Need W32.Myzor.FK@yf Help
sambro
Newbie
24. June 2006 @ 05:29
G'day

I seem to have a problem with this W32.Myzor.FK@yf virus thingo too, can you help me, please


here are the Smitfraudfix results

SmitFraudFix v2.65

Scan done at 23:28:04.64, Sat 24/06/2006
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\guxxa.dll FOUND !
C:\WINDOWS\system32\hp???.tmp FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\SpywareQuake.com\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{af3fd9a8-1287-4159-9212-9a5b4494af70}"="ecosystems"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

and here are the HjT scan results

Logfile of HijackThis v1.99.1
Scan saved at 11:24:13 PM, on 24/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dcomcfg.exe
C:\WINDOWS\system32\atmclk.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\drwtsn32.exe
C:\WINDOWS\system32\drwtsn32.exe
C:\HJT\HijackThis_v1.99.1.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C25EBBF5-6966-6CD5-7CA3-FC9692C95F88} - C:\DOCUME~1\Sam\APPLIC~1\GRIMSU~1\Surf Barb.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~2\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [dentpingthatobj] C:\Documents and Settings\All Users\Application Data\Wave Rule Dent Ping\Cash Hold.exe
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{7577FBA0-FC2E-4512-A088-7846BFF0B0A0}: NameServer = 203.32.82.6 203.32.82.5
O17 - HKLM\System\CCS\Services\Tcpip\..\{F32D33BA-7E2D-49A2-A963-92B379F23FF6}: NameServer = 172.16.5.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Got this far, if you can help me from here that would be much appreciated

Cheers
Sambro

Senior Member
25. June 2006 @ 00:42
@sambro

Hi.

You don't have a firewall on your computer. Download and install one firewall.

These are good (free) firewalls:
ZoneAlarm -> http://www.zonelabs.com
Kerio -> http://www.sunbelt-software.com/Kerio.cfm
Outpost -> http://www.agnitum.com

Disable Windows firewall after the installation if it was enabled.

Ok, you got some infections on your computer....

Cleaning instructions:

Download and install Ewido anti-malware -> http://www.ewido.net/en/download
Update it, but do NOT run a scan yet. We'll use it later.

Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked

O2 - BHO: (no name) - {C25EBBF5-6966-6CD5-7CA3-FC9692C95F88} - C:\DOCUME~1\Sam\APPLIC~1\GRIMSU~1\Surf Barb.exe
O4 - HKLM\..\Run: [dentpingthatobj] C:\Documents and Settings\All Users\Application Data\Wave Rule Dent Ping\Cash Hold.exe

Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
Restart your computer in safe mode -> http://www.pchell.com/support/safemode.shtml

Delete these folders (if found):
C:\DOCUME~1\Sam\APPLIC~1\GRIMSU~1
C:\Documents and Settings\All Users\Application Data\Wave Rule Dent Ping

When in safe mode, open the SmitfraudFix folder and double-click the file smitfraudfix.cmd
Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.

The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".

The tool might have to restart your computer; if it doesn't, restart your computer back to normal mode.
A text file will appear after the cleaning process; copy this file and paste it here.

The log is saved to your local disk drive, usually C:\rapport.txt.

Warning: Running option 2 on a clean computer will delete your desktop wallpaper.

Scan and clean your computer with Ewido and save the report.

Clean the Recycle bin.

Download Findlop by Metallica and save it to your desktop -> http://metallica.geekstogo.com/findlop.zip

Extract the zip file and double-click the file findlop.bat; answer yes to any questions.

Post the following logs here:
-> a fresh HijackThis log
-> Ewido's log
-> C:\findlop.txt
-> C:\Rapport.txt


I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's unsupportive atmosphere.
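
The kind of by-eye triage applied to the HijackThis log in the reply above, as an added example (not part of the original post and not HijackThis's own code): a small parser that flags O2/O4 autostart entries for manual review. The two rules and all function names are assumptions chosen to fit the entries discussed in this thread; the sample lines are copied from the first HijackThis log above.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    section: str    # HijackThis section code, "O2" (BHO) or "O4" (Run/startup)
    name: str       # BHO name or Run value name
    path: str       # executable or DLL the entry loads
    reasons: tuple  # names of the heuristic rules that matched


# O2 - BHO: <name> - {CLSID} - <path to DLL>
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]{36}\} - (?P<path>.+)$")
# O4 - HKLM\..\Run: [<value name>] <command line>
RUN_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
# Leading executable of a command line, quoted or not (paths may contain spaces).
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|dll|tmp|com|scr|bat))(?=["\s]|$)', re.I)

# Lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: (no name) - {C25EBBF5-6966-6CD5-7CA3-FC9692C95F88} - C:\DOCUME~1\Sam\APPLIC~1\GRIMSU~1\Surf Barb.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~2\Cfgwiz.exe /R
O4 - HKLM\..\Run: [dentpingthatobj] C:\Documents and Settings\All Users\Application Data\Wave Rule Dent Ping\Cash Hold.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""


def reasons_for(path: str) -> tuple:
    """Return the names of the heuristic rules that a target path matches."""
    p = path.lower()
    hits = []
    # Rule 1 (assumption): autostart target stored under an "Application Data"
    # folder, written either as the long name or the 8.3 short name APPLIC~1.
    if "\\application data\\" in p or "\\applic~1\\" in p:
        hits.append("runs-from-application-data")
    # Rule 2 (assumption): a loaded module with a .tmp extension, the same
    # pattern the SmitFraudFix scan reports as hp???.tmp in system32.
    if p.endswith(".tmp"):
        hits.append("tmp-extension")
    return tuple(hits)


def triage(log_text: str) -> List[Finding]:
    """Parse O2 and O4 lines of a HijackThis log and return flagged entries."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            section, name, path = "O2", m["name"], m["path"]
        else:
            m = RUN_RE.match(line)
            if not m:
                continue  # other sections (O3, O9, O23, ...) are not covered here
            exe = EXE_RE.match(m["cmd"])
            section, name = "O4", m["name"]
            # Fall back to the whole command line if no executable is recognised.
            path = exe["exe"] if exe else m["cmd"]
        hits = reasons_for(path)
        if hits:
            findings.append(Finding(section, name, path, hits))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section} [{f.name}] {f.path} <- {', '.join(f.reasons)}")
```

A hit is only a prompt to look the entry up before fixing it; legitimate software also installs under Application Data, and entries outside O2/O4 are not examined.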

sambro
Newbie
25. June 2006 @ 04:28
Thanks, here are the files you requested

Logfile of HijackThis v1.99.1
Scan saved at 9:20:32 PM, on 25/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
c:\progra~1\intern~1\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~2\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [knob owns] C:\DOCUME~1\Sam\APPLIC~1\SHIMCO~1\32 ace once.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F32D33BA-7E2D-49A2-A963-92B379F23FF6}: NameServer = 172.16.5.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

The Ewido report (it's a biggy)

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:27:24 PM 25/06/2006

+ Scan result:



[1732] c:\docume~1\sam\applic~1\shimco~1\boreel~1.exe -> Downloader.Swizzor.cb : Error during cleaning.
C:\Documents and Settings\Jill\Local Settings\Temporary Internet Files\Content.IE5\QPCBKN4P\fammigodere[1].exe -> Heuristic.Win32.Dialer : Ignored.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GPIVKTEZ\WinAntiVirusPro2006FreeInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.j : Ignored.
C:\Documents and Settings\Gemma\Cookies\gemma@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Gemma\Cookies\gemma@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Sam\Local Settings\Temp\Cookies\sam@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Gemma\Local Settings\Temp\Cookies\gemma@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Sam\Local Settings\Temp\Cookies\sam@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Gemma\Cookies\gemma@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Sam\Local Settings\Temp\Cookies\sam@as-eu.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\Gemma\Local Settings\Temp\Cookies\gemma@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Gemma\Local Settings\Temp\Cookies\gemma@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\Gemma\Cookies\gemma@lop[1].txt -> TrackingCookie.Lop : Cleaned.
C:\Documents and Settings\Gemma\Local Settings\Temp\Cookies\gemma@mediaplex[2].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Gemma\Cookies\gemma@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Sam\Local Settings\Temp\Cookies\sam@ads0.revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Sam\Local Settings\Temp\Cookies\sam@ads1.revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Sam\Local Settings\Temp\Cookies\sam@revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Gemma\Cookies\gemma@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Gemma\Local Settings\Temp\Cookies\gemma@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Sam\Local Settings\Temp\Cookies\sam@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Gemma\Cookies\gemma@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Sam\Local Settings\Temp\Cookies\sam@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Sam\Local Settings\Temp\Cookies\sam@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SLUZCDAF\WinFixer2006FreeInstall[1].exe -> Trojan.Fakealert : Ignored.
C:\Program Files\WinFixer2006FreeInstall.exe -> Trojan.Fakealert : Ignored.
C:\Program Files\Media-codec -> Trojan.Small : Cleaned with backup (quarantined).
C:\Program Files\Media-Codec\uninst.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Sean Paul - Chronicles (2003).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Secure FTP Factoy 5.3.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Secure iNet Factoy 5.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\SecuritySupervisor 1.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Seeed - Music Monks.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Selteco Flash Designer 5.0.20.6.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Sepultura - Dante XXI (2006) - promo.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Serenity DivX (2005).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Serenity Forest Screensaver.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Serpengo 1.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Serv-U 5.1 Corporate.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Shadow Warrior - 3d Realms.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\ShadowGames Shooter.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Shaggy Clothes Drop (Advance).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\ShockScript Game Script with 250 games.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Shrek 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\SiSoftware Sandra Professional Unicode SR2a.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Sim City 4 Deluxe.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Skype 2.0.0.73.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Slide Show to Go 8.3.1.63.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Slideshow Pro 9.8.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Slipknot - Mate Kill Feed Repeat.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Smart HTTP Debugger 1.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Smart Protector Internet Eraser 4.8.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Smart Undelete 2.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Smart Wedding 4.0.0.1057.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\SmartBroker Pro 4.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\SmartCode VNC Manager Enterprise 3.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\SoftCAT Plus 2.10.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Software PNG Icons For Webmasters.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Sonic Backup my PC Deluxe 6.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Sony Sound Forge 7.0b.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Sorority girl fucks the tutor.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Sothink DHTMLMenu 6.3.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Sound Forge 8.0b.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Soundtrack Transporter 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Soundtrack Underworld 2 Evolution.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\South Park Rally.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\SpamMonster 1.70.09.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\SpecForce.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\SpeedItUp Extreme 3.50.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Spiral Graphics Genetica Pro 2.0 Te.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Splinter Cell Chaos Theory.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Spy Cleaner Pro 8.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\SpyRemo2.49.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\SpyRemover 2.46.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\SpyStopper Pro 4.3.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Spyware Doctor 3.2.2.453.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Spyware Doctor 3.5.0.478.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Star Defender II.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Star Wars Episode III - Revenge of the S.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Star Wars Knights of the Old Republic II.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Star Wars Knights of the Old Republic.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Stardock Windows Blind 5 Enhanced.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Startup Manager Platinum 2.04.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Steganos SAFE ProFESSIONAL 2006 8.0.9.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Steinberg Cubase SX 3.1.1.944.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Steinberg MyMP3Pro 5.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Steinberg Nuendo 3.2.0.1128.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Steve Hackett - Metamorpheus (2005).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Still Life.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Strike Ball 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Stronghold 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Stunt GP.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\StyleVision 2005 Enterprise.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Sum 41 - Does This Look Infected (2002).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Super Cars Wallpapers 1920 x 1440.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Super Norton System Works 2006 AIO.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Super RM to MP3 Converter 2.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Super Utilities Pro 6.21.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Super Utilities Professional 6.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Super Video Splitter 2.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\SuperRam 5.8.8.2005.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\SuperVideoCap 4.38.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Surreal Media Templates.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Suse Linux Professional 10.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Sway - This Is My Demo (Promo 2006) - Hip Hop.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Syberia 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Symantec AntiVirus Corp.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Symantec AntiVirus Corporate for Win64.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Symantec Ghost Solution Suite ver. 1.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Symantec Norton AntiSpam 2004.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Symantec Norton Ghost 10.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\System Mechanic 6.0i Pro.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\System Mechanic Professional 6.0 p.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\System Mechanic Professional 6.0F.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\System Of A Down - Hypnotize.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Systerac XP Tools 3.12.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Systerac XP Tools 3.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\T-NES - Serious business.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\THE BEATLES - Jamming With Heather.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Talking Time Keeper 15.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Tally 7.2 - Single User and Multi User.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Tamara.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Task List Basic 1.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\TechSmith SnagIt 8.0.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Template Monster 9225.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Terminator 3 War of the Machines.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Tetris Arena 1.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Bat! 3.0.1.33 Professional.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Beach.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Beatles- Acoustic Masterpieces.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The CORRS - Home (Oct 2005).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Chroncls Of Narnia The Lion, the.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Chronicles of Narnia.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Chronicles of Riddick.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Chumscrubber (2005).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Da Vinci Code trailer 2006 (Drama, Mystery, Thriller).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Dark Hours (2005).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Descent.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Exorcism of Emily Rose UNRATED.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Exorcism of Emily Rose.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Fog - 2005.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Gladiators Of Rome.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Incredibles , Rise Of The Underminer.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Island.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Man.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Matrix Path Of Neo.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Palette Melody Composing Tool 4.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Panorama Factory 4.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Punisher.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The RZA Hits (1999).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Shins - Oh, Inverted World (2001).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Simpson Hit and Run.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Simpsons Seri 17 Episode 10.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Sims 1 (8 In One).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Sims 2 Christmas Party Pack.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Sims 2 Holiday Party Pack.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Sims 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Snow Walker.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Transporter 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The Weather Man (2005).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The.Last.Drop.2005-TDL.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\The.New.World.SCR-maVen.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Theme Hospital (Game).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Thief - Deadly Shadows.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Throttle 6.1.16.2006.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Thumbsucker.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Tilt.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Titanic.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Tomb Raider I and II s.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Total Video Converter 2.52.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Toto - Falling In Between (2006) - Rock.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Trailer Park Tycoon.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Traktor Racer - RITUEL.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Transporter 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Trash It 1.80.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Treasure Vault 3D Screensaver.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Trendy Flash Site Builder.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Trials Mountain Heights.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Trojan Remover 6.44.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Troy.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\TuneUp Utilities 2006 5.0.2331.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\TuneUp Utilities 2006.5.0.2331.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\TurboFTP 4.60.443.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\TweakNT - Removes Windows Timebomb.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\TweakNow PowerPack 2006 Pro 1.10 Retial.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\TweakNow Powerpack 2006 Pro.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Two Weeks Notice.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\UEStudio 05.10.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Ulead DVD MovieFactory 4.0 TBYB.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Ulead.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Ultra DVD Creator 1.4.6.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Ultra MP3 To CD Burner 1.3.8.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Ultra MPEG To DVD Burner 1.3.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Ultra MPEG to DVD Burner 1.4.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Ultra Video Converter 1.4.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Ultra Video Converter 1.4.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\UltraISO 7.5.1.965 ME.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Underworld.Evolution.TS-maVen.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Universal Rapidshare Downloader 1.3.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Universal Share Downloader 1.3.3.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Unreal Tournament 2004.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Unreal Tournament.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\UserGate 4.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Usher - Confessions Special.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\V-Rally.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\V.A. - RAPStar vol. 1 (2006).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\VA - Big Mike - The Big Boy Game Vol.9 (2005) - Hip Hop.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\VA - Chill House Volume 12 (2005) - Lo-Fi.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\VA - Club Hits Vol.13 (2005) - Club - CD1 CD2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\VA - Eminem and Friends - Game Over Sessions (2005) - Hip Ho.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\VA - Eros (2006) - Jazz.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\VA - Estoy Por Ti (2005) - Pop.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\VA - Giga Hits Zima (2006) - Dance.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\VA - Madhouse 12 (2CD - 2005).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\VA-Big Mike And Big Stress-Something F.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\VB.Net to C.Sharp Converter 1.45.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\VBA Password Bypasser 1.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\VMware Workstation 5.5 Build 18007 RC.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\VSO Blindwrite 5.2.21.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\VSO Blindwrite Suite 5.2.23.156.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Valiant.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Van Wilder.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Vcom 2006.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Vicentas SourceShield 1.0.151.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Video AVI To GIF Converter 2.0.13.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Video Converter Plus 3.01.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Video Edit Magic 4.12.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\VideoInspector 1.8.0.94.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\ViewCompanion Pro 4.01.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\VirtGuard 1.03.04.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Virtual CD 7.1.0.2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\VirtualDrive Pro 10.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\VisKeeper 2.2.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Vista Start Menu v 1.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Vista Tranformation Pack 2 XP.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Vital Desktop Video 1.3.8.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\VividLyrics 2.4.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\VueScan Pro 8.3.18.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\WWW File Share Pro 4.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Walking with Dinosaurs.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Wallpapers Collection TOP100 Nature.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Wallpapers for FireFox Fans.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\War of the Worlds.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Warcraft AIO (4 in 1).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Warcraft II 2 Battle.net.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Warhammer 40,000 Dawn of War.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Warhammer 40.000 - Dawn of War.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Web Page Maker 2.1.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Webroot Desktop firewall 1.3.0.52.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Webroot Spy Sweeper 4.0.4.458.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Webshots Premium Wallpapers September.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Wedding Crashers.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Where the Truth Lies (2005).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\White Bear (ero-Game).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Win Big Pro 1.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\WinASO Registry Optimizer 2.53.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\WinAVI DVD Copy 4.5.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\WinAVI Video Converter 7.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\WinDVD Platinum 7.0 B27.115.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\WinDVD Platinum 7.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\WinDVD Recorder 5 Platinum.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\WinFast Capture 1.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\WinGuard Pro 2006 6.0.3.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\WinMPG Video Convert 5.7.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\WinPatrol Plus 9.8.1.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\WinProxy 6.0 R1C.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\WinRAR 3.51 full no serial needed all themes.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\WinRAR 3.51.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\WinRAR Crystal Special.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\WinTasks Pro 5.04.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\WinXMedia DVD MPEG AVI Audio Converter 3.1.36.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\WinXP Manager 4.94.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\WinZip 10.0.6667.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\WinZip 10.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Winamp 5.1.1 Pro.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Winamp 5.112.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Winamp 5.12 Pro.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Winamp Pro 5.13.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\WindowBlinds Enhanced 5.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Windows Installers.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Windows Office Mega Pack (2 DVD).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Windows Vista Codename Longhorn.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Windows Vista Transformation Pack 2.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Windows Vista.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Windows XP Live Edition 2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Windows XP Pro SP2 2005 Gold Reloaded.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\WindowsXPE.AlexMovsesian iSO Size 87 MB.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Wolf Creek 2005.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Wolfgang.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Womble MPEG Video Wizard 12 2005.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\WoodWorks 0.1.1.4331.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Working Safedisc Bypasser.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\World Soccer Winning Eleven 8 International.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Worms 4 Mayhem.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Wowgirls SE2.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\X-Cleaner Deluxe.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\X-Files -The.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\X2 X-Men United DvD.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\XP Repair Pro 2006 ver. 3.0.20.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\XP Tools Pro 4.70.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\XPCSpy Pro 2.51.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\XPCSpy Pro 2.58.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\XPert Scale Print 2.1.3 for QuarkXPres.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\XPlite Professional 1.7.0300.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Xceed Ultimate Suite 2006 1.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\XnView v. 1.82 1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\XoftSpy 4.21-142.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Yess - Tales - From the Topographic Oceans.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Yess - Yessongs (live).zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Z.A.R.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Zan Image Printer 4.0.9.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Zathura. Kosmiczna przygoda.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Zone Alarm Internet Security Suite 61.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\ZoneAlarm Antivirus + Anti-spyware.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Zoom Player Professional 4.10.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\Zuma Deluxe Plus.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\eBay Auction Sniper 3.1.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\eDonkey2000 1.4 Pro.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Documents and Settings\Sam\Complete\podXP 1.0.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Program Files\winupdates\a.tmp -> Worm.VB.an : Cleaned with backup (quarantined).
C:\Program Files\winupdates\a.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc10.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc100.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc101.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc102.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc103.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc104.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc105.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc106.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc107.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc108.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc109.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc11.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc110.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc111.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc112.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc113.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc114.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc115.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc116.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc117.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc118.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc119.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc12.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc13.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc14.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc15.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc16.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc17.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc18.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc19.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc20.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc21.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc22.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc23.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc24.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc25.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc26.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc27.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1482476501-1844237615-682003330-1004\Dc28.zip/Setup.exe -> Worm.VB.an : Cleaned with backup (quarantined).


::Report end




The Findlop files

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'A85C9FBD91AB1695.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\sam\applic~1\shimco~1\boreelseinternet.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Sam'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 06/25/2006 23:00:00
StartError: SCHED_S_TASK_HAS_NOT_RUN
ExitCode: 0
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 02/11/1995
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


and finally The Rapport File

SmitFraudFix v2.65

Scan done at 21:06:19.84, Sun 25/06/2006
Run from C:\1\Copy only SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{af3fd9a8-1287-4159-9212-9a5b4494af70}"="ecosystems"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\atmclk.exe Deleted
C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\guxxa.dll Deleted
C:\WINDOWS\system32\hp???.tmp Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\regperf.exe Deleted
C:\WINDOWS\system32\simpole.tlb Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\Program Files\SpywareQuake.com\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


Am I clean yet? Cheers, mate
lemosc
Newbie
25. June 2006 @ 06:40
Please review my logs, I have a nasty bug/trojan/spyware problem that I seem to not know how to fix. Please help!!!

Logfile of HijackThis v1.99.1
Scan saved at 9:05:32 AM, on 6/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
E:\Program Files\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\7d0ce104.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\bin\HPOVDX05.EXE
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Admin\Desktop\HijackThis_v1.99.1.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Nothing - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AS00_Netgear] C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe -hide
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\system32\msmsgs.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [7d0ce104.exe] C:\WINDOWS\system32\7d0ce104.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [7d0ce104.exe] C:\Documents and Settings\Admin\Local Settings\Application Data\7d0ce104.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP OfficeJet T Series Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Here is my Rapport log:
SmitFraudFix v2.65

Scan done at 9:30:45.78, Sun 06/25/2006
Run from C:\Documents and Settings\Admin\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{6af69c4d-420a-4c95-b34f-e4635f84f53b}"="forevouched"


»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\q*_disk.dll Deleted
C:\WINDOWS\system32\atmclk.exe Deleted
C:\WINDOWS\system32\dcomcfg.exe Deleted
C:\WINDOWS\system32\hp???.tmp Deleted
C:\WINDOWS\system32\ld????.tmp Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\perfcii.ini Deleted
C:\WINDOWS\system32\regperf.exe Deleted
C:\WINDOWS\system32\stdole3.tlb Deleted
C:\WINDOWS\system32\1024\ Deleted
C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url Deleted
C:\Program Files\Security Toolbar\ Deleted
C:\Program Files\SpywareQuake.com\ Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Thanks Carlos
USCGCWO69
Newbie
25. June 2006 @ 07:20
Found my computer infected with this little jewel, here is the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 10:08:28 AM, on 6/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\CTsvcCDA.EXE
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\WINDOWS\system32\atmclk.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\system32\spoc42.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Magical Gatherings\Magical Gatherings.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\spoc42.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\devldr32.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Netropa\Traymon.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Darin Qualkenbush\Desktop\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qsdgm.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,cnjjwdv.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000010} - C:\WINDOWS\DH.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll (file missing)
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll (file missing)
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: Yvakt Class - {BA3DDC15-3EF1-4DC7-B9B6-ED0403F9422A} - C:\WINDOWS\system32\OUGHYA~1.DLL (file missing)
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CQ4d6] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MPFEXE] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [OSS] C:\WINDOWS\SYSTEM32\ossproxy.exe -boot
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [aapsmv] C:\WINDOWS\system32\bjlcmx.exe reg_run
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - HKCU\..\Run: [wwwun] C:\WINDOWS\system32\bjlcmx.exe reg_run
O4 - HKCU\..\Run: [spoc42] C:\WINDOWS\system32\spoc42.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Ukb] C:\Documents and Settings\Darin Qualkenbush\My Documents\??sks\m?hta.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [dpnnin] C:\WINDOWS\system32\dpnnin.exe
O4 - HKCU\..\Run: [Aida] "C:\Program Files\rdso\eetu.exe" -vt yazb
O4 - HKCU\..\Run: [Magical Gatherings] "C:\Program Files\Magical Gatherings\Magical Gatherings.exe" -r
O4 - HKCU\..\RunOnce: [spoc42] C:\WINDOWS\system32\spoc42.exe
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: sqxds.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet6_38.dll' missing
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple...
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/alien.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINDOWS\system32\OUGHYA~1.DLL
O20 - AppInit_DLLs: iniwin32.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGFyaW4gUXVhbGtlbmJ1c2g\command.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\tsmavvc.exe (file missing)
pinkowski
Suspended due to non-functional email address
25. June 2006 @ 07:31
EWIDO seemed to be the easiest and only fix to resolve this tenacious malware on a client's computer. Try running this first, but if it doesn't work at first, then run the Smitfraud fix, then run EWIDO.

Install and run 30 day free trial edition of EWIDO: http://www.ewido.net/en/download/

Download SmitfraudFix.zip to your desktop:
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Senior Member
25. June 2006 @ 08:09
@sambro

Not clean yet....

Cleaning instructions:

Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1
Do NOT run yet.

Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked

O4 - HKCU\..\Run: [knob owns] C:\DOCUME~1\Sam\APPLIC~1\SHIMCO~1\32 ace once.exe

Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
Restart your computer to the safemode -> http://www.pchell.com/support/safemode.shtml

Delete these folders (if found):
C:\Documents and Settings\Sam\APPLIC~1\SHIMCO~1
C:\Documents and Settings\Sam\Complete

Run ATF Cleaner -> Check select all -> Press Empty selected

Clean the Recycle bin and make your hidden files visible again.

Restart your computer normally.

Download Killbox to your desktop -> http://www.downloads.subratam.org/KillBox.zip
Unzip it to your desktop.

Run Killbox.exe
-> Choose Delete on Reboot
-> Click All Files option.

Copy the following lines to your clipboard (choose text with your mouse, press CTRL+C or copy)

c:\windows\tasks\A85C9FBD91AB1695.job


Then go back to Killbox
-> go to File
-> choose Paste from Clipboard
-> Click the red-white Delete File option.
-> Click Yes to Delete on Reboot question
-> Click OK to any PendingFileRenameOperations requests (and tell me if you get any of these!)
-> Restart your computer if Killbox won't do it.

(If you get this error when running Killbox: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid.", download Missingfilessetup.exe from here to your desktop and run the file, then try running Killbox -> http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe)

Run Findlop again.

Post the following logs to here:
-> a fresh HijackThis log
-> Ewido's log
-> C:\findlop.txt

-----------------------------------------------------------------------------------------------------------------

@lemosc

Ok, you got some infections on your computer....

Cleaning instructions:

Move HijackThis into its own folder C:\HJT

Disable Windows AntiSpyware because it may hinder the cleaning process, instructions -> http://wiki.castlecops.com/Malware_Removal:_Temporarily_Disable_R...

Update your Ewido.

Download Killbox to your desktop -> http://www.downloads.subratam.org/KillBox.zip
Unzip it to your desktop.

Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1
Do NOT run yet.

Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked

O4 - HKLM\..\Run: [7d0ce104.exe] C:\WINDOWS\system32\7d0ce104.exe
O4 - HKCU\..\Run: [7d0ce104.exe] C:\Documents and Settings\Admin\Local Settings\Application Data\7d0ce104.exe

Open Notepad
-> copy the following lines into a new document:

@echo off
sc stop r_server
sc delete r_server

Save the document to your desktop as Removal.bat and filetype: All Files
Go to your desktop and run the file Removal.bat and answer yes to any questions.

Restart your computer to the safemode -> http://www.pchell.com/support/safemode.shtml

Run Killbox.exe
-> Choose Delete on Reboot
-> Click All Files option.

Copy the following lines to your clipboard (choose text with your mouse, press CTRL+C or copy)

C:\WINDOWS\system32\7d0ce104.exe
C:\Documents and Settings\Admin\Local Settings\Application Data\7d0ce104.exe
C:\WINDOWS\system32\r_server.exe


Then go back to Killbox
-> go to File
-> choose Paste from Clipboard
-> Click the red-white Delete File option.
-> Click Yes to Delete on Reboot question
-> Click OK to any PendingFileRenameOperations requests (and tell me if you get any of these!)
-> Restart your computer if Killbox won't do it.

(If you get this error when running Killbox: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid.", download Missingfilessetup.exe from here to your desktop and run the file, then try running Killbox -> http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe)

Run ATF Cleaner -> Check select all -> Press Empty selected

When in safemode, open SmitfraudFix folder and doubleclick the file smitfraudfix.cmd
Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.

The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".

The tool might have to restart your computer; if it won't do it, restart your computer back to normal mode.
A textfile will appear after the cleaning process, copy this file and paste it to here.

The log is saved to your local disk drive, usually C:\rapport.txt.

Warning : Running option 2 in a clean computer will delete your desktop wallpaper.

Scan and clean your computer with Ewido and save the report.

Post the following logs to here:
-> a fresh HijackThis log
-> Ewido's log
-> C:\Rapport.txt

-----------------------------------------------------------------------------------------------------------------

@USCGCWO69

Ok, you got a massive collection of infections on your computer....

Cleaning instructions:

Move HijackThis into its own folder C:\HJT

Download and install Ewido anti-malware -> http://www.ewido.net/en/download
Update it, but do NOT run a scan yet. We'll use it later.

Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1
Do NOT run yet.

Download LSPFix -> http://www.cexx.org/lspfix.htm to your desktop.
Don't run this program yet. This program is used only if you lost your internet connection during the cleaning.

Go to Control Panel -> Add/Remove programs -> Remove PuritySCAN By OIN, OuterInfo, OIN, New.Net, NewDotNet, WebHancer or similars if found

If PuritySCAN By OIN, OuterInfo, OIN were not listed, download this uninstaller and run it -> http://www.outerinfo.com/OiUninstaller.exe
Instructions for the uninstaller if needed -> http://www.outerinfo.com/howto.html

--->IF New.Net or NewDotNet ain't listed in add/or remove programs, do this<---

1. Unplug your internet cable.
2. Disable your antispyware and antivirus.
3. Download NNuninstall to your desktop http://www.new.net/support/NNuninstall.exe
4. Run NNuninstall.exe file.
-> It asks if you want to remove New.Net
-> Click Yes.
-> When it is done click OK.
-> Restart your computer
5. Restart your antivirus.
6. Plug your internet cable back.
7. Empty the recycle bin.

(IF you lost your internet connection during the new.net removal, double-click LSPFix.exe. Check the "I know what I'm doing" option. You see two panels; if something is listed in the "Remove" panel on the right side, leave it there and press "Finish>>". Then restart your computer and the connection should work. If nothing is listed in the "Remove" panel, DO NOTHING, close LSPFix. Go to some different machine to get help. (This is just a precaution. Usually the internet connection stays ok ;) )

-->Then continue from here<---

Download E2TakeOut.exe and unzip it to your desktop ->
-> Doubleclick E2TakeOut.exe
-> Click Begin Removal
-> Wait for the scan to end
-> Restart your computer
-> A logfile should open, copy its contents to your next reply

Download SmitfraudFix.zip to your desktop -> http://siri.urz.free.fr/Fix/SmitfraudFix.zip

Unzip it (folder named SmitFraudFix) to your desktop:

Open the folder SmitfraudFix and doubleclick smitfraudfix.cmd
Choose option #1 - Search by typing 1 and pressing "Enter"; a textfile opens and lists the infected files (if those exist)

Post the contents of this textfile to here.

(Some antiviruses recognise process.exe as malware. It is not malware, it is a program that stops processes)


Post the following logs to here:
-> a fresh HijackThis log
-> SmitFraudFix log
-> E2TakeOut log

Then we'll continue. Note: You're NOT CLEAN yet!!

I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's Unsupportive atmosphere.

This message has been edited since posting. Last time this message was edited on 25. June 2006 @ 08:11

USCGCWO69
Newbie
25. June 2006 @ 09:02
Thank you for your help thus far! Completed all requested actions; here are the logfiles:

E2TakeOut v1.00 [http://www.malwarebytes.org]

Removed orphaned leftovers
AppInit key reset



SmitFraudFix v2.65

Scan done at 11:58:29.45, Sun 06/25/2006
Run from C:\Documents and Settings\Darin Qualkenbush\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\drsmartload2.dat FOUND !
C:\WINDOWS\newname.dat FOUND !
C:\WINDOWS\teller2.chk FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp???.tmp FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\ts.ico FOUND !
C:\WINDOWS\system32\users32.exe FOUND !
C:\WINDOWS\system32\zlbw.dll FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Darin Qualkenbush\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DARINQ~1\FAVORI~1

C:\DOCUME~1\DARINQ~1\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\WINDOWS\\system32\\ad.html"
"SubscribedURL"=""
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{af3fd9a8-1287-4159-9212-9a5b4494af70}"="ecosystems"

[HKEY_CLASSES_ROOT\CLSID\{af3fd9a8-1287-4159-9212-9a5b4494af70}\InProcServer32]
@="C:\WINDOWS\system32\guxxa.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{af3fd9a8-1287-4159-9212-9a5b4494af70}\InProcServer32]
@="C:\WINDOWS\system32\guxxa.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Logfile of HijackThis v1.99.1
Scan saved at 11:59:57 AM, on 6/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
C:\WINDOWS\system32\dcomcfg.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\BellSouth Internet Tools\blsloader.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\McAfee.com\VSO\mcvsshld.exe
C:\Program Files\Support.com\BellSouth\hcenter.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
C:\Program Files\McAfee.com\VSO\oasclnt.exe
C:\PROGRA~1\mcafee.com\mps\mscifapp.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
C:\WINDOWS\MMKeybd.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Magical Gatherings\Magical Gatherings.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Netropa\Traymon.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Netropa\OSD.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Microsoft Works\MSWorks.exe
C:\Documents and Settings\Darin Qualkenbush\Desktop\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qsdgm.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,cnjjwdv.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000010} - C:\WINDOWS\DH.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BlspcHlpr Class - {15C9938F-CB96-496D-800A-B827F2E34EA1} - C:\Program Files\BellSouth Internet Tools\blspc.dll
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll (file missing)
O2 - BHO: Nothing - {686a161d-5bd1-4999-8832-6393f41e564c} - C:\WINDOWS\system32\hp100.tmp
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: Yvakt Class - {BA3DDC15-3EF1-4DC7-B9B6-ED0403F9422A} - C:\WINDOWS\system32\OUGHYA~1.DLL (file missing)
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [CQ4d6] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [blspcloader] "C:\Program Files\BellSouth Internet Tools\blsloader.exe"
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MPFEXE] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [tgcmd] "C:\Program Files\Support.com\BellSouth\hcenter.exe" /starthidden /tgcmdwrapper
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [OSS] C:\WINDOWS\SYSTEM32\ossproxy.exe -boot
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [mmtask] "C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe"
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X84-X85.exe
O4 - HKLM\..\Run: [Lexmark X84-X85 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X84-X85.exe
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\MMKeybd.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [aapsmv] C:\WINDOWS\system32\bjlcmx.exe reg_run
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - HKCU\..\Run: [wwwun] C:\WINDOWS\system32\bjlcmx.exe reg_run
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [ESPN BottomLine] C:\Program Files\ESPN\BottomLine\bline.exe
O4 - HKCU\..\Run: [dpnnin] C:\WINDOWS\system32\dpnnin.exe
O4 - HKCU\..\Run: [Magical Gatherings] "C:\Program Files\Magical Gatherings\Magical Gatherings.exe" -r
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: sqxds.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\PROGRA~1\mcafee\SPAMKI~1\mcapfbho.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mp4: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple...
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/alien.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab32846.cab
O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINDOWS\system32\OUGHYA~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\RGFyaW4gUXVhbGtlbmJ1c2g\command.exe (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\tsmavvc.exe (file missing)
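
A first-pass triage of a HijackThis log like the one above, as an added example that is not part of any post in this thread: it parses the entry lines and marks those HijackThis itself annotated "(file missing)" or "(no file)", services listed with "Unknown owner", and F2 Shell/UserInit values that name more than one program. The function names and flag labels are this example's own, the sample lines are an excerpt copied from the log above, and a flag means "review this entry", not "infected".

```python
import re
from collections import namedtuple

# One parsed log entry: section code (R3, F2, O2, O23 ...), the rest of the
# line, and the review flags this example attaches to it.
Entry = namedtuple("Entry", "code body flags")

# Excerpt copied from the HijackThis log posted above (not the full log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qsdgm.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,cnjjwdv.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000010} - C:\WINDOWS\DH.dll (file missing)
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# Entry lines start with a section code such as "R3", "F2", "O4" or "O23",
# followed by " - ". Header lines and the process list do not match.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")


def flag_entry(code, body):
    """Return the review flags for one entry (labels are this example's own)."""
    flags = []
    # HijackThis appends these markers when the referenced file is absent.
    if body.endswith("(file missing)") or body.endswith("(no file)"):
        flags.append("orphaned")
    # Service entries with no company name in the owner field.
    if code == "O23" and " - Unknown owner - " in body:
        flags.append("unknown-owner")
    # F2 lines report the Shell / UserInit values; more than one program in
    # the comma-separated value means something was appended to it.
    if code == "F2" and "=" in body:
        value = body.split("=", 1)[1]
        programs = [p.strip() for p in value.split(",") if p.strip()]
        if len(programs) > 1:
            flags.append("extra-startup-program")
    return flags


def parse_entries(log_text):
    """Parse every entry line of a HijackThis log into Entry records."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if not match:
            continue  # header, running-process path, or blank line
        code, body = match.groups()
        entries.append(Entry(code, body, tuple(flag_entry(code, body))))
    return entries


def review_list(log_text):
    """Return only the entries that carry at least one review flag."""
    return [entry for entry in parse_entries(log_text) if entry.flags]


if __name__ == "__main__":
    for entry in review_list(SAMPLE_LOG):
        print(f"{entry.code:<4} {', '.join(entry.flags):<32} {entry.body}")
```
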
lemosc
Newbie
25. June 2006 @ 09:55
Thank you, that was lots of work but we may have done the job. Here are the logs as requested:
Logfile of HijackThis v1.99.1
Scan saved at 1:09:05 PM, on 6/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
E:\Program Files\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\bin\HPOVDX05.EXE
C:\WINDOWS\system32\hpoipm07.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AS00_Netgear] C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [7d0ce104.exe] C:\Documents and Settings\Admin\Local Settings\Application Data\7d0ce104.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP OfficeJet T Series Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



SmitFraudFix v2.65

Scan done at 13:03:18.25, Sun 06/25/2006
Run from C:\Documents and Settings\Admin\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

The Ewido report was blank. "no infected objects found"

I look forward to your reply!

Carlos
nzhuhu
Suspended due to non-functional email address
25. June 2006 @ 10:09
Please help me!!! My home page is ok now, but my Internet Download Manager is always asking me to download a file from nowhere!!!

SmitFraudFix v2.65

Scan done at 6:04:57.15, Mon 26/06/2006
Run from C:\Documents and Settings\Henry Nguyen\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Henry Nguyen\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\HENRYN~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{259BA022-2005-45E9-A965-10EDB9C00605}"="Windows Updater"

[HKEY_CLASSES_ROOT\CLSID\{259BA022-2005-45E9-A965-10EDB9C00605}\InProcServer32]
@="C:\WINDOWS\g1719968.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{259BA022-2005-45E9-A965-10EDB9C00605}\InProcServer32]
@="C:\WINDOWS\g1719968.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



Thank you so much you guys !!!


Fuck It Virus !!!
nzhuhu
Suspended due to non-functional email address
25. June 2006 @ 10:14
Also I got some kind of Virus Alert (advising me to download Anti Virus or something) whenever I do my search on Internet Explorer!!!

Fuck It Virus !!!
Senior Member
25. June 2006 @ 11:01
@USCGCWO69

Ok, let's clean the rest of the infections...

Cleaning instructions:

Move HijackThis into its own folder C:\HJT

Go to Control Panel -> Add/Remove programs -> Remove WebRebates4 if found

Download ATF Cleaner by Atribune to your desktop -> http://www.atribune.org/ccount/click.php?id=1
Do NOT run yet.

Download FixAbwiz.exe to your desktop -> http://securityresponse.symantec.com/avcenter/FixAbwiz.exe
Do NOT use this yet!

Download BFU.zip -> http://www.merijn.org/files/bfu.zip
Unzip it to folder C:\BFU

Download this removal script, rightclick, "save target as" -> http://metallica.geekstogo.com/alcanshorty.bfu
And save it to the same folder where BFU was installed earlier (c:\BFU).
Do NOT use this yet!

Download this removal script, rightclick, "save target as" -> http://downloads.subratam.org/Lon/qooFix.bat
And save it to the same folder where BFU was installed earlier (c:\BFU).

Please close ALL other open windows & Explorer folders, then double-click on QooFix.bat
Choose option #1 (Qoolfix autofix) and follow the prompts.
Please be patient, it will take about five minutes.

Run HijackThis. Press Do a system scan only, then close all other windows, checkmark the following entries and press Fix checked

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\qsdgm.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,cnjjwdv.exe
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000010} - C:\WINDOWS\DH.dll (file missing)
O2 - BHO: (no name) - {6001CDF7-6F45-471b-A203-0225615E35A7} - C:\WINDOWS\DH.dll (file missing)
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: Yvakt Class - {BA3DDC15-3EF1-4DC7-B9B6-ED0403F9422A} - C:\WINDOWS\system32\OUGHYA~1.DLL (file missing)
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: (no name) - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - (no file)
O4 - HKLM\..\Run: [CQ4d6] "C:\WINDOWS\system32\slk8x2peu.exe"
O4 - HKLM\..\Run: [webHancer Survey Companion] "C:\Program Files\webHancer\Programs\whSurvey.exe"
O4 - HKLM\..\Run: [OSS] C:\WINDOWS\SYSTEM32\ossproxy.exe -boot
O4 - HKLM\..\Run: [aapsmv] C:\WINDOWS\system32\bjlcmx.exe reg_run
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - HKCU\..\Run: [wwwun] C:\WINDOWS\system32\bjlcmx.exe reg_run
O4 - HKCU\..\Run: [irssyncd] C:\WINDOWS\system32\irssyncd.exe
O4 - HKCU\..\Run: [dpnnin] C:\WINDOWS\system32\dpnnin.exe
O4 - Global Startup: sqxds.exe
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {7149E79C-DC19-4C5E-A53C-A54DDF75EEE9} (IObjSafety.DemoCtl) - http://cabs.media-motor.net/cabs/alien.cab
O18 - Filter: text/html - {D332110E-3EDB-417B-B8E2-297B61C074C6} - C:\WINDOWS\system32\OUGHYA~1.DLL

Open Notepad
-> copy the following lines into a new document:

@echo off
sc stop "Windows Overlay Components"
sc delete "Windows Overlay Components"

Save the document to your desktop as Removal.bat and filetype: All Files
Go to your desktop and run the file Removal.bat and answer yes to any questions.

Make your hidden files visible -> http://www.bleepingcomputer.com/tutorials/tutorial62.html
Restart your computer in safe mode -> http://www.pchell.com/support/safemode.shtml

Press Start -> My Computer -> Go to folder C:\BFU

-> Run BFU by doubleclicking BFU.exe
-> Type or copy/paste this to the "Scriptline to execute" -field: C:\BFU\alcanshorty.bfu
-> Click Execute and let it do its work (You should see a progressbar if you did this right)
-> Wait for the "Complete script execution" box and click OK.
-> Click Exit in order to quit BFU.

Run FixAbwiz.exe and when the cleaning is done, it will open a log, save this log.

Delete these folders (if found):
C:\Program Files\webHancer
C:\Program Files\WebRebates4
C:\Program Files\PurityScan
C:\WINDOWS\RGFyaW4gUXVhbGtlbmJ1c2g

Delete these files (if found):
C:\WINDOWS\system32\slk8x2peu.exe
C:\WINDOWS\SYSTEM32\ossproxy.exe
C:\WINDOWS\system32\irssyncd.exe
C:\WINDOWS\system32\dpnnin.exe
C:\WINDOWS\tsmavvc.exe

Use the Windows "search" function
-> Start
-> Search
-> All files and folders
-> More advanced options

Checkmark these options:
- "Search system folders"
- "Search hidden files and folders"
- "Search subfolders"

->Search for this and delete if found: sqxds.exe

Run ATF Cleaner -> Check select all -> Press Empty selected

Scan and clean your computer with Ewido and save the report.

Clean the Recycle bin.

When in safemode, open SmitfraudFix folder and doubleclick the file smitfraudfix.cmd
Choose option #2 - Clean by typing 2 and pressing "Enter" in order to remove the infected files.

You are asked: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove your desktop wallpaper and the infected registry keys.

The tool checks if wininet.dll file is infected. You might be asked to replace the infected .dll (if found); answer "Yes" by typing Y and press "Enter".

The tool might have to restart your computer; if it doesn't, restart your computer back to normal mode.
A text file will appear after the cleaning process; copy this file and paste it here.

The log is saved to your local disk drive, usually C:\rapport.txt.

Warning: Running option 2 on a clean computer will delete your desktop wallpaper.

Restart your computer normally.

Post the following logs here:
-> a fresh HijackThis log
-> Ewido's log
-> Contents of C:\Rapport.txt
-> FixAbwiz log

------------------------------------------------------------------------------------------------------------------------

@lemosc

Ok we'll have to use a stronger tool....

Open Notepad
-> copy the following lines into a new document:

@echo off
sc stop r_server
sc delete r_server

Save the document to your desktop as Removal.bat and filetype: All Files
Go to your desktop and run the file Removal.bat and answer yes to any questions.

1. Download Avenger -> http://swandog46.geekstogo.com/avenger.zip and unzip it to desktop
2. Copy all text in the quote box below to Notepad (starting from "Files to delete:")

Quote:
Files to delete:
C:\WINDOWS\system32\7d0ce104.exe
C:\Documents and Settings\Admin\Local Settings\Application Data\7d0ce104.exe
C:\WINDOWS\system32\r_server.exe
Notice: This script is for this user. If you aren't that user, DON'T follow these instructions, because they might harm your system

3. Now, open The Avenger
-> Below "Script file to execute" select "Input Script Manually".
->Now click magnifying glass which opens a new window "View/edit script".
-> Paste the text you earlier copied to Notepad here
-> Click Done.
-> Now click green light in order to start script.
-> Click "Yes" .

4. Avenger will do the following
-> Reboot your computer.
-> While booting, it will open a DOS prompt; that's normal
-> After reboot it will create a logfile which should open. This log is in C:\avenger.txt
-> Avenger has created a backup here -> C:\avenger\backup.zip.

5. Copy/paste contents of avenger.txt along with a fresh HjT-log & Ewido log.

----------------------------------------------------------------------------------------------------------------

@nzhuhu

Please create a new thread here -> http://forums.afterdawn.com/forum_view.cfm/166

Then post your HijackThis log there.

Instructions for HjT posting -> http://forums.afterdawn.com/thread_view.cfm/263784

I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's Unsupportive atmosphere.

This message has been edited since posting. Last time this message was edited on 25. June 2006 @ 11:02

lemosc
Newbie
25. June 2006 @ 17:10
Well, I hope this does it; again, thank you very much for all the help.

Carlos
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gbvqnmuw

*******************

Script file located at: \??\C:\Documents and Settings\bdngvthy.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



File C:\WINDOWS\system32\7d0ce104.exe not found!
Deletion of file C:\WINDOWS\system32\7d0ce104.exe failed!

Could not process line:
C:\WINDOWS\system32\7d0ce104.exe
Status: 0xc0000034



File C:\Documents and Settings\Admin\Local Settings\Application Data\7d0ce104.exe not found!
Deletion of file C:\Documents and Settings\Admin\Local Settings\Application Data\7d0ce104.exe failed!

Could not process line:
C:\Documents and Settings\Admin\Local Settings\Application Data\7d0ce104.exe
Status: 0xc0000034



File C:\WINDOWS\system32\r_server.exe not found!
Deletion of file C:\WINDOWS\system32\r_server.exe failed!

Could not process line:
C:\WINDOWS\system32\r_server.exe
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:04:08 PM, 6/25/2006
+ Report-Checksum: A33A32F5

+ Scan result:

C:\Documents and Settings\Admin\Cookies\admin@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Admin\Cookies\admin@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Admin\Cookies\admin@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup


::Report End

Logfile of HijackThis v1.99.1
Scan saved at 9:06:21 PM, on 6/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
E:\Program Files\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\bin\HPOVDX05.EXE
C:\WINDOWS\system32\hpoipm07.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.aopa.org/members/wx/?
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AS00_Netgear] C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [7d0ce104.exe] C:\Documents and Settings\Admin\Local Settings\Application Data\7d0ce104.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP OfficeJet T Series Startup.lnk = C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
Senior Member
25. June 2006 @ 19:53
@lemosc

Ok good, one more thing, fix the following entry with HijackThis:

O4 - HKCU\..\Run: [7d0ce104.exe] C:\Documents and Settings\Admin\Local Settings\Application Data\7d0ce104.exe

Reboot.

Post a fresh HijackThis log here once more.
If the new log is clean, then you're clean :)





I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's Unsupportive atmosphere.
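
The check behind the advice in the post above, as an added example that is not part of the original posts and not the tools' own code: cross-reference the paths The Avenger could not process with the HijackThis entries that still point at them. The log excerpts are copied from the logs posted earlier in this thread; the function names and regular expressions are illustrative assumptions about the two log formats as they appear here.

```python
import re

# NTSTATUS values seen in the Avenger log on this page.
# 0xC0000034 means the named object (here, the file) does not exist.
NTSTATUS_NAMES = {0xC0000034: "STATUS_OBJECT_NAME_NOT_FOUND"}

# Excerpt of the Avenger log posted in this thread.
AVENGER_LOG = r'''
File C:\WINDOWS\system32\7d0ce104.exe not found!
Deletion of file C:\WINDOWS\system32\7d0ce104.exe failed!

Could not process line:
C:\WINDOWS\system32\7d0ce104.exe
Status: 0xc0000034

Could not process line:
C:\Documents and Settings\Admin\Local Settings\Application Data\7d0ce104.exe
Status: 0xc0000034

Could not process line:
C:\WINDOWS\system32\r_server.exe
Status: 0xc0000034
'''

# Excerpt of the HijackThis log posted in this thread.
HJT_LOG = r'''
Running processes:
C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [7d0ce104.exe] C:\Documents and Settings\Admin\Local Settings\Application Data\7d0ce104.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
'''

FAILED_LINE = re.compile(
    r"Could not process line:\s*\n(?P<path>.+?)\s*\nStatus: (?P<status>0x[0-9a-fA-F]+)"
)
HJT_ENTRY = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
WIN_PATH = re.compile(r"\b[A-Za-z]:\\.*?\.(?:exe|dll)", re.IGNORECASE)
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def unprocessed_paths(avenger_log):
    """Map each path The Avenger could not process (lower-cased) to its status name."""
    result = {}
    for match in FAILED_LINE.finditer(avenger_log):
        code = int(match.group("status"), 16)
        result[match.group("path").lower()] = NTSTATUS_NAMES.get(code, hex(code))
    return result


def orphaned_entries(hjt_log, avenger_log=""):
    """Return (section, path, reasons) for entries whose target file no longer exists."""
    gone = unprocessed_paths(avenger_log)
    findings = []
    for line in hjt_log.splitlines():
        entry = HJT_ENTRY.match(line.strip())
        if not entry:
            continue  # header or running-process line, not a registry/autostart entry
        body = entry.group("body")
        path_match = WIN_PATH.search(body)
        path = path_match.group(0) if path_match else None
        reasons = []
        if body.rstrip().endswith(ORPHAN_MARKERS):
            reasons.append("HijackThis marks the target as missing")
        if path and path.lower() in gone:
            reasons.append("The Avenger: " + gone[path.lower()])
        if reasons:
            findings.append((entry.group("section"), path, reasons))
    return findings


if __name__ == "__main__":
    for section, path, reasons in orphaned_entries(HJT_LOG, AVENGER_LOG):
        print(section, path, "->", "; ".join(reasons))
```

An entry reported here is a leftover reference, not a running threat: the file is already gone, so the remaining step is removing the autostart entry or disabling the service that still names it.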
sambro
Newbie
25. June 2006 @ 20:51
Here we go, how is that

Logfile of HijackThis v1.99.1
Scan saved at 2:29:25 PM, on 26/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis_v1.99.1.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NAV CfgWiz] C:\PROGRA~1\NORTON~2\Cfgwiz.exe /R
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{F32D33BA-7E2D-49A2-A963-92B379F23FF6}: NameServer = 172.16.5.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Netropa NHK Server (nhksrv) - Unknown owner - C:\Program Files\Netropa\Multimedia Keyboard\nhksrv.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~2\SYMANT~1\Rtvscan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

And the EWIDO log
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:50:45 PM 26/06/2006

+ Scan result:



[1980] C:\DOCUME~1\Sam\APPLIC~1\GRIMSU~1\Surf Barb.exe -> Downloader.Swizzor.bo : Cleaned with backup (quarantined).
C:\Documents and Settings\Jill\Local Settings\Temporary Internet Files\Content.IE5\QPCBKN4P\fammigodere[1].exe -> Heuristic.Win32.Dialer : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\GPIVKTEZ\WinAntiVirusPro2006FreeInstall[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.j : Cleaned.
C:\Documents and Settings\Sam\Cookies\sam@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned.
C:\Documents and Settings\Sam\Cookies\sam@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SLUZCDAF\WinFixer2006FreeInstall[1].exe -> Trojan.Fakealert : Cleaned with backup (quarantined).
C:\Program Files\WinFixer2006FreeInstall.exe -> Trojan.Fakealert : Cleaned with backup (quarantined).


::Report end



as well as the findlop text (this is all that came up)

[TRACE] Enumerating jobs and queues



Cheers
sambro
Senior Member
26. June 2006 @ 06:53
@sambro

OK almost there ;)

Make your hidden files visible and delete the following folder if found:
C:\Documents and Settings\Sam\Application Data\GRIMSU~1

Make your hidden files hidden again.


You should update your Java (the old version has all kinds of vulnerabilities)

1. Click "Start"-> "Control panel" -> Double-click Java icon (coffee cup)
2. Move to "Update" tab and update Java by clicking "Update Now". After that do a restart.
3. If you can't make automatic update, get new version manually from here -> http://www.java.com/en/download/manual.jsp
4. After updating, uninstall the old Java (if found) from Add/Remove Programs, named as
J2SE Runtime Environment 5.0 Update 6

Now that you're clean, here are some tips on how to stay clean.

-> Stand Up and Be Counted, Malware Complaints -> http://www.malwarecomplaints.info
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

-> Clear your system restore -> http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore...
This will clear the system restore folders from possible malware that was left behind during the cleaning process. Remember to create a new restore point after the cleaning.

-> Use CCleaner -> http://www.ccleaner.com
Download and install CCleaner. Clean your registry and temporary files with it regularly.

-> Use Ad-Aware -> http://www.bleepingcomputer.com/forums/?showtutorial=48
Download and install Ad-Aware. Update it and scan your computer regularly with it.

-> Use Ewido -> http://www.ewido.net/en
Download and install Ewido. Update it and scan your computer regularly with it.

-> Install SpywareBlaster -> http://www.javacoolsoftware.com/spywareblaster.html
SpywareBlaster will prevent spyware from being installed to your computer.

-> Install MVPS Hosts file -> http://mvps.org/winhelp2002/hosts.htm
This prevents your computer from connecting to harmful sites.

-> Change your browser to Firefox -> http://www.mozilla.org
Firefox is a faster, safer and quicker browser than Internet Explorer.

-> Keep your system up-to-date -> http://windowsupdate.microsoft.com
Visit Windows Update regularly.

-> Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

-> Read this article by TonyKlein -> http://castlecops.com/postlite7736-.html
So how did I get infected in the first place?

Stay clean ;)

I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's Unsupportive atmosphere.
sambro
Newbie
27. June 2006 @ 01:06
Cheers Buddy, I owe you one
Senior Member
27. June 2006 @ 06:32
You're welcome :)

I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's Unsupportive atmosphere.
lemosc
Newbie
27. June 2006 @ 13:12
I was not able to find the file you wanted me to fix in HjT; here is a new log, please review and let me know if you see anything that needs fixing. By the way, if you drink beer I owe you a few... thank you!
Logfile of HijackThis v1.99.1
Scan saved at 5:08:48 PM, on 6/27/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\NETGEAR\Wireless Smart Configuration\Utility\NetgearAG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
E:\Program Files\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Tracker Software\PDF-XChange 3\pdfSaver\pdfSaver3.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\Bin\HPOstr05.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Hewlett-Packard\HP OfficeJet T Series\bin\HPOVDX05.EXE
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program

Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} -

C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program

files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program

Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program

Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program

files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [AS00_Netgear] C:\Program Files\NETGEAR\Wireless Smart

Configuration\Utility\NetgearAG.exe -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [pdfSaver3] "C:\Program Files\Tracker Software\PDF-XChange

3\pdfSaver\pdfSaver3.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program

Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat

6.0\Distillr\acrotray.exe
O4 - Global Startup: HP OfficeJet T Series Startup.lnk = C:\Program Files\Hewlett-Packard\HP

OfficeJet T Series\Bin\HPOstr05.exe
O4 - Global Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program

Files\Microsoft Office\OFFICE11\ONENOTEM.EXE
O8 - Extra context menu item: &Google Search - res://c:\program

files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program

files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program

files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program

files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program

files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program

files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} -

C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation

Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -

http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/...

60583292
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

regards
Carlos
Senior Member
28. June 2006 @ 06:45
OK almost clean :)

Do this:
Start -> Run -> Copy/paste this to the field: services.msc

Then search this from the list: Remote Administrator Service (r_server)

Right-click it and press Stop

Then press Properties -> Set Startup type to Disabled
Then close the window.

Then:
Start -> Run -> Copy/paste this to the field: sc delete "Remote Administrator Service"

Then restart your computer normally. Scan again with HjT and post a fresh log.


I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's Unsupportive atmosphere.

This message has been edited since posting. Last time this message was edited on 28. June 2006 @ 06:46

out_ter
Newbie
8. July 2006 @ 01:44
Hey, I need a bit of help getting rid of this virus as well. Plz help. Thanks in advance.

Here's my HijackThis log file and rapport.

SmitFraudFix v2.68b

Scan done at 11:28:15.68, Fri 07/07/2006
Run from C:\Documents and Settings\Michael\My Documents\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\hp???.tmp FOUND !
C:\WINDOWS\system32\hp????.tmp FOUND !
C:\WINDOWS\system32\ld???.tmp FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !
C:\WINDOWS\system32\1024\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Michael\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Michael\FAVORI~1

C:\DOCUME~1\Michael\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop

C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\SpyQuake2.com\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"furnariidae"="{89e4aaba-3b21-49b3-b922-8ca35193c68e}"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Logfile of HijackThis v1.99.1
Scan saved at 11:11:41 AM, on 7/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
c:\PROGRA~1\mcafee.com\vso\OasClnt.exe
c:\program files\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\SCURIT~1\RVICES~1.EXE
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\McAfee.com\Personal Firewall\MpfTray.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe
c:\program files\mcafee.com\mps\mscifapp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Michael\Desktop\HijackThis_v1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R3 - URLSearchHook: (no name) - {608E5C47-CEA8-9F76-A348-ED2B21BB83BA} - (no file)
O2 - BHO: McBrwHelper Class - {227B8AA8-DAF2-4892-BD1D-73F568BCB24E} - c:\program files\mcafee.com\mps\mcbrhlpr.dll
O2 - BHO: McAfee PopupKiller - {3EC8255F-E043-4cae-8B3B-B191550C2A22} - c:\program files\mcafee.com\mps\popupkiller.dll
O2 - BHO: McAfee Anti-Phishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {5f4c3d09-b3b9-4f88-aa82-31332fee1c08} - C:\WINDOWS\system32\hp100.tmp
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [VSOCheckTask] "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] C:\Program Files\McAfee.com\VSO\mcvsshld.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\McAfee.com\VSO\oasclnt.exe
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [MPSExe] c:\PROGRA~1\mcafee.com\mps\mscifapp.exe /embedding
O4 - HKLM\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\PROGRA~1\McAfee\SPAMKI~1\MSKDetct.exe /startup
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [CleanUp] C:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\RunOnce: [mcbrhlpr.dll] rundll32.exe advpack.dll,RegisterOCX c:\PROGRA~1\mcafee.com\mps\mcbrhlpr.dll
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Lare] "C:\DOCUME~1\Michael\APPLIC~1\ASEMBL~1\rundll.exe" -vt yazr
O4 - HKCU\..\Run: [Cvxeiski] C:\WINDOWS\SCURIT~1\RVICES~1.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee Anti-Phishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://michaelmakesucrazy.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = qld.bigpond.net.au
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\wuauboot.dll
O20 - Winlogon Notify: gebbbax - gebbbax.dll (file missing)
O20 - Winlogon Notify: winjyg32 - C:\WINDOWS\SYSTEM32\winjyg32.dll
O21 - SSODL: furnariidae - {89e4aaba-3b21-49b3-b922-8ca35193c68e} - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee Personal firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe

thanks:)

dont trust the internet
Senior Member
8. July 2006 @ 06:21
Hi out_ter.

Please create a new topic for your problem here -> http://forums.afterdawn.com/forum_view.cfm/166

Then post your HijackThis log there.

It is just that this thread is now too long and it is getting difficult to instruct you.

We'll help you when you create a new thread :)

I have moved from AD, I won't be taking new HijackThis logs from here. Reason: The AD's Unsupportive atmosphere.
mymaxxy
Junior Member
23. September 2006 @ 16:36
Having trouble with my computer. If I go log onto a web page it is fine. If I go to another web page, all I get is "page cannot be displayed", and if I do manage to get up a page, red X. I used to be able to have more than one web page open.

Logfile of HijackThis v1.99.1
Scan saved at 10:22:46 AM, on 9/24/06
Platform: Windows 98 SE (Win9x 4.10.2222A)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\SYSTEM\KERNEL32.DLL
C:\WINDOWS\SYSTEM\MSGSRV32.EXE
C:\WINDOWS\SYSTEM\MPREXE.EXE
C:\WINDOWS\SYSTEM\mmtask.tsk
C:\WINDOWS\SYSTEM\MSTASK.EXE
C:\WINDOWS\EXPLORER.EXE
C:\WINDOWS\SYSTEM\RNAAPP.EXE
C:\WINDOWS\SYSTEM\TAPISRV.EXE
C:\WINDOWS\TASKMON.EXE
C:\WINDOWS\SYSTEM\STIMON.EXE
C:\PROGRAM FILES\ALCATEL\SPEEDTOUCH USB\DRAGDIAG.EXE
C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WORKS SHARED\WKUFIND.EXE
C:\WINDOWS\LOADQM.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCGUIDE.EXE
C:\WINDOWS\SYSTEM\SYSTRAY.EXE
C:\WINDOWS\SYSTEM\QTTASK.EXE
C:\PROGRAM FILES\SONY CORPORATION\PICTURE PACKAGE\PICTURE PACKAGE APPLICATIONS\RESIDENCE.EXE
C:\PROGRAM FILES\SONY CORPORATION\PICTURE PACKAGE\PICTURE PACKAGE MENU\SONYTRAY.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOBNZ08.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSOL08.EXE
C:\PROGRAM FILES\MICROSOFT OFFICE\OFFICE\FINDFAST.EXE
C:\WINDOWS\SYSTEM\WMIEXE.EXE
C:\WINDOWS\SYSTEM\DDHELP.EXE
C:\WINDOWS\SYSTEM\SPOOL32.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOEVM08.EXE
C:\PROGRAM FILES\HEWLETT-PACKARD\DIGITAL IMAGING\BIN\HPOSTS08.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCTLCOM.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\PCCIOMON.EXE
C:\PROGRAM FILES\TREND MICRO\INTERNET SECURITY 2005\TMPROXY.EXE
C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\TEMPORARY INTERNET FILES\CONTENT.IE5\8XERCPU7\HIJACKTHIS_V1.99.1[1].EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.westnet.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.westnet.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer - Westnet Internet Services
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\PROGRAM FILES\ADOBE\ACROBAT 5.0\READER\ACTIVEX\ACROIEHELPER.OCX
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - (no file)
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
O4 - HKLM\..\Run: [StillImageMonitor] C:\WINDOWS\SYSTEM\STIMON.EXE
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Alcatel\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\SYSTEM\QTTASK.EXE" -atboottime
O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\SYSTEM\mstask.exe
O4 - HKCU\..\Run: [ccleaner] "C:\PROGRAM FILES\CCLEANER\CCLEANER.exe" /AUTO
O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRAM FILES\CLEANUP!\CLEANUP.exe /WindowsRestart
O4 - HKCU\..\RunServicesOnce: [CleanUp!] C:\PROGRAM FILES\CLEANUP!\CLEANUP.exe /WindowsRestart
O4 - Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O4 - Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Startup: officejet 6100.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hposol08.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredit...?p=ZNxdm414YYAU
O12 - Plugin for .spop: C:\PROGRA~1\INTERN~1\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.westnet.com.au
O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} - http://sp.ask.com/docs/toolbar/download/askbar-inst.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/20040...all/xscan53.cab
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/set...er/imloader.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {BD8667B7-38D8-4C77-B580-18C3E146372C} (Creative Toolbox Plug-in) - http://ak.imgag.com/imgag/cp/install/Crusher.cab
O16 - DPF: {4029B52D-5935-46B6-94F2-AB702CBE6646} (CAddressBook Object) - http://www.fillmycloset.co.uk/FAddressBook.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Mes...nt.cab31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Sol...wn.cab31267.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/...l_v1-0-3-48.cab
Senior Member
23. September 2006 @ 16:48
mymaxxy, you're running HijackThis from a temporary folder. Please go to Add/Remove Programs and uninstall HijackThis. Then, download the zip file again to the desktop. Create a folder in C: named HjT. Extract the HijackThis.exe to the created folder. Run a new scan and save a new log. I don't see that you have Myzor, so please make a new thread pertaining to your problems to avoid confusion.

Csam
Newbie
23. September 2006 @ 20:15
Hi,
Like a dummy, I've gotten myself infected with W32.Myzor.FK@yf.
Can you pleeeease help me?
I've read the previous posts and have gotten everything ready to clean house per the instructions.
Here are the results of the HijackThis scan:

Logfile of HijackThis v1.99.1
Scan saved at 11:58:44 PM, on 9/23/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\X Password Generator\pmsngr.exe
C:\Program Files\X Password Generator\isamonitor.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\X Password Generator\pmmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\X Password Generator\isamini.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\MySpace\IM\MySpaceIM.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {202a961f-23ae-42b1-9505-ffe3c818d717} - C:\Program Files\X Password Generator\isaddon.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Protection Bar - {479fd0cf-5be9-4c63-8cda-b6d371c67bd5} - C:\Program Files\X Password Generator\iesplugin.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Lexmark X73 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X73.exe
O4 - HKLM\..\Run: [Lexmark X73 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X73.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Active Web Reader] C:\Program Files\Deskshare\Active Web Reader\Active Web Reader.exe -background
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [taskdir] C:\WINDOWS\system32\taskdir.exe
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: Audible Download Manager.lnk = C:\Program Files\Audible\Bin\adhelper.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {24D1BDCE-D835-11D6-BF84-0050047EA0E7} (BlueStream_Flash Class) - http://www.rovion.com/Controls/Rovion.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.apple.com.edgesuite.net/...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdat...b?1129044318687
O16 - DPF: {8FCDF9D9-A28B-480F-8C3D-581F119A8AB8} (MediaGatewayX) - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab
O16 - DPF: {9E214F45-89C2-4DE3-94A9-530EB1D05F7E} - http://www.quest3d.com/Quest3D_WebInstall.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: eeler - {1559e6c1-7e5e-4461-9457-6a2dea85eb9f} - C:\WINDOWS\system32\titiau.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

I'd really appreciate your telling me what to do next.
Thanks in advance!!!
Csam
 