Please help analyze my HJT log. can not remove worm/spyware

Discussion in 'Malware and Virus Removal Archive' started by dlove, 2006/04/05.

  1. 2006/04/05
    dlove

    dlove Inactive Thread Starter

    Joined:
    2006/04/05
    Messages:
    2
    Likes Received:
    0
    I have windows xp sp2 on a dell laptop 8200 inspiron.

    Well limewire pro and some other downloads have really infected my computer. I have NAV 2005 updated and ran several times, as well as Ewido, ad-aware, ccleaner, etc. I have done lots of research and have modified and deleted several registry keys. It is a little better but it is still lingering.

    Can someone pretty please analyze my HJT log?
     
  2. 2006/04/06
    jdc071391

    jdc071391 Inactive

    Joined:
    2006/03/31
    Messages:
    86
    Likes Received:
    0
    One piece of advice:
    If you are using the command 'regedit' be extremely cautious, as anything you change or delete in here isn't easily reversed. So make extra sure you know what you are doing beforehand.

    JC
     

  4. 2006/04/06
    dlove

    dlove Inactive Thread Starter

    Joined:
    2006/04/05
    Messages:
    2
    Likes Received:
    0
    I mostly used registry optimizer programs

    I did remove a few myself.
    I am not sure what all the host winmx is....I did install a crack to get it to work again.
    Here is my HJT:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:37:48 PM, on 4/5/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system32\cisvc.exe
    C:\Program Files\ewido anti-malware\ewidoctrl.exe
    C:\Program Files\ewido anti-malware\ewidoguard.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Norton AntiVirus\SAVScan.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\AIM\aim.exe
    C:\Program Files\Digital Asphyxia\Y!TunnelPro V1.3 Build 272\YTunnelPro.exe
    C:\Program Files\CheckIt\86\CheckIt86.exe
    C:\Program Files\D-Link AirPlus\WLANMON.exe
    C:\Program Files\Yahoo!\Messenger\ypager.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://finance.yahoo.com/q?s=TKO&quicken=2
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cus.../*http://www.yahoo.com/ext/search/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dellnet.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O1 - Hosts: 205.238.40.1 winmx.com
    O1 - Hosts: 205.238.40.1 www.winmx.com
    O1 - Hosts: 205.238.40.1 err.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1305.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1305.winmx.com
    O1 - Hosts: 205.238.40.1 c3310.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3311.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3313.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3314.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3315.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3316.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3317.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3318.z1306.winmx.com
    O1 - Hosts: 82.195.155.5 c3319.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3520.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3521.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3522.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3523.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3524.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3525.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3526.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3527.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3528.z1301.winmx.com
    O1 - Hosts: 82.195.155.5 c3529.z1301.winmx.com
    O1 - Hosts: 205.238.40.1 c3520.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3521.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3522.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3523.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3524.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3525.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3526.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3527.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3528.z1302.winmx.com
    O1 - Hosts: 82.195.155.5 c3529.z1302.winmx.com
    O1 - Hosts: 205.238.40.1 c3520.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3521.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3522.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3523.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3524.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3525.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3526.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3527.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3528.z1303.winmx.com
    O1 - Hosts: 82.195.155.5 c3529.z1303.winmx.com
    O1 - Hosts: 205.238.40.1 c3520.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3521.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3522.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3523.z1304.winmx.com
    O1 - Hosts: 205.238.40.1 c3524.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3525.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3526.z1304.winmx.com
    O1 - Hosts: 82.195.155.5 c3527.z1304.winmx.com
    O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
    O2 - BHO: (no name) - {4DE82F79-B5B4-8D05-E43A-CE19137A81CA} - (no file)
    O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
    O2 - BHO: CheckIt 86 Extension Class - {82DF1118-9B92-45d8-B78F-1737A69A06E1} - C:\Program Files\CheckIt\86\CheckIt86.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe "
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [winlog] winlog.exe
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\RunServices: [winlog] winlog.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [Y!TunnelPro] C:\Program Files\Digital Asphyxia\Y!TunnelPro V1.3 Build 272\YTunnelPro.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - Global Startup: CheckIt 86.lnk = C:\Program Files\CheckIt\86\CheckIt86.exe
    O4 - Global Startup: D-Link AirPlus DWL-650+ Utility.lnk = ?
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: Add To CheckIt &86 Trust List - C:\PROGRA~1\CheckIt\86\AddToTrustList.js
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O16 - DPF: {01010E00-5E80-11D8-9E86-0007E96C65AE} (SupportSoft SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
    O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {3CA15C82-6297-11D6-B8FA-00C04F5E375A} (BridgeChannel v3) - http://channel.bridge.com/bc/java/bc3_bridge_i.cab
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1122188968164
    O16 - DPF: {A0777FF1-23AC-11D5-BA9B-00C04F753F09} (BridgeChannel) - http://channel.bridge.com/bc24/java/bc_bridge_i.cab
    O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/aio/en/check/qdiagh.cab?319
    O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.com/download.companion.yahoo.com/dl/toolbar/yiebio5_1_6_0.cab
    O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
    O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


    Please advise me as to what to remove. thanks so much!
     
  5. 2006/04/06
    jdc071391

    jdc071391 Inactive

    Joined:
    2006/03/31
    Messages:
    86
    Likes Received:
    0
    I don't know anything about HJT listings so I'll leave that to someone else.

    I'd use a program like PC-cillin though if it were me to get rid of whatever **** was there

    JC
     
  6. 2006/04/10
    markp62

    markp62 Geek Member Alumni

    Joined:
    2002/05/01
    Messages:
    4,012
    Likes Received:
    16
    While your log is long, I see some things that could be fixed.

    If you no longer use WinMX, remove all entries beginning with O1 - Hosts. Then remove these.

    O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
    O2 - BHO: (no name) - {4DE82F79-B5B4-8D05-E43A-CE19137A81CA} - (no file)
    O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
    O4 - HKLM\..\Run: [winlog] winlog.exe
    O4 - HKLM\..\RunServices: [winlog] winlog.exe

    Reboot into Safe Mode.
    Delete all files and folders located in these folders.
    C:\Windows\Prefetch
    C:\Windows\Temp
    C:\Documents and Settings\username\Local Settings\Temp

    Look in the C:\Windows or C:\Windows\System32 folder, and delete the file "winlog.exe". You can then reboot into Normal mode.

    This trojan sometimes disables System Restore and the Windows Firewall; I would check them.
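
The three kinds of entry singled out in the reply above (O1 Hosts redirects, O2 BHOs whose file is missing, and O4 autoruns named without a path) can be pulled out of a HijackThis log mechanically. This is an added example, not part of the original thread or of HijackThis; the function name `triage` and the "no backslash in the command" rule are assumptions made here, and the result is a shortlist for an analyst to review, not a verdict.

```python
import re
from collections import Counter

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O1 - Hosts: 205.238.40.1 winmx.com
O1 - Hosts: 205.238.40.1 www.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1301.winmx.com
O2 - BHO: ZIBho Class - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
"""

ENTRY = re.compile(r"^\s*([A-Z]\d{1,2}) - (.*)$")    # "O4 - <body>"
CLSID = re.compile(r"\{[0-9A-Fa-f-]{36}\}")          # "{8-4-4-4-12}"
AUTORUN = re.compile(r"(\S+): \[([^\]]*)\] (.+)$")   # "key: [name] command"


def triage(log_text):
    """Return (hosts_by_ip, findings) for the text of a HijackThis log."""
    hosts_by_ip = Counter()   # how many hostnames each IP is mapped to
    findings = []             # (reason, detail) pairs for manual review
    for raw in log_text.splitlines():
        m = ENTRY.match(raw)
        if not m:
            continue          # header, process list, blank line
        section, body = m.group(1), m.group(2).strip()
        if section == "O1" and body.startswith("Hosts:"):
            parts = body[len("Hosts:"):].split()
            if len(parts) >= 2:
                hosts_by_ip[parts[0]] += 1
        elif section == "O2" and body.endswith("(no file)"):
            # BHO is still registered but its DLL is gone: a leftover key.
            clsid = CLSID.search(body)
            findings.append(("orphaned BHO", clsid.group(0) if clsid else body))
        elif section == "O4":
            run = AUTORUN.match(body)
            # Heuristic (assumption): a command with no backslash anywhere is
            # resolved through the search path, so its location is unknown.
            if run and "\\" not in run.group(3):
                detail = f"{run.group(1)} [{run.group(2)}] {run.group(3)}"
                findings.append(("autorun without path", detail))
    return hosts_by_ip, findings


if __name__ == "__main__":
    hosts, items = triage(SAMPLE_LOG)
    for ip, count in hosts.most_common():
        print(f"hosts file maps {count} name(s) to {ip}")
    for reason, detail in items:
        print(f"{reason}: {detail}")
```
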
     
