Browser Hijack

[prady]

Hi,
I think my broeser has been hijacked. every time i click IE i get a secure32.html page and there are lots of popups which come up inbetween. I tied using adware but not to much effect. I went thru the forums and installed hijackthis. I am ttaching the log file so tat anyone of u can help me in removing the unwanted files or processes, as i am not aware which processes or files are needed

Thanks
Prady
The log file is as follows:-

Logfile of HijackThis v1.99.1
Scan saved at 10:20:44 AM, on 5/9/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\dcmhelp.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\dsrss.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\smsmanger.exe
C:\WINNT\smss.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\taskmgr.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINNT\System32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\winnt\system32\taskmgn.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {90600F33-744E-4834-8BF2-4603F285F390} - C:\WINNT\System32\yayvv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\system32\starter.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [keyboard] c:\windows\keyboard15.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad15.exe
O4 - HKLM\..\Run: [newname] c:\windows\newname15.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe
O4 - HKLM\..\Run: [eventwvr] C:\WINNT\System32\eventwvr.exe
O4 - HKLM\..\Run: [Windows Task Manager] c:\winnt\system32\taskmgn.exe
O4 - HKLM\..\Run: [WINDOWS] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rjatyd.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\Program Files\paytime.exe
O4 - HKLM\..\RunServices: [eventwvr] C:\WINNT\System32\eventwvr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [eventwvr] C:\WINNT\System32\eventwvr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/242f4ec42d7a10f0e906/netzip/RdxIE601.cab
O20 - Winlogon Notify: Internet Settings - C:\WINNT\system32\ir48l5hu1.dll (file missing)
O20 - Winlogon Notify: yayvv - C:\WINNT\System32\yayvv.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Dcom Helper (DcmHlp) - Unknown owner - C:\WINNT\dcmhelp.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: direct sound rss (dsrss) - Unknown owner - C:\WINNT\dsrss.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: smsmanger - Unknown owner - C:\WINNT\smsmanger.exe
O23 - Service: Windows NT Session Manager (SMSS) - Unknown owner - C:\WINNT\smss.exe
O23 - Service: User Initialization (usrinit32) - Unknown owner - C:\WINNT\userinit.exe

 

[Rawe]

Hello and welcome..

Looks like a nice collection there. We need a few steps to clean it up.

Please follow these instructions HERE. Post back with the logs requested.

 

[prady]

Hi Rawe,
I downloaded VundoFix.exe and Double-click VundoFix.exe to run it.
I also Put a check next to Run VundoFix as a task.
I received a message saying vundofix will close and re-open in a minute or less. Clicked OK
But after this VundoFix didnt reopen. I did a scan without putting a check on therun as task option. It gave 0 infected files.
Regards
Prady

 

[prady]

The logfile of hijackThis :-

Logfile of HijackThis v1.99.1
Scan saved at 12:57:20 PM, on 5/9/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\WINNT\dcmhelp.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\dsrss.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\smsmanger.exe
C:\WINNT\smss.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\explorer.exe
C:\WINNT\System32\taskmgr.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINNT\System32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\winnt\system32\taskmgn.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\rundll32.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
D:\spyware\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {90600F33-744E-4834-8BF2-4603F285F390} - C:\WINNT\System32\yayvv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\system32\starter.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [keyboard] c:\windows\keyboard15.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad15.exe
O4 - HKLM\..\Run: [newname] c:\windows\newname15.exe
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\paytime.exe
O4 - HKLM\..\Run: [eventwvr] C:\WINNT\System32\eventwvr.exe
O4 - HKLM\..\Run: [Windows Task Manager] c:\winnt\system32\taskmgn.exe
O4 - HKLM\..\Run: [WINDOWS] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rjatyd.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\Program Files\paytime.exe
O4 - HKLM\..\RunServices: [eventwvr] C:\WINNT\System32\eventwvr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [eventwvr] C:\WINNT\System32\eventwvr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/242f4ec42d7a10f0e906/netzip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3AB16DA-E008-4B79-831F-1DEC2D70BB5F}: NameServer = 61.1.128.65 61.1.128.5
O20 - Winlogon Notify: Internet Settings - C:\WINNT\system32\ir48l5hu1.dll (file missing)
O20 - Winlogon Notify: yayvv - C:\WINNT\System32\yayvv.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Dcom Helper (DcmHlp) - Unknown owner - C:\WINNT\dcmhelp.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: direct sound rss (dsrss) - Unknown owner - C:\WINNT\dsrss.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: smsmanger - Unknown owner - C:\WINNT\smsmanger.exe
O23 - Service: Windows NT Session Manager (SMSS) - Unknown owner - C:\WINNT\smss.exe
O23 - Service: User Initialization (usrinit32) - Unknown owner - C:\WINNT\userinit.exe

