I was cleaning out my computer and found the archives for my MSN Messenger conversations and got curious, so I double clicked on one of the icons and I got an error message. I forgot what the message said, but it was right after Internet Explorer opened that a new program, WinAntivirus Pro ver. 3.8, appeared and started scanning my computer.

I've removed it from my programs list and I've deleted any files I've seen related to this, but it keeps popping up and bothering me.

I searched on Google.com and noticed all the people who'd had this problem and posted it got a response similar to "scan with HijackThis and post the log here".
That's pretty straightforward, but that also means I'd have to post on someone else's thread. That's not too bad, but none of these are recent, and they've been resolved, so the people helping wouldn't even think someone else was having the same issue.

So here I am, starting my own thread, asking for help. Please help me get rid of WinAntivirus Pro ver. 3.8.

Welcome,



* Please download Malwarebytes' Anti-Malware from HERE or HERE

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and zLaunch Malwarebytes Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Quick Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire report in your next reply along with a fresh HijackThis log.


Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


New hijackthis log please

Sorry for the delay, thanks for the help! Here's my MBAM log thing:

Malwarebytes' Anti-Malware 1.14
Database version: 811
3:03:29 PM 5/31/2008
mbam-log-5-31-2008 (15-03-29).txt

Scan type: Quick Scan
Objects scanned: 43466
Time elapsed: 42 minute(s), 26 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 4
Registry Keys Infected: 83
Registry Values Infected: 9
Registry Data Items Infected: 0
Folders Infected: 27
Files Infected: 120

