# Solved: Please help me.......Win32 Sality



## slugger (Aug 3, 2006)

Hello

I have a problem with my pc. Every time I boot the pc i get the message that wmimgr32.dll is infected by Win32 Sality, that I then move into the container (with Avast).

I have gone through the whole procedure described in:

http://forums.techguy.org/security/485332-plz-help-rid-win32-sality.html

but I still get the message on every reboot.

I´d be very thankful if you could help me...

my hijack log is:

Logfile of HijackThis v1.99.1
Scan saved at 02:30:37, on 03.08.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\TBPanel.exe
C:\Programme\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Programme\ewido anti-spyware 4.0\ewido.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\Programme\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\DOKUME~1\zulu\LOKALE~1\Temp\Rar$EX00.891\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programme\Java\jre1.5.0_07\bin\ssv.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Gainward] C:\WINDOWS\TBPanel.exe /A
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programme\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programme\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Programme\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Programme\Gemeinsame Dateien\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Konsole - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programme\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programme\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Programme\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2AF5BD25-90C5-4EEC-88C5-B44DC2905D8B} (Steuerung des DownloadManager ) - http://dlmanager.akamaitools.com.edg...ex-2.0.5.1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1145659032561
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Programme\Gemeinsame Dateien\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Programme\ewido anti-spyware 4.0\guard.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Programme\Gemeinsame Dateien\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe


----------



## Cheeseball81 (Mar 3, 2004)

Hi and welcome 

* *Click here* to download *Webroot SpySweeper*.

(It's a 2 week trial.)

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.

Also post a new Hijack This log.


----------



## slugger (Aug 3, 2006)

Hi and thank you very much for your answer.

I have run Spybot twice but I still get the message on every reboot.

14:46: None
14:46: Traces Found: 0
14:46: Full Sweep has completed. Elapsed time 00:24:13
14:46: File Sweep Complete, Elapsed Time: 00:23:15
14:29: Warning: Failed to open file "c:\windows\temp\_avast4_\webshlock.txt". Der Vorgang wurde erfolgreich beendet
14:23: Starting File Sweep
14:23: Cookie Sweep Complete, Elapsed Time: 00:00:00
14:23: Starting Cookie Sweep
14:23: Registry Sweep Complete, Elapsed Time:00:00:56
14:22: Memory Sweep Complete, Elapsed Time: 00:00:00
14:22: Starting Registry Sweep
14:22: Starting Memory Sweep
14:22: Sweep initiated using definitions version 732
14:22: Spy Sweeper 5.0.5.1286 started
14:22: | Start of Session, Donnerstag, 3. August 2006

hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 19:03:52, on 03.08.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe
C:\Programme\Alwil Software\Avast4\ashMaiSv.exe
C:\Programme\Alwil Software\Avast4\ashWebSv.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Dokumente und Einstellungen\zulu\Desktop\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: Webroot Spy Sweeper-Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Programme\Webroot\Spy Sweeper\SpySweeper.exe


----------



## Cheeseball81 (Mar 3, 2004)

Run *ActiveScan* online virus scan:
http://www.pandasoftware.com/products/activescan.htm

Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your Country.
Enter your State/Province.
Enter your e-mail address and click send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component allow it.
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan.
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. 
Post the contents of the ActiveScan report.


----------



## slugger (Aug 3, 2006)

when I try to download the panda software, avast tells me it´s infected too. should i execute this anyway?


----------



## Cheeseball81 (Mar 3, 2004)

Yes. That's a false positive from Avast


----------



## slugger (Aug 3, 2006)

Hi

The report of the Scan:

Incident Status Location

Spyware:Cookie/Falkag Not disinfected C:\Dokumente und Einstellungen\zulu\Cookies\[email protected][2].txt 
Spyware:Cookie/WebtrendsLive Not disinfected C:\Dokumente und Einstellungen\zulu\Cookies\[email protected][1].txt 
Virus:W32/Sality.O Disinfected C:\Dokumente und Einstellungen\zulu\Desktop\bf\BF2VoiceSetup.exe 
Virus:W32/Sality.O Disinfected C:\Dokumente und Einstellungen\zulu\Desktop\bf\BF2VoipServer_w32ded.exe 
Virus:W32/Sality.O Disinfected C:\Dokumente und Einstellungen\zulu\Desktop\DllCompare.exe 
Potentially unwanted tool:Application/Processor Not disinfected C:\Dokumente und Einstellungen\zulu\Desktop\SmitfraudFix.zip[SmitfraudFix/Process.exe] 
Virus:W32/Sality.O Disinfected C:\Dokumente und Einstellungen\zulu\Lokale Einstellungen\Temp\Set44.tmp

after deleting the cookies the scan cant find anything anymore.....