 

[Rawe]

Please download SmitfraudFix by S!Ri
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

 

[prady]

Ran SmitFraudFix and the here is the logfile

SmitFraudFix v2.41

Scan done at 13:13:52.48, Tue 05/09/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195]

»»»»»»»»»»»»»»»»»»»»»»»» C:\

C:\secure32.html FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT

C:\WINNT\icont.exe FOUND !
C:\WINNT\uninstDsk.exe FOUND !
C:\WINNT\warnhp.html FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32

C:\WINNT\system32\bin29a.log FOUND !
C:\WINNT\system32\oleext.dll FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\paytime.exe FOUND !
C:\Program Files\secure32.html FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

 

[Rawe]

Please print these instructions out, or save them to a notepad file, as you can't read them during the fix.

Please download the trial version of Ewido Anti-malware here:
http://www.ewido.net/en/download/

Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

==

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process. Do NOT reboot yet.

Warning : running option #2 on a non infected computer will remove your Desktop background.

==

Please run a scan with Ewido:

• Click on scanner
• Click on Complete System Scan and the scan will begin.
• You will be prompted to clean the first infection.
• Select "Perform action on all infections", then proceed.
• Once the scan has completed, there will be a button located on the bottom of the screen named Save report
• Click Save report.
• Save the report .txt file to your desktop or a location where you can find it easily. (Maybe Desktop)
• Close Ewido Anti-Malware.

==

Now, reboot back into Normal mode;

A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Also, post your Ewido Report.txt file and copy & paste it's content to this thread along with a fresh HijackThis log. :bigthumb:

 

[prady]

completed the scans as per the instructions.
Here are the set of logs

Smitfraud:

SmitFraudFix v2.41

Scan done at 10:43:07.06, Wed 05/10/2006
Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195]

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\secure32.html Deleted
C:\WINNT\icont.exe Deleted
C:\WINNT\warnhp.html Deleted
C:\WINNT\system32\bin29a.log Deleted
C:\Program Files\secure32.html Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» End



===========================================

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 11:05:18 AM, 5/10/2006
+ Report-Checksum: DF47487B

+ Scan result:

C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@sexlist[2].txt -> TrackingCookie.Sexlist : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@xxxcounter[1].txt -> TrackingCookie.Xxxcounter : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\CO2VUZOK\contentprotect[1].exe -> Downloader.Adload.aj : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\CO2VUZOK\dri5[1].mp3 -> Dropper.Delf.dh : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\CO2VUZOK\drsmartload45a[1].exe -> Downloader.Adload.aw : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\CO2VUZOK\drsmartload46a[1].exe -> Downloader.Adload.aw : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\CO2VUZOK\keyboard5[1].exe -> Downloader.VB.zl : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\CO2VUZOK\mousepad5[1].exe -> Hijacker.VB.ly : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\K42ZTR9N\keyboard15[1].exe -> Downloader.Adload.ay : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\K42ZTR9N\newname10[1].exe -> Downloader.Adload.ae : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\K42ZTR9N\newname15[1].exe -> Downloader.Adload.ay : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\K42ZTR9N\toeqfliflx[1].txt -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\Q3SOULGV\drsmartload[2].exe -> Downloader.VB.aad : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\Q3SOULGV\drt[1].mp3 -> Dropper.Delf.dh : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\Q3SOULGV\mousepad10[1].exe -> Hijacker.VB.ly : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\Q3SOULGV\mousepad15[1].exe -> Hijacker.VB.mo : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\Q3SOULGV\newname5[1].exe -> Downloader.Adload.ae : Cleaned with backup
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\ZFPJ6OD1\keyboard10[1].exe -> Downloader.Adload.am : Cleaned with backup
C:\WINNT\dcmhelp.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINNT\dsrss.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINNT\smsmanger.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINNT\smss.exe -> Backdoor.IRCBot.rh : Cleaned with backup
C:\WINNT\system32\cbrtcli.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\cmm.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\d277a.exe -> Downloader.Adload.ad : Cleaned with backup
C:\WINNT\system32\drsmartload277a.exe -> Downloader.Adload.ap : Cleaned with backup
C:\WINNT\system32\dssetup.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\edfimg_60215.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINNT\system32\edfimg_62133.exe -> Backdoor.SdBot.xd : Cleaned with backup
C:\WINNT\system32\edfimg_88170.exe -> Backdoor.IRCBot.rh : Cleaned with backup
C:\WINNT\system32\fp4203hoe.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\irr8l59u1.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\mvvbvm50.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\o048lahu1d48.dll -> Adware.Look2Me : Cleaned with backup
C:\WINNT\system32\q8ps0i77e8.dll -> Adware.Look2Me : Cleaned with backup


