----------
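Editor's note (added example, not part of the original thread): the O16 and O23 lines of the log above are the ones an analyst would triage first. The Python script below is not the poster's or the helper's code; it applies three checks to a constructed copy of a few of those lines: an O16 ActiveX control with no download URL left behind, an O16 CAB served from a host on a constructed, illustrative adware watchlist (the entry for zangocash.com reflects Zango/180solutions adware), and an O23 service reported with "Unknown owner" or "(file missing)". The "(file missing)" heuristic is my interpretation of a HijackThis 1.99.1 quirk: a service whose ImagePath is a quoted path followed by arguments is printed with the opening quote stripped, so the stray `"` before `-k runservice` or `/service` usually means HijackThis looked for a file literally named `httpd.exe" -k runservice`, not that the binary is gone. Confirm on disk before deleting any such service.

```python
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log in this thread plus
# one clean O23 entry, so the triage rules can be exercised offline.
SAMPLE_LOG = r"""
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim_v4.cab
O16 - DPF: {CAFEEFAC-0014-0001-0002-ABCDEFFEDCBA} (Java Runtime Environment 1.4.1) -
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} (SAIX) - http://static.zangocash.com/cab/Zan...ffce0e0ba0a8:7b1601be9f83b906d9b1a279c57bb948
O23 - Service: Apache2 - Unknown owner - G:\Program Files\Apache HTTP Server\bin\httpd.exe" -k runservice (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - G:\Program Files\Avast Anti-virus\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - G:\Program Files\Avast Anti-virus\ashMaiSv.exe" /service (file missing)
"""

# Constructed watchlist for this example only; real triage would use a
# maintained blocklist. Subdomains of a listed host are matched too.
ADWARE_HOSTS = {"zangocash.com"}

# O16 - DPF: {GUID} (Friendly name) - <download URL, possibly empty>
O16_RE = re.compile(r"^O16 - DPF: (\{[0-9A-Fa-f-]+\}) \((.*?)\) -\s*(.*)$")
# O23 - Service: <display name> - <publisher or "Unknown owner"> - <path>
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.*)$")
# A leftover closing quote between the .exe and its arguments is the sign of
# a quoted ImagePath with arguments that HijackThis 1.99.1 mis-parsed.
QUOTED_ARGS_RE = re.compile(r'\.exe" +\S')


def host_of(url):
    """Hostname of a URL, or '' if it cannot be parsed."""
    return urlparse(url).hostname or ""


def on_watchlist(host):
    return any(host == h or host.endswith("." + h) for h in ADWARE_HOSTS)


def triage_o16(guid, name, url):
    reasons = []
    url = url.strip()
    if not url:
        reasons.append("no download URL (orphaned ActiveX registration)")
    elif on_watchlist(host_of(url)):
        reasons.append("CAB served from adware watchlist host %s" % host_of(url))
    return reasons


def triage_o23(name, owner, path):
    reasons = []
    if owner == "Unknown owner":
        reasons.append("no publisher in version info")
    if "(file missing)" in path:
        if QUOTED_ARGS_RE.search(path):
            reasons.append("'file missing' is probably a HijackThis parse artifact "
                           "(quoted ImagePath with arguments); verify the binary on disk")
        else:
            reasons.append("service binary missing on disk")
    return reasons


def triage(log_text):
    """Return a list of {'section', 'name', 'reasons'} for every O16/O23 line
    that trips at least one rule, in the order the lines appear."""
    findings = []
    for line in log_text.splitlines():
        m = O16_RE.match(line)
        if m:
            guid, name, url = m.groups()
            reasons = triage_o16(guid, name, url)
            if reasons:
                findings.append({"section": "O16", "name": name, "reasons": reasons})
            continue
        m = O23_RE.match(line)
        if m:
            name, owner, path = m.groups()
            reasons = triage_o23(name, owner, path)
            if reasons:
                findings.append({"section": "O23", "name": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("%s  %s" % (f["section"], f["name"]))
        for r in f["reasons"]:
            print("      - " + r)
```

Run against the sample, the script flags the orphaned Java 1.4.1 control, the Zango CAB, and both services that HijackThis could not resolve, while leaving the acclaim.com launcher and the avast! Antivirus service alone. The two "file missing" hits are reported as probable parse artifacts rather than as evidence of infection, which is the distinction the helper would make before telling anyone to fix them.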



## skate4lifee (May 14, 2007)

I am pretty confident that the virus is gone, but I need your word. Thank you so much for all your help =D


----------



## skate4lifee (May 14, 2007)

Sorry to bump my thread, but could you confirm if my computer is now clean?


----------



## cybertech (Apr 16, 2002)

Sorry for the delay, I am not getting all of the replies to threads! 

Please download *ATF Cleaner* by Atribune. 
*This program is for XP and Windows 2000 only*
 
Double-click *ATF-Cleaner.exe* to run the program. 
Under *Main* choose: *Select All* 
Click the *Empty Selected* button.

*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt. 
Click *Exit* on the Main menu to close the program. 
For *Technical Support*, double-click the e-mail address located at the bottom of each menu.

*Download and scan with* *SUPERAntiSpyware* Free for Home Users
Double-click *SUPERAntiSpyware.exe* and use the default settings for installation. 
An icon will be created on your desktop. Double-click that icon to launch the program. 
If asked to update the program definitions, click "*Yes*". If not, update the definitions before scanning by selecting "*Check for Updates*". (_If you encounter any problems while downloading the updates, manually download and unzip them from here._) 
Under "*Configuration and Preferences*", click the *Preferences* button. 
Click the *Scanning Control* tab. 
Under *Scanner Options* make sure the following are checked _(leave all others unchecked)_:
_Close browsers before scanning._ 
_Scan for tracking cookies._ 
_Terminate memory threats before quarantining._

Click the "*Close*" button to leave the control center screen. 
Back on the main screen, under "*Scan for Harmful Software*" click *Scan your computer*. 
On the left, make sure you check *C:\Fixed Drive*. 
On the right, under "*Complete Scan*", choose *Perform Complete Scan*. 
Click "*Next*" to start the scan. Please be patient while it scans your computer. 
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "*OK*". 
Make sure everything has a checkmark next to it and click "*Next*". 
A notification will appear that "_Quarantine and Removal is Complete_". Click "*OK*" and then click the "*Finish*" button to return to the main menu. 
If asked if you want to reboot, click "*Yes*". 
To retrieve the removal information after reboot, launch SUPERAntispyware again.
_Click *Preferences*, then click the *Statistics/Logs* tab._ 
_Under Scanner Logs, double-click *SUPERAntiSpyware Scan Log*._ 
_If there are several logs, click the current dated log and press *View log*. A text file will open in your default text editor._ 
_Please copy and paste the Scan Log results in your next reply *with a new hijackthis log*._

Click *Close* to exit the program.


----------



## skate4lifee (May 14, 2007)

I also discovered a new dial-up connection that I have never seen, and the name was really weird. I was wondering if you could help me fix that too. Here is a picture:


----------



## skate4lifee (May 14, 2007)

The scan takes a long time =/


----------



## cybertech (Apr 16, 2002)

Yes, the scan can take a while, and I suggest you quit using the machine, as it will keep scanning your temporary files if you don't.

I can't say where it came from, but I would just delete/remove it.


----------



## skate4lifee (May 14, 2007)

So you're saying that even if I shut down my computer it will continue to scan?

Yeah, I was trying to find the source of the dial-up connection, and SUPERAntiSpyware found a program "Dialer.Dial/Gen Variant", so I think that's what the program is. Once the scan is complete and I remove all the viruses that the scan mentioned, I will make sure to check if it is still there, and if it is I'll just delete it myself.


----------



## skate4lifee (May 14, 2007)

My McAfee anti-virus found a program called Keylog-Ardamax.dll, which was in C:\WINDOWS\system32\Sys32\UNGF.007, and it was unable to do anything to it (clean, delete, move etc.).


----------



## skate4lifee (May 14, 2007)

Well, there is a problem =/ SUPERAntiSpyware stopped scanning. It says it is running, but it isn't scanning anymore, and my computer starts running slow randomly while it has been scanning =/ Any suggestions? You said earlier to turn off my computer, I think, but I'm not sure. I would like an update on the situation if you don't mind. Thank you.


----------



## skate4lifee (May 14, 2007)

I stopped the first scan, but it did all of the C drive; it just didn't finish scanning the D drive. I found some new stuff on the D drive, but I was confused because some of the stuff that was scanned before, and which it said was deleted right before I did the second scan, reappeared on the second scan, so I'm confused. All that is left is 6 adwares. It is still scanning, but it's almost done.


----------



## cybertech (Apr 16, 2002)

Download GMER from http://majorgeeks.com/download.php?det=5198, save it somewhere on your hard drive and unzip it to the desktop.

Double-click gmer.exe to run it, select the Rootkit tab, press Scan, and when it has finished press Save and copy the log back here please.


----------



## skate4lifee (May 14, 2007)

The link was not working, so I just Googled it and downloaded it from MajorGeeks.


----------



## skate4lifee (May 14, 2007)

GMER 1.0.12.12244 - http://www.gmer.net
Rootkit scan 2007-05-16 16:02:12
Windows 5.1.2600 Service Pack 2

---- Kernel code sections - GMER 1.0.12 ----

? C:\WINDOWS\System32\DRIVERS\update.sys

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\MSN Messenger\msnmsgr.exe[184] kernel32.dll!SetUnhandledExceptionFilter 7C810386 5 Bytes JMP 004DE392 C:\Program Files\MSN Messenger\MsnMsgr.Exe

---- EOF - GMER 1.0.12 ----


----------



## skate4lifee (May 14, 2007)

My website, run by Apache, doesn't load now =/


----------