----------



## Cheeseball81 (Mar 3, 2004)

Looks like Panda disinfected the items found


----------



## slugger (Aug 3, 2006)

I have uninstalled the programs witch caused alerts when I opened them. The PC seems to lag a bit but I hope that I can solve that. 

thank you very much for your time and help


----------



## Cheeseball81 (Mar 3, 2004)

You're welcome :up:


----------



## slugger (Aug 3, 2006)

and please change your ´Experience´ to ´Einstein´


----------



## slugger (Aug 3, 2006)

Damn...

for some reason when I reinstalled windows messenger it gives me a sality alert every time I open it.

C:\WINDOWS\system32\wmimgr32.dl_

Win32:Sality-T-Unk

0631-2, 02.08.2006

panda scan cant find anything anymore


It´s always that wmimgr file.... How can I stop this...


----------



## Cheeseball81 (Mar 3, 2004)

Please *download* the *Killbox by Option^Explicit*.

*Note*:* In the event you already have Killbox, this is a new version that I need you to download*.

 *Save* it to your *desktop*.
 Please double-click *Killbox.exe* to run it.
 Select:
*Delete on Reboot*
 then *Click* on the *All Files* button.

Please *copy the file paths below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy):

*C:\WINDOWS\system32\wmimgr32.dll*

 Return to Killbox, go to the *File* menu, and choose *Paste from Clipboard*.

Click the red-and-white *Delete File* button. Click *Yes* at the Delete on Reboot prompt. Click *OK* at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

_*If your computer does not restart automatically, please restart it manually*_.

_If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again._


----------



## slugger (Aug 3, 2006)

Hello, o captain my captain 

I can delete it normaly, but when i open messenger...bam its infected again. It´s alway the C:\WINDOWS\system32\wmimgr32.dl_ and the C:\WINDOWS\system32\wmimgr32.dll file. I have tried deleting both of them....but they come back.


----------



## Cheeseball81 (Mar 3, 2004)

Download *WinPFind*
*Right Click* the Zip Folder and Select "*Extract All*"
Extract it somewhere you will remember like the *Desktop*
Dont do anything with it yet!

*Click here* for info on how to boot to safe mode if you don't already know how.

Reboot into Safe Mode.

Double click *WinPFind.exe*
Click "*Start Scan*"
*It will scan the entire System, so please be patient and let it complete.*

Reboot back to Normal Mode!


Go to the *WinPFind folder*
Locate *WinPFind.txt*
Copy and paste WinPFind.txt in your next post here please.


----------



## slugger (Aug 3, 2006)

Hi

here is the log:

»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...
UPX! 27.07.2006 18:19:10 65536 C:\WINDOWS\IFinst27.exe

Checking %System% folder...
UPX! 31.05.2006 11:02:04 624640 C:\WINDOWS\SYSTEM32\aswBoot.exe
aspack 18.03.2005 17:19:58 2337488 C:\WINDOWS\SYSTEM32\d3dx9_25.dll
aspack 22.07.2005 19:59:04 2319568 C:\WINDOWS\SYSTEM32\d3dx9_27.dll
aspack 05.12.2005 18:09:18 2323664 C:\WINDOWS\SYSTEM32\d3dx9_28.dll
PEC2 18.08.2001 14:00:00 41118 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 19.06.2006 16:19:42 571184 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
aspack 07.07.2006 03:21:46 6757792 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 04.08.2004 09:57:08 733696 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 04.08.2004 09:57:32 686592 C:\WINDOWS\SYSTEM32\rasdlg.dll
UPX! 27.04.2006 17:49:30 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe
UPX! 09.01.2006 10:36:04 42496 C:\WINDOWS\SYSTEM32\swreg.exe
UPX! 09.01.2006 10:36:06 40960 C:\WINDOWS\SYSTEM32\swsc.exe
winsync 18.08.2001 14:00:00 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
PTech 19.06.2006 16:19:26 304944 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
PTech 04.08.2004 07:41:38 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts

Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
05.08.2006 16:08:50 S 2048 C:\WINDOWS\bootstat.dat
26.06.2006 21:32:56 HS 61 C:\WINDOWS\cnerolf.dat
05.08.2006 03:00:20 H 0 C:\WINDOWS\LastGood\INF\oem7.inf
05.08.2006 03:00:20 H 0 C:\WINDOWS\LastGood\INF\oem7.PNF
04.08.2006 13:21:10 H 18666 C:\WINDOWS\system32\wmimgr32.dl_
08.06.2006 04:12:18 S 29771 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\oem3.CAT
19.06.2006 16:20:58 S 7160 C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
05.08.2006 16:08:44 H 8192 C:\WINDOWS\system32\config\default.LOG
29.06.2006 16:41:46 H 0 C:\WINDOWS\system32\config\default_TU_59979.LOG
28.07.2006 05:13:18 H 0 C:\WINDOWS\system32\config\default_TU_77883.LOG
05.08.2006 16:10:22 H 1024 C:\WINDOWS\system32\config\SAM.LOG
28.07.2006 05:13:18 H 0 C:\WINDOWS\system32\config\SAM_TU_79273.LOG
29.06.2006 16:41:46 H 0 C:\WINDOWS\system32\config\SAM_TU_88343.LOG
05.08.2006 16:08:52 H 20480 C:\WINDOWS\system32\config\SECURITY.LOG
28.07.2006 05:13:14 H 0 C:\WINDOWS\system32\config\SECURITY_TU_74642.LOG
29.06.2006 16:41:44 H 0 C:\WINDOWS\system32\config\SECURITY_TU_77750.LOG
05.08.2006 16:08:54 H 65536 C:\WINDOWS\system32\config\software.LOG
28.07.2006 05:13:16 H 0 C:\WINDOWS\system32\config\software_TU_58877.LOG
29.06.2006 16:41:44 H 0 C:\WINDOWS\system32\config\software_TU_75254.LOG
05.08.2006 16:07:40 H 1024 C:\WINDOWS\system32\config\system.LOG
28.07.2006 05:13:18 H 0 C:\WINDOWS\system32\config\system_TU_10384.LOG
29.06.2006 16:41:46 H 0 C:\WINDOWS\system32\config\system_TU_41176.LOG
03.08.2006 18:03:46 H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
14.07.2006 03:00:52 S 558 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\Content\A44F4E7CB3133FF765C39A53AD8FCFDD
14.07.2006 03:00:52 S 146 C:\WINDOWS\system32\config\systemprofile\Anwendungsdaten\Microsoft\CryptnetUrlCache\MetaData\A44F4E7CB3133FF765C39A53AD8FCFDD
21.07.2006 10:45:34 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\b87ec709-daf2-4f51-8acc-91ca48960aab
21.07.2006 10:45:34 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
21.07.2006 10:44:24 HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\08988270-ca01-47bb-9dd7-d05c4a917be3
21.07.2006 10:44:30 HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\User\Preferred
05.08.2006 16:07:36 H 6 C:\WINDOWS\Tasks\SA.DAT