::Report End

=============================================



Logfile of HijackThis v1.99.1
Scan saved at 11:10:15 AM, on 5/10/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\starter.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINNT\System32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\spyware\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {7B75ECD7-78FB-40A1-B230-E342E162CB2F} - C:\WINNT\System32\yayvv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\system32\starter.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [eventwvr] C:\WINNT\System32\eventwvr.exe
O4 - HKLM\..\Run: [Windows Task Manager] c:\winnt\system32\taskmgn.exe
O4 - HKLM\..\Run: [WINDOWS] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rjatyd.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\Program Files\paytime.exe
O4 - HKLM\..\RunServices: [eventwvr] C:\WINNT\System32\eventwvr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [eventwvr] C:\WINNT\System32\eventwvr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/242f4ec42d7a10f0e906/netzip/RdxIE601.cab
O20 - Winlogon Notify: Internet Settings - C:\WINNT\system32\ir48l5hu1.dll (file missing)
O20 - Winlogon Notify: yayvv - C:\WINNT\System32\yayvv.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Dcom Helper (DcmHlp) - Unknown owner - C:\WINNT\dcmhelp.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: direct sound rss (dsrss) - Unknown owner - C:\WINNT\dsrss.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: smsmanger - Unknown owner - C:\WINNT\smsmanger.exe (file missing)
O23 - Service: Windows NT Session Manager (SMSS) - Unknown owner - C:\WINNT\smss.exe (file missing)
O23 - Service: User Initialization (usrinit32) - Unknown owner - C:\WINNT\userinit.exe (file missing)

I understand there are still things to be done... Thanks for the help provided
regards
Prady

 

[Rawe]

Yes.. There are things to do.

Go ahead and delete SmitFraudFix.

There will still probably be something to clean up even after this step.

==

Please print these instructions out, or write them down, as you can't read them during the fix.

Please copy the following text in the quotebox below to a blank Notepad file. Make sure the filetype is set to "All Files" and save it as Removeservice.bat. to your desktop.

@echo off
sc stop "direct sound rss"
sc stop "Dcom Helper"
sc stop "Network Monitor"
sc stop smsmanger
sc stop "User Initialization"
sc stop "Windows NT Session Manager"
sc delete DcmHlp
sc delete dsrss
sc delete "Network Monitor"
sc delete smsmanger
sc delete usrinit32
sc delete SMSS

Double-click on Removeservice.bat. A window will pop up and close. This is normal.

==

Please download Look2Me-Destroyer to your desktop.

• Double-click Look2Me-Destroyer.exe to run it.
• Put a check next to Run this program as a task.
• You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK
• When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
• Once it's done scanning, click the Remove L2M button.
• You will receive a Done Scanning message, click OK.
• When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
• Your computer will then shutdown.
• Turn your computer back on.
• Please post the contents of C:\Look2Me-Destroyer.txt and a fresh HiJackThis log.

If Look2Me-Destroyer does not reopen automatically, reboot and try again.