Memory Processes Infected:
C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe (Rogue.WinAntivirus) -> Unloaded process successfully.
C:\Documents and Settings\Stephanie\cftmon.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\Program Files\Zango\bin\10.3.65.0\ZangoSAAX.dll (Adware.180Solutions) -> Unloaded module successfully.
C:\Program Files\Zango\bin\10.3.65.0\firefox\extensions\plugi ns\npclntax_ZangoSA.dll (Adware.180Solutions) -> Unloaded module successfully.
C:\WINDOWS\system32\__c00EC41C.dat (Trojan.Agent) -> Unloaded module successfully.
C:\WINDOWS\system32\baseweh32.dll (Trojan.Downloader) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{ff64059d-4d2a-4d6b-aa0f-2ee4a2fe3856} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{12b2c1c8-646a-43db-8557-e25edecbc411} (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.lfgax (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.lfgax.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{eddbb5ee-bb64-4bfc-9dbe-e7c85941335b} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{14113b47-d59c-4f0f-9d10-ff1730265584} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a9c42a57-421c-4572-8b12-249c59183d1c} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2d00aa2a-69ef-487a-8a40-b3e27f07c91e} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{86c5840b-80c4-4c30-a655-37344a542009} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2aa2fbf8-9c76-4e97-a226-25c5f4ab6358} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{2aa2fbf8-9c76-4e97-a226-25c5f4ab6358} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{2aa2fbf8-9c76-4e97-a226-25c5f4ab6358} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{71f731b3-008b-4052-9ea4-4145acce40c3} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a5b6fa30-d317-41ca-9cb1-c898d3c7f34e} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cc19a5f2-b4ad-41d5-a5c9-0680904c1483} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{62906e60-bce2-4e1b-9ed0-8b9042ee15e4} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f9bfa98d-9935-4ea4-a05a-72c7f0778f02} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{69725738-cd68-4f36-8d02-8c43722ee5da} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Ext\PreApproved\{69725738-cd68-4f36-8d02-8c43722ee5da} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3788e535-897b-463d-b6d6-fee5b86ec144} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Ext\PreApproved\{3788e535-897b-463d-b6d6-fee5b86ec144} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d3f940ea-4e87-423b-9091-934e1e4fceae} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Ext\PreApproved\{d3f940ea-4e87-423b-9091-934e1e4fceae} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Uninstall\shoppingreport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\__c00ec41c (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\s chedule (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\s chedule (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\schedule (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\AdBand.DLL (Trojan.Adware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Zango (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.toolbarctl (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.toolbarctl.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.htmlmenuui (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\toolbar.htmlmenuui.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\srv.coreservices (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\srv.coreservices.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.webmailsend (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.webmailsend.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.mailanim (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostol.mailanim.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostie.bho (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hostie.bho.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbr.hbmain (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbr.hbmain.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbmain.commband (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\hbmain.commband.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.coreservices (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\coresrv.coreservices.1 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\WinAntivirusPro (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\W MPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DomainServic e (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\DomainService (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\Software\zango (Adware.180Solutions) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Explorer\ShellExecuteHooks\{ff64059d-4d2a-4d6b-aa0f-2ee4a2fe3856} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.180Solutions) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run\WinAntivirusPro (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\Cur rentVersion\Run\WinAntivirusPro (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\software\Microsoft\Windows\Curre ntVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\Cur rentVersion\Run\ntuser (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\Extens ions\Zango@Zango.com (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Internet Settings\5.0\User Agent\Post Platform\Zango 10.3.65.0 (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\Cur rentVersion\Run\autoload (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\Zango (Adware.180Solutions) -> Delete on reboot.
C:\Program Files\Zango\bin (Adware.180Solutions) -> Delete on reboot.
C:\Program Files\Zango\bin\10.3.65.0 (Adware.180Solutions) -> Delete on reboot.
C:\Program Files\Zango\bin\10.3.65.0\firefox (Adware.180Solutions) -> Delete on reboot.
C:\Program Files\Zango\bin\10.3.65.0\firefox\extensions (Adware.180Solutions) -> Delete on reboot.
C:\Program Files\Zango\bin\10.3.65.0\firefox\extensions\compo nents (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\firefox\extensions\plugi ns (Adware.180Solutions) -> Delete on reboot.
C:\Program Files\WinAntivirusPro3.8 (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wsnpoem (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Bin\2.5.0 (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ZangoSA (Adware.Zango) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\amsys (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\akl (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\ISM2 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\WinPerformance (Rogue.WinPerformance) -> Quarantined and deleted successfully.
C:\Program Files\WinPerformance\registry_backup (Rogue.WinPerformance) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65 (Adware.Seekmo) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\__c00D22F1.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\xpupdate.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Stephanie\Local Settings\Temp\Install.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Stephanie\Local Settings\Temporary Internet Files\Content.IE5\KD2FGHUV\ib[1].exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\arrow.ico (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\CntntCntr.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\copyright.txt (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\CoreSrv.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\HostIE.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\HostOE.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\HostOL.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\link.ico (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\OEAddOn.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\Srv.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\Toolbar.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\Wallpaper.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\Weather.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\WeSkin.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\ZangoSA.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\ZangoSAAX.dll (Adware.180Solutions) -> Delete on reboot.
C:\Program Files\Zango\bin\10.3.65.0\ZangoSADF.exe (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\ZangoSAHook.dll (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\firefox\extensions\chrom e.manifest (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\firefox\extensions\insta ll.rdf (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\firefox\extensions\compo nents\npclntax.xpt (Adware.180Solutions) -> Quarantined and deleted successfully.
C:\Program Files\Zango\bin\10.3.65.0\firefox\extensions\plugi ns\npclntax_ZangoSA.dll (Adware.180Solutions) -> Delete on reboot.
C:\Program Files\WinAntivirusPro3.8\WinAntivirusPro.exe (Rogue.WinAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\ShoppingReport\Uninst.exe (Adware.Shopping.Report) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSA.dat (Adware.Zango) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSAAbout.mht (Adware.Zango) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSAau.dat (Adware.Zango) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSAEula.mht (Adware.Zango) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSA_kyf.dat (Adware.Zango) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\History\search2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\settings.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\FunWebProducts\ScreenSaver\Images\0BE01DD6.u rr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\Program Files\amsys\awmsg.dat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\amsys\guid.dat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\amsys\unins000.dat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\amsys\winam.dat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\akl\curlog.htm (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\akl\keylog.txt (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\akl\readme.txt (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\akl\unsetup.dat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\ISM2\dictionary.gz (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\ISM2\targets.gz (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\WinPerformance\registry_backup\2007.11.27 17.16.02.rb (Rogue.WinPerformance) -> Quarantined and deleted successfully.
C:\WINDOWS\default.htm (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\config\systemprofile\cftmon.ex e (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Stephanie\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c00EC41C.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\basehmhvi32.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\~.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\spools.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\baseweh32.dll (Trojan.Downloader) -> Delete on reboot.
C:\WINDOWS\system32\stfv.bin (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\blank.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\box_1.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\box_2.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\box_3.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\button_buynow.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\button_freescan.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\cell_bg.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\cell_footer.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\cell_header_block.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\cell_header_remove.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\cell_header_scan.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\detect.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\download_box.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\download_btn.jpg (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\download_now_btn.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\footer_back.jpg (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\header_1.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\header_2.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\header_3.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\header_4.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\header_red_bg.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\header_red_free_scan.g if (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\header_red_free_scan_b g.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\header_red_protect_you r_pc.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\infected.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\main_back.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jp g (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\product_1_header.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\product_1_name_small.g if (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\product_2_header.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\product_2_name_small.g if (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\product_3_header.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\product_3_name_small.g if (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\product_features.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\pt.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\rating.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\s_detect.htm (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\screenshot.jpg (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\sep_hor.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\sep_vert.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\shadow.jpg (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\shadow_bg.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\spacer.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\spy_away_box.jpg (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\star.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\star_gray.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\star_gray_small.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\star_small.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\style.css (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\v.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\warning_icon.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\win_logo.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\x.gif (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\aconti.log (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\acontidialer.txt (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sznf.ascii (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dpqaqlqx.bin (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Documents and Settings\Default User\Start Menu\Programs\WinAntivirusPro.lnk (Rogue.SpyRemover) -> Quarantined and deleted successfully.
C:\Documents and Settings\LocalService\cftmon.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Stephanie\Application Data\Install.dat (Trojan.Agent) -> Quarantined and deleted successfully.