Checking for CPL files...
Microsoft Corporation 04.08.2004 09:58:22 70656 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 04.08.2004 09:58:22 555008 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 04.08.2004 09:58:22 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 04.08.2004 09:58:22 138240 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 04.08.2004 09:58:22 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 04.08.2004 09:58:22 157184 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Ahead Software AG 22.07.2003 16:29:22 57344 C:\WINDOWS\SYSTEM32\ImageDrive.cpl
Microsoft Corporation 04.08.2004 09:58:22 359424 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 04.08.2004 09:58:22 133120 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 04.08.2004 09:58:22 381440 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 04.08.2004 09:58:22 69632 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 18.08.2001 14:00:00 189440 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 04.08.2004 09:58:22 625152 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 18.08.2001 14:00:00 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 04.08.2004 09:58:22 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 04.08.2004 09:58:22 260096 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
NVIDIA Corporation 01.06.2006 17:22:00 69632  C:\WINDOWS\SYSTEM32\nvcpl.cpl
01.06.2006 17:22:00 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 18.08.2001 14:00:00 38400 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 04.08.2004 09:58:22 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 04.08.2004 09:58:22 117248 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 04.08.2004 09:58:22 303104 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 18.08.2001 14:00:00 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 04.08.2004 09:58:22 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 04.08.2004 09:58:22 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 26.05.2005 04:16:22 174872 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 04.08.2004 09:58:22 70656 C:\WINDOWS\SYSTEM32\dllcache\access.cpl
Microsoft Corporation 04.08.2004 09:58:22 555008 C:\WINDOWS\SYSTEM32\dllcache\appwiz.cpl
Microsoft Corporation 04.08.2004 09:58:22 110592 C:\WINDOWS\SYSTEM32\dllcache\bthprops.cpl
Microsoft Corporation 04.08.2004 09:58:22 138240 C:\WINDOWS\SYSTEM32\dllcache\desk.cpl
Microsoft Corporation 04.08.2004 09:58:22 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 04.08.2004 09:58:22 157184 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 04.08.2004 09:58:22 359424 C:\WINDOWS\SYSTEM32\dllcache\inetcpl.cpl
Microsoft Corporation 04.08.2004 09:58:22 133120 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 04.08.2004 09:58:22 381440 C:\WINDOWS\SYSTEM32\dllcache\irprops.cpl
Microsoft Corporation 04.08.2004 09:58:22 69632 C:\WINDOWS\SYSTEM32\dllcache\joy.cpl
Microsoft Corporation 18.08.2001 14:00:00 189440 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 04.08.2004 09:58:22 625152 C:\WINDOWS\SYSTEM32\dllcache\mmsys.cpl
Microsoft Corporation 18.08.2001 14:00:00 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 04.08.2004 09:58:22 25600 C:\WINDOWS\SYSTEM32\dllcache\netsetup.cpl
Microsoft Corporation 04.08.2004 09:58:22 260096 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 18.08.2001 14:00:00 38400 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 04.08.2004 09:58:22 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 04.08.2004 09:58:22 117248 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 04.08.2004 09:58:22 159744 C:\WINDOWS\SYSTEM32\dllcache\sapi.cpl
Microsoft Corporation 04.08.2004 09:58:22 303104 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 18.08.2001 14:00:00 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 04.08.2004 09:58:22 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 04.08.2004 09:58:22 148480 C:\WINDOWS\SYSTEM32\dllcache\wscui.cpl
Microsoft Corporation 26.05.2005 04:16:22 174872 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl

»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»

Checking files in %ALLUSERSPROFILE%\Startup folder...
21.04.2006 22:42:40 HS 84 C:\Dokumente und Einstellungen\All Users\Startmenü\Programme\Autostart\desktop.ini

Checking files in %ALLUSERSPROFILE%\Application Data folder...
21.04.2006 23:36:46 HS 62 C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\desktop.ini

Checking files in %USERPROFILE%\Startup folder...
21.04.2006 22:42:40 HS 84 C:\Dokumente und Einstellungen\zulu\Startmenü\Programme\Autostart\desktop.ini

Checking files in %USERPROFILE%\Application Data folder...
21.04.2006 23:36:46 HS 62 C:\Dokumente und Einstellungen\zulu\Anwendungsdaten\desktop.ini

»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programme\Alwil Software\Avast4\ashShell.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\PowerISO
{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Programme\PowerISO\PWRISOSH.DLL
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\TuneUp Shredder
{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0} = "C:\Programme\TuneUp Utilities 2006\sdshelex.dll"
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\avast
{472083B0-C522-11CF-8763-00608CC02F24} = C:\Programme\Alwil Software\Avast4\ashShell.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\PowerISO
{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Programme\PowerISO\PWRISOSH.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\SpySweeper
{7C9D5882-CB4A-4090-96C8-430BFE8B795B} = 
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\PowerISO
{967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = C:\Programme\PowerISO\PWRISOSH.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\TuneUp Shredder
{00DF1F20-0849-A4D1-0239-00D0AF3E9CB0} = "C:\Programme\TuneUp Utilities 2006\sdshelex.dll"
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Programme\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tipps und Tricks = %SystemRoot%\System32\shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse	: %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Adresse	: %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links	: %SystemRoot%\system32\SHELL32.dll
{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} = : 
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
avast!	C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
NvCplDaemon	"RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
NvMediaCenter	"RunDLL32.exe" NvMCTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\CTFMON.EXE
key	SOFTWARE\Microsoft\Windows\CurrentVersion\Run
item	ctfmon
hkey	HKCU
command	C:\WINDOWS\system32\ctfmon.exe
inimapping	0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini	0
win.ini	0
bootini	0
services	0
startup	2