 

[prady]

Fresh hijackThis log after running Look2Me-Destroyer.exe

Logfile of HijackThis v1.99.1
Scan saved at 9:45:48 AM, on 5/12/2006
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\starter.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINNT\System32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
D:\spyware\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {7D5EBF31-AD00-405B-A68A-281A5B62C16C} - C:\WINNT\System32\yayvv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\system32\starter.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [eventwvr] C:\WINNT\System32\eventwvr.exe
O4 - HKLM\..\Run: [Windows Task Manager] c:\winnt\system32\taskmgn.exe
O4 - HKLM\..\Run: [WINDOWS] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rjatyd.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\Program Files\paytime.exe
O4 - HKLM\..\RunServices: [eventwvr] C:\WINNT\System32\eventwvr.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [eventwvr] C:\WINNT\System32\eventwvr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/242f4ec42d7a10f0e906/netzip/RdxIE601.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C3AB16DA-E008-4B79-831F-1DEC2D70BB5F}: NameServer = 61.1.128.65 61.1.128.5
O20 - Winlogon Notify: yayvv - C:\WINNT\System32\yayvv.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Dcom Helper (DcmHlp) - Unknown owner - C:\WINNT\dcmhelp.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: direct sound rss (dsrss) - Unknown owner - C:\WINNT\dsrss.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: smsmanger - Unknown owner - C:\WINNT\smsmanger.exe (file missing)
O23 - Service: Windows NT Session Manager (SMSS) - Unknown owner - C:\WINNT\smss.exe (file missing)
O23 - Service: User Initialization (usrinit32) - Unknown owner - C:\WINNT\userinit.exe (file missing)

========================================
Look2Me-Destroyer Log
=======================================

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 5/12/2006 9:38:06 AM

Infected! C:\WINNT\system32\ir48l5hu1.dll

Attempting to delete infected files...

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Internet Settings

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C4126B49-7860-4FB9-A2B8-1C2D1BA06D7E}"
HKCR\Clsid\{C4126B49-7860-4FB9-A2B8-1C2D1BA06D7E}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3FC1605E-C45E-471A-BB51-3098C29448FD}"
HKCR\Clsid\{3FC1605E-C45E-471A-BB51-3098C29448FD}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{3C916491-6043-4EB5-82D3-4EF68968E47C}"
HKCR\Clsid\{3C916491-6043-4EB5-82D3-4EF68968E47C}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{BD1599E9-76A9-4243-A660-739F44CD9EAB}"
HKCR\Clsid\{BD1599E9-76A9-4243-A660-739F44CD9EAB}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{00A60DB6-E6CB-4266-9C47-DA53CBDCED12}"
HKCR\Clsid\{00A60DB6-E6CB-4266-9C47-DA53CBDCED12}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{6467DD7F-4B2E-4FD4-9AE3-B09C57CF6864}"
HKCR\Clsid\{6467DD7F-4B2E-4FD4-9AE3-B09C57CF6864}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

 

[prady]

Go ahead and delete SmitFraudFix

I didnt understand what u meant by deleting SmitFraudFix. Shd i delete the software itself?

 

[Rawe]

Yes.. Delete the folder if you want.

Lets take another approach at this. We'll deal with the services later.

==

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.

• Save it to your desktop.

Do NOT run it yet!

==

Please download MWav:

• Unzip it to its predetermined directory (C:\Kaspersky)
• Locate kavupd.exe in the new folder and double-click to Update.
• If your firewall gives any messages about this program accessing to internet, allow it.
• If it says the signatures are more than 30 days old, keep trying, until you get the actual definition updates.
• When you see Updates Downloaded Successfully, hit Enter to continue.
• Restart onto Safe Mode and locate the Kaspersky folder.
• Locate mwavscan.com and double-click on it to launch the MWAV Scanner.

Now lets do the settings:

• Leave the Default Settings checked.
• Add a check to Drives
• This will light up All Drives
• Add a check to Scan all Files
• Click Scan Clean to begin.

This scan might take around 3+ hours to finish when set to scan everything.

• Please be sure it has finished before proceeding.
• Once the Scan has finished, all entries identified as Infected, will be displayed in the lower panel.
• Highlight everything that is inside the lower panel and hit Ctrl+C at the same time to copy.
• Open an empty notepad file and paste the results (Ctrl+V) to it. Save the notepad to your desktop, name it as you want (e.g; MWav Results).