And here's my new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:41 PM, on 5/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Stephanie\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Yahoo!
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Yahoo!
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = Yahoo! SearchBar Home Page
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Yahoo!
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Yahoo!
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {0A94B116-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
O2 - BHO: Ask Search Assistant BHO - {0A94B111-4504-4e26-AB05-E61E474AA38B} - C:\Program Files\AskPBar\SrchAstt\1.bin\A9SRCHAS.DLL
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1136001636625
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary...o.cab32846.cab
O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../Installer.exe
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/game...Plugin9USA.cab
O20 - Winlogon Notify: __c00EC41C - C:\WINDOWS\system32\__c00EC41C.dat (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - NetGroup - Politecnico di Torino - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 6897 bytes

Run hijackthis and click on "scan system only" button and put checks next to these:


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =

O16 - DPF: {C4925E65-7A1E-11D2-8BB4-00A0C9CC72C3} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/.../Installer.exe

O20 - Winlogon Notify: __c00EC41C - C:\WINDOWS\system32\__c00EC41C.dat (file missing)


Please close ALL browser windows (including this one).

Everything closed out but hijackthis and click on "fix checked"


Reboot your PC and come back and tell me how things are now please.

Alright, it seems the virus is gone, but my desktop, which has been like this since I got the virus, has this white mask-like thing over it. I can tell it's a mask because the icons, which show through, have a reddish outline around them. My desktop background color was red before this happened. Here's a screenshot:

http://img58.imageshack.us/img58/6237/desktopay7.png

Do you know how to fix that?

Try this, courtesy of Jephree(moderator)

1. Right click on desktop

2. Select properties

3. Select Desktop tab

4. Scroll thru desktop background options and select "None"

5. Click "apply" then "ok"

6. Try changeing desktop background to what ever you want.


Good luck.

http://img372.imageshack.us/img372/6...kvfjydhdn8.png

The scroll box is darkened and I can't scroll or click anything in it.

Let's dig a bit and see if you have a desktop hijacker on your PC.


Please download http://siri.urz.free.fr/Fix/SmitfraudFix.zip (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Please do not run any other option until asked to do so, Thanks

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

A notepad document popped up, I'm assuming that's the report you want me to send, so here it is:

SmitFraudFix v2.323

Scan done at 20:32:43.18, Sun 06/01/2008
Run from C:\Documents and Settings\Stephanie\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\WINDOWS\system32\Tablet.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Stephanie


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Stephanie\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\STEPHA~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.ex e,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Dell Wireless 1370 WLAN Mini-PCI Card - Packet Scheduler Miniport
DNS Server Search Order: 68.87.76.178
DNS Server Search Order: 68.87.66.196
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{3D59C3C3-A62F-4F33-865E-473EF8BADB11}: DhcpNameServer=68.87.76.178 68.87.66.196 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{3D59C3C3-A62F-4F33-865E-473EF8BADB11}: DhcpNameServer=68.87.76.178 68.87.66.196 192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{3D59C3C3-A62F-4F33-865E-473EF8BADB11}: DhcpNameServer=68.87.76.178 68.87.66.196 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.66.196 192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.66.196 192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.87.76.178 68.87.66.196 192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End