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID
{17492023-C23A-453E-A040-C7C580BBF700}	1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\GEMEIN~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername	0
legalnoticecaption	
legalnoticetext	
shutdownwithoutlogon	1
undockwithoutlogon	1

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun	145

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System
DisableRegistryTools	0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit	= C:\WINDOWS\system32\userinit.exe,
Shell = Explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
=

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs

»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1	- Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 05.08.2006 16:15:58


----------



## Cheeseball81 (Mar 3, 2004)

Go to the forum here: http://www.thespykiller.co.uk/forum/index.php?board=1.0 
Upload this (these) file(s):

*C:\WINDOWS\IFinst27.exe
C:\WINDOWS\system32\wmimgr32.dll*

Here are the directions for uploading the file:

Just click "New Topic", fill in the needed details and post a link to your thread here. Click the "Browse" button. Navigate to the file on your computer. When the file is listed in the window click "Post" to upload the file.


----------



## slugger (Aug 3, 2006)

Hello

Ok, I´ve uploaded the files...the problem is still the same though, and now pandascan is finding other files that cant be desinfected.

Panda Log:

Virus:W32/Sality.Q Not disinfected C:\!KillBox\wmimgr32.dl_[C:\!KillBox\wmimgr32.dl_] 
Virus:W32/Sality.Q Not disinfected C:\RECYCLER\S-1-5-21-1482476501-117609710-725345543-1003\Dc11.dl_[C:\RECYCLER\S-1-5-21-1482476501-117609710-725345543-1003\Dc11.dl_] 
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

hijack log:

Logfile of HijackThis v1.99.1
Scan saved at 13:37:55, on 08.08.2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
C:\Programme\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\Programme\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Dokumente und Einstellungen\zulu\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Programme\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RunDLL32.exe" NvMCTray.dll,NvTaskbarInit
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Programme\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Programme\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programme\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Programme\TuneUp Utilities 2006\WinStylerThemeSvc.exe

I have deleted the files and deactivated the system recovery...since then I´m not getting the alerts about the wmimgr file anymore...was this a good idea?


----------



## Cheeseball81 (Mar 3, 2004)

Anything in the folder C:\!KillBox is nothing to worry about.
Also empty the Recycle Bin.

Things are running better now?


----------



## slugger (Aug 3, 2006)

yea things are better now..yet not the same as before these alerts started.

where is the recycle bin located? Is it the same as the ´normal´ Bin?


----------



## Cheeseball81 (Mar 3, 2004)

Yes


----------



## slugger (Aug 3, 2006)

Ok I´ve done that. 

btw avast is telling me that it cant scan some (zip)files because they are decompression bombs...are these always malicious? should I delete them?


----------



## Cheeseball81 (Mar 3, 2004)

Which files are they? They are usually bad


----------



## slugger (Aug 3, 2006)

downloaded (emule) flight sim stuff ....WinRar files


----------



## Cheeseball81 (Mar 3, 2004)

Downloaded from eMule, yeah I would delete them


----------



## slugger (Aug 3, 2006)

OK 

pandascan is still finding this file:

Incident Status Location  

Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe 


can I delete this file?


----------



## Cheeseball81 (Mar 3, 2004)

It's part of SmitfraudFix. It's harmless.


----------



## slugger (Aug 3, 2006)

ok I hope the problem is solved now....

again thank you very, very much for your help

btw if u should ever have any questions about medical issues, please feel free to contact me. (I´ m a doc)

[email protected]


----------



## Cheeseball81 (Mar 3, 2004)

You're welcome


----------



## slugger (Aug 3, 2006)

sorry it´s me again  

Just a lil´ question. I assume the file C:\WINDOWS\system32\ActiveScan\pskavs.dll (infected by Win32:CTX) is part of pandscan and harmless. 

Is this correct?


----------



## Cheeseball81 (Mar 3, 2004)

Yes


----------



## slugger (Aug 3, 2006)

cool. thank you:up:


----------



## Cheeseball81 (Mar 3, 2004)

Welcome :up:


----------



## Flrman1 (Jul 26, 2002)

Since this problem has been solved, I'm closing this thread. If you need it reopened please PM me or one of the other mods.

Anyone else with a similar problem please start a "New Thread".


----------