Do NOT reboot yet!

==

Run a scan with HijackThis and check the following objects for removal if present:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
O2 - BHO: (no name) - {7D5EBF31-AD00-405B-A68A-281A5B62C16C} - C:\WINNT\System32\yayvv.dll
O4 - HKLM\..\Run: [NT Logging Service] syslog32.exe
O4 - HKLM\..\Run: [eventwvr] C:\WINNT\System32\eventwvr.exe
O4 - HKLM\..\Run: [Windows Task Manager] c:\winnt\system32\taskmgn.exe
O4 - HKLM\..\Run: [WINDOWS] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rjatyd.exe
O4 - HKLM\..\Run: [ntdll.dll] C:\Program Files\paytime.exe
O4 - HKLM\..\RunServices: [eventwvr] C:\WINNT\System32\eventwvr.exe
O4 - HKCU\..\Run: [eventwvr] C:\WINNT\System32\eventwvr.exe
O20 - Winlogon Notify: yayvv - C:\WINNT\System32\yayvv.dll

Close ALL other open windows except for HijackThis and hit FIX CHECKED. Close HijackThis.

==

Run Killbox:

• Please double-click Killbox.exe to run it.
• Select:
  • Delete on Reboot
  • then Click on the All Files button.
• Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
  
  C:\windows\system32\blank.htm
  C:\WINNT\System32\eventwvr.exe
  c:\winnt\system32\taskmgn.exe
  C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\rjatyd.exe
  C:\Program Files\paytime.exe
  C:\WINNT\System32\eventwvr.exe
  C:\WINNT\System32\yayvv.dll
  
  
• Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  
• Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

==

Post back with the MWav results and a fresh HijackThis log. :bigthumb:

 

[prady]

I will do the things that you have asked me to do... Looks like its gonna take some time to complete it.. One more thing which i observed was that NAV auto protect is not enabled by default after running all the cleaning operations and restart.. Is there anything to be done to get it enabled after booting the system.
Thanks

 

[Rawe]

Well, for Norton, just open the program, click on the Options tab, check "Start Auto-Protect when Windows starts up (recommended)".

 

[prady]

Completed the scans .....

Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

Yes i got this prompt..

Here are the logs
Logfile of HijackThis v1.99.1

Logfile of HijackThis v1.99.1
Scan saved at 6:06:27 PM, on 5/12/2006
Platform: Windows 2000  (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\starter.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINNT\System32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
D:\spyware\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {B92DA0EA-1B2B-4C25-BDA8-52FDEB4D5B01} - C:\WINNT\System32\yayvv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\system32\starter.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/242f4ec42d7a10f0e906/netzip/RdxIE601.cab
O20 - Winlogon Notify: yayvv - C:\WINNT\System32\yayvv.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: Dcom Helper (DcmHlp) - Unknown owner - C:\WINNT\dcmhelp.exe (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: direct sound rss (dsrss) - Unknown owner - C:\WINNT\dsrss.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: smsmanger - Unknown owner - C:\WINNT\smsmanger.exe (file missing)
O23 - Service: Windows NT Session Manager (SMSS) - Unknown owner - C:\WINNT\smss.exe (file missing)
O23 - Service: User Initialization (usrinit32) - Unknown owner - C:\WINNT\userinit.exe (file missing)

 

[prady]

Mwav Results

File C:\WINNT\System32\yayvv.dll tagged as not-a-virus:AdWare.Win32.Virtumonde.gen. No Action Taken.
File C:\WINNT\System32\a infected by "Trojan-Downloader.BAT.Ftp.j" Virus. Action Taken: File Deleted.
File C:\WINNT\System32\hgddb.dll tagged as not-a-virus:AdWare.Win32.Virtumonde.gen. No Action Taken.
File C:\WINNT\System32\i infected by "Trojan-Downloader.BAT.Ftp.ab" Virus. Action Taken: File Deleted.
File C:\WINNT\System32\o infected by "Trojan-Downloader.BAT.Ftp.ay" Virus. Action Taken: File Deleted.
File C:\WINNT\System32\pmkkl.dll tagged as not-a-virus:AdWare.Win32.Virtumonde.gen. No Action Taken.
File C:\WINNT\System32\wvwuv.dll tagged as not-a-virus:AdWare.Win32.Virtumonde.gen. No Action Taken.
File C:\WINNT\System32\yayvv.dll tagged as not-a-virus:AdWare.Win32.Virtumonde.gen. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\APTemp\AP0.exe infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03000000.VBN infected by "Virus.Win32.Nsag.b" Virus. Action Taken: File Disinfected.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\036C0000.VBN infected by "Backdoor.Win32.SdBot.gen" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800000.VBN infected by "Trojan-Downloader.Win32.Harnig.bg" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800001.VBN infected by "Trojan-Downloader.Win32.Harnig.bg" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800002.VBN infected by "Trojan.Win32.StartPage.adi" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800003.VBN infected by "Trojan.Win32.StartPage.adi" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800004.VBN infected by "Trojan.Win32.Small.ev" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800005.VBN infected by "Trojan.Win32.Small.ev" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800006.VBN infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800007.VBN infected by "Trojan-Proxy.Win32.Small.bo" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800008.VBN infected by "Trojan-Clicker.Win32.Small.kr" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800009.VBN infected by "Trojan-Clicker.Win32.Small.kr" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380000A.VBN infected by "Trojan.Win32.StartPage.adi" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380000B.VBN infected by "Trojan.Win32.StartPage.adi" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380000C.VBN tagged as not-a-virus:AdWare.Win32.BHO.ah. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380000D.VBN tagged as not-a-virus:AdWare.Win32.BHO.ah. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380000E.VBN infected by "Trojan-PSW.Win32.Sinowal.k" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380000F.VBN infected by "Trojan-PSW.Win32.Sinowal.k" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800010.VBN infected by "Backdoor.Win32.Small.he" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800011.VBN infected by "Backdoor.Win32.Small.he" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800012.VBN infected by "Trojan-Clicker.Win32.Small.jf" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800013.VBN infected by "Trojan-Clicker.Win32.Small.jf" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800014.VBN infected by "Trojan-PSW.Win32.Sinowal.d" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800015.VBN infected by "Trojan-PSW.Win32.Sinowal.d" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800016.VBN infected by "Trojan-PSW.Win32.Sinowal.k" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800017.VBN infected by "Trojan-PSW.Win32.Sinowal.k" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800018.VBN infected by "Trojan-PSW.Win32.Sinowal.k" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800019.VBN infected by "Trojan-PSW.Win32.Sinowal.k" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380001A.VBN infected by "Trojan-PSW.Win32.Sinowal.k" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380001B.VBN infected by "Trojan-PSW.Win32.Sinowal.k" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380001C.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380001D.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380001E.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380001F.VBN infected by "Backdoor.Win32.IRCBot.rh" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800020.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800021.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800022.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800023.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800024.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800025.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800026.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800027.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800028.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800029.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380002A.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380002B.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380002C.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380002D.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380002E.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380002F.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800030.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800031.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800032.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800033.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800034.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800035.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800036.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800037.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800038.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton

 

[prady]

AntiVirus Corporate Edition\7.5\Quarantine\03800039.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380003A.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380003B.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380003C.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380003D.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380003E.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380003F.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800040.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800041.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800042.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800043.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800044.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800045.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800046.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800047.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800048.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800049.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380004A.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380004B.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380004C.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380004D.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380004E.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380004F.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800050.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800051.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800052.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800053.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800054.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800055.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800056.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800057.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800058.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800059.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380005A.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380005B.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380005C.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380005D.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380005E.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380005F.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800060.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800061.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800062.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800063.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800064.VBN infected by "Backdoor.Win32.IRCBot.rh" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800065.VBN infected by "Backdoor.Win32.IRCBot.rh" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800066.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800067.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800068.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800069.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380006A.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380006B.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380006C.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380006D.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380006E.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380006F.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800070.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800071.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800072.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800073.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800074.VBN infected by "Backdoor.Win32.IRCBot.rh" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800075.VBN infected by "Backdoor.Win32.IRCBot.rh" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800076.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800077.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800078.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800079.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380007A.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380007B.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380007C.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380007D.VBN infected by "Backdoor.Win32.SdBot.xd" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800080.VBN infected by "Trojan-Downloader.Win32.Harnig.bg" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800081.VBN infected by "Trojan-Downloader.Win32.Harnig.bg" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800082.VBN infected by "Trojan.Win32.Small.ev" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800083.VBN infected by "Trojan.Win32.Small.ev" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800084.VBN infected by "Trojan-Downloader.BAT.Ftp.bw" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800085.VBN infected by "Trojan-Downloader.BAT.Ftp.bw" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800086.VBN tagged as not-a-virus:AdWare.Win32.BHO.ah. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800087.VBN tagged as not-a-virus:AdWare.Win32.BHO.ah. No Action Taken.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800088.VBN infected by "Trojan-Downloader.Win32.Harnig.bd" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03800089.VBN infected by "Trojan-Downloader.Win32.Harnig.bd" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380008A.VBN infected by "Trojan.Win32.Small.ev" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0380008B.VBN infected by "Trojan.Win32.Small.ev" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03A80000.VBN infected by "Exploit.JS.CVE-2006-1359.c" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B80000.VBN infected by "Exploit.JS.CVE-2006-1359.c" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B80001.VBN infected by "Exploit.JS.CVE-2006-1359.c" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B80002.VBN infected by "Exploit.JS.CVE-2006-1359.c" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B80003.VBN infected by "Exploit.JS.CVE-2006-1359.c" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B80004.VBN infected by "Trojan-Clicker.Win32.Small.jf" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B80005.VBN infected by "Trojan-Clicker.Win32.Small.jf" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B80006.VBN infected by "Backdoor.Win32.Agent.tk" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B80007.VBN infected by "Backdoor.Win32.Agent.tk" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B80008.VBN infected by "Backdoor.Win32.Agent.tk" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B80009.VBN infected by "Backdoor.Win32.Agent.tk" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B8000A.VBN infected by "Backdoor.Win32.Agent.tk" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B8000B.VBN infected by "Backdoor.Win32.Agent.tk" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B8000C.VBN infected by "Backdoor.Win32.Agent.tk" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton

 

[prady]

AntiVirus Corporate Edition\7.5\Quarantine\03B8000D.VBN infected by "Backdoor.Win32.Agent.tk" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B8000E.VBN infected by "Backdoor.Win32.Agent.tk" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B8000F.VBN infected by "Backdoor.Win32.Agent.tk" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B80010.VBN infected by "Trojan-Clicker.Win32.Small.jf" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03B80011.VBN infected by "Trojan-Clicker.Win32.Small.jf" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03C00000.VBN infected by "Email-Worm.Win32.Plexus.d" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03E00000.VBN infected by "Net-Worm.Win32.Nanspy.i" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03F40000.VBN infected by "Trojan-Clicker.Win32.Small.jf" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04000000.VBN infected by "Trojan-Clicker.Win32.Small.jf" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04000001.VBN infected by "Trojan-Clicker.Win32.Small.jf" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04080000.VBN infected by "Backdoor.Win32.Small.he" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04100000.VBN infected by "Trojan.Win32.StartPage.adi" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04140000.VBN infected by "Backdoor.Win32.Agobot.gen" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04180000.VBN infected by "Trojan-Clicker.Win32.Small.jf" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04180001.VBN infected by "Trojan-Clicker.Win32.Small.jf" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04180002.VBN infected by "Backdoor.Win32.SdBot.gen" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04180003.VBN infected by "Backdoor.Win32.SdBot.gen" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04180004.VBN infected by "Backdoor.Win32.SdBot.aig" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04180005.VBN infected by "Backdoor.Win32.SdBot.aig" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04180006.VBN infected by "Backdoor.Win32.SdBot.aig" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04180007.VBN infected by "Backdoor.Win32.SdBot.aig" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04180008.VBN infected by "Backdoor.Win32.SdBot.gen" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04180009.VBN infected by "Backdoor.Win32.SdBot.gen" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0418000A.VBN infected by "Net-Worm.Win32.Nanspy.i" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0418000B.VBN infected by "Net-Worm.Win32.Nanspy.i" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04280000.VBN infected by "Trojan-Clicker.Win32.Small.jf" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04300000.VBN infected by "Backdoor.Win32.Agobot.gen" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04480000.VBN infected by "Backdoor.Win32.Agobot.gen" Virus. Action Taken: File Renamed.
File C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\045C0000.VBN infected by "Virus.Win32.Nsag.b" Virus. Action Taken: File Disinfected.
File C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\CO2VUZOK\gakogyc[2].htm infected by "Trojan.Win32.Harnig.a" Virus. Action Taken: File Deleted.
File C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\CO2VUZOK\qygseikhki[1].htm infected by "Trojan.Win32.Harnig.a" Virus. Action Taken: File Deleted.
File C:\WINNT\system32\hgddb.dll tagged as not-a-virus:AdWare.Win32.Virtumonde.gen. No Action Taken.
File C:\WINNT\system32\pmkkl.dll tagged as not-a-virus:AdWare.Win32.Virtumonde.gen. No Action Taken.
File C:\WINNT\system32\wvwuv.dll tagged as not-a-virus:AdWare.Win32.Virtumonde.gen. No Action Taken.
File C:\WINNT\system32\yayvv.dll tagged as not-a-virus:AdWare.Win32.Virtumonde.gen. No Action Taken.

 

[Rawe]

First, delete everything inside your Norton A/V Quarantine.

==

Click Start -> Run and type in:

services.msc

Click "OK".

In the services window find service (one at-a-time); Dcom Helper
direct sound rss
Network Monitor
smsmanger
Windows NT Session Manager
User Initialization

Right-click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Startup Type" in the dropdown menu select "Disabled" (for each at-a-time). Click Apply then "Ok". Exit the Services utility.

==

Lets delete them:

• Open HiJackThis
• Click on the configure button on the bottom right
• Click on the tab "Misc Tools"
• Click on "Delete an NT service"
• Copy and paste this in: DcmHlp
• Click "No" on the prompt, then paste each of the following in and clicking No each time:
  dsrss
  Network Monitor
  smsmanger
  SMSS
  usrinit32
• When you get to the last one (above), hit OK on the prompt and reboot.

==

Please print these instructions out, or write them down, as you can't read them during the fix.

1. Please download The Avenger by Swandog46 to your Desktop.

• Click on Avenger.zip to open the file
• Extract Avenger.exe to your desktop.

2. Copy all the text in bold contained in the quotebox below to a blank notepad file:

Files to delete:
C:\WINNT\System32\hgddb.dll
C:\WINNT\System32\pmkkl.dll
C:\WINNT\System32\wvwuv.dll
C:\WINNT\System32\yayvv.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Script file to execute" choose "Input Script Manually".
• Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
• Paste the text copied to the notepad file into this window
• Click Done
• Now click on the Green Light to begin execution of the script
• Answer "Yes" twice when prompted.

The Avenger will automatically do the following:

• Restarts your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
• On reboot, it briefly opens a black command window on your desktop, this is normal.
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste all the contents of avenger.txt into your reply along with a fresh HJT log by using AddReply.

 

[prady]

Completed the tasks mentioned in the earlier post
and here are the logs

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gcxspnlt

*******************

Script file located at: \??\C:\WINNT\System32\akcvnahe.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINNT\System32\hgddb.dll deleted successfully.
File C:\WINNT\System32\pmkkl.dll deleted successfully.
File C:\WINNT\System32\wvwuv.dll deleted successfully.
File C:\WINNT\System32\yayvv.dll deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

Logfile of HijackThis v1.99.1
Scan saved at 1:36:14 AM, on 5/13/2006
Platform: Windows 2000  (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\CTSvcCDA.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\starter.exe
C:\Program Files\Creative\ShareDLL\CtNotify.exe
C:\WINNT\System32\carpserv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Creative\ShareDLL\MediaDet.Exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\notepad.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\system32\NOTEPAD.EXE
D:\spyware\hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: (no name) - {34F41E65-9C7E-4156-BC57-156D4233970E} - C:\WINNT\System32\yayvv.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [EnsoniqMixer] C:\WINNT\system32\starter.exe
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll
O9 - Extra button: (no name) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - (no file)
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/242f4ec42d7a10f0e906/netzip/RdxIE601.cab
O20 - Winlogon Notify: yayvv - C:\WINNT\System32\yayvv.dll (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTSvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe