Request for help (continued..)



Swoom
2007-01-19, 11:51
Hello, hope you can help. In December I lost the use of my browser: my Google home page disappeared only seconds after opening and was replaced by Klik search with 777-search.info in the Toolbar.
My printer connection seemed to disappear at the same time and wouldn't re-install.
I ran my Spybot several times and it appeared to be fixing the same problem each time, and I ran my AVG Free virus checker and SpywareBlaster too.
I fiddled about a bit and somehow managed to get back use of Google and can surf again, but I'm sure I'm still infected, and I now get a few spam emails that never happened previously.
Also on opening the PC I get a WINLOGIN message '...application failed to start, sfc_os.dll was not found' and I'm not sure if this is part of the problem or the result of something daft I've done whilst trying to fix things.
I have had to do two separate online scans as the scan on my user account hasn't included any of my son's files even though we both have administrator accounts; however, I couldn't run one on my daughter's account as we seem to have lost internet access on hers!
I was unable to open Spybot on the Administrator user account in Safe Mode, so I ran it instead on my son McKenzie's account, which was the only other option available to me in Safe Mode.
Hope this is enough information. Here's the HJT log; the online scan logs follow separately because of lack of space:
a)
Logfile of HijackThis v1.99.1
Scan saved at 09:31:47, on 19/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Nhksrv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ltmsg.exe
C:\WINDOWS\DELLMMKB.EXE
C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\vsnpstd.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\ANTISPYWARE\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = 777-search.info
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.orange.com/english/default.asp
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr6/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;local.,;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange3.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange3.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: 777-search - {BA5D8DF9-1851-4660-B3AE-89E6E030AC34} - C:\WINDOWS\cooltoolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [TIxDSL] C:\PROGRA~1\FREESE~1\BIN\WIN2K\tidslmon.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [ScreenPrint32] C:\Program Files\ScreenPrint32 v3\ScreenPrint32.exe -startup
O4 - HKLM\..\Run: [snpstd] C:\WINDOWS\vsnpstd.exe
O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] winDSL.exe
O4 - HKLM\..\Run: [REGRUN] C:\DOCUME~1\ESMESU~1\LOCALS~1\Temp\RarSFX0\4.exe
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] winDSL.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] winDSL.exe
O4 - HKCU\..\Run: [RealPlayer] "C:\Program Files\Real\RealPlayer\realplay.exe" /RunUPGToolCommandReBoot
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: orange search - file://C:\Program Files\ORANGE3\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://esmemoshinginpink.spaces.live.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166951432406
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1168813275750
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {CDCBE0F1-D13A-4F86-A963-3A272D3ABA7E} - http://advnt01.com/dialer/internazionale_ver15.CAB
O16 - DPF: {CE8267C2-D41A-4A50-A69D-F32B5C289F14} (FileOpenInstaller) - https://www.pcrsubscriptions.co.uk/FileOpen.CAB
O16 - DPF: {D19781C5-2051-44F8-8445-DDC82933C191} - http://advnt03.com/dialer/internazionale_ver11.CAB
O16 - DPF: {DECEAAA2-370A-49BB-9362-68C3A58DDC62} - http://static.zangocash.com/cab/Zango/ie/bridge-c18.cab?2de704c7de34659d1426bdbf7305713b71f63c21a9362cd448d0394fa7e25770eb7c2f805dd491215862bf84e3cc4da159cef9c612b7dca9fb551573457330:22b32e0c79951ba72dbf4c44a0363a5c
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

Swoom
2007-01-19, 13:22
Hi, hope I'm doing this right. Here are the reports from the two online scans I've run, one for my son's user account and one on my own, as the results seem to be different! If you get the feeling I don't know what I'm doing, you'd probably be right!
b) McKenzie's online scan
BitDefender Online Scanner - Scan Report v5.0(Trial)
BitDefender Online Scanner
Scan report generated at: Tue, Jan 16, 2007 - 17:46:13
Scan path: A:\;C:\;D:\;E:\;
Statistics
Time 02:25:49
Files 396268
Folders 6166
Boot Sectors 3
Archives 4807
Packed Files 39744
Results
Identified Viruses 7
Infected Files 11
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 11
Engines Info
Virus Definitions 370654
Engine build AVCORE v1.0 (build 2371) (i386) (Dec 13 2006 11:16:42)
Scan plugins 14
Archive plugins 38
Unpack plugins 6
E-mail plugins 6
System plugins 1
Scan Settings
First Action
Disinfect
Second Action
Delete
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions
Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes
Scanned File Status
C:\Documents and Settings\Mckenzie\Desktop\Microsoft Multimedia.zip=>Microsoft Multimedia/IncrediFindUninstall.exe
Infected with: MemScan:Trojan.Downloader.Keenval.B
C:\Documents and Settings\Mckenzie\Desktop\Microsoft Multimedia.zip=>Microsoft Multimedia/IncrediFindUninstall.exe
Disinfection failed
C:\Documents and Settings\Mckenzie\Desktop\Microsoft Multimedia.zip=>Microsoft Multimedia/IncrediFindUninstall.exe
Deleted
C:\Documents and Settings\Mckenzie\Desktop\Microsoft Multimedia.zip
Updated
C:\Documents and Settings\Mckenzie\Local Settings\Temp\NAV11E.tmp=>[Subject: Mail Transaction Failed][Date: Wed, 28 Jan 2004 16:32:21 +0000]=>(MIME part)=>bvgx.zip=>bvgx.pif
Infected with: Win32.Novarg.A@mm
C:\Documents and Settings\Mckenzie\Local Settings\Temp\NAV11E.tmp=>[Subject: Mail Transaction Failed][Date: Wed, 28 Jan 2004 16:32:21 +0000]=>(MIME part)=>bvgx.zip=>bvgx.pif
Deleted
C:\Documents and Settings\Mckenzie\Local Settings\Temp\NAV11E.tmp=>[Subject: Mail Transaction Failed][Date: Wed, 28 Jan 2004 16:32:21 +0000]=>(MIME part)=>bvgx.zip
Updated
C:\Documents and Settings\Mckenzie\Local Settings\Temp\NAV11E.tmp=>[Subject: Mail Transaction Failed][Date: Wed, 28 Jan 2004 16:32:21 +0000]=>(MIME part)
Updated
C:\Documents and Settings\Mckenzie\Local Settings\Temp\NAV11E.tmp
Updated
C:\Documents and Settings\Mckenzie\Local Settings\Temp\NAV1D1.tmp=>[Subject: test][Date: Fri, 30 Jan 2004 20:11:30 +0000]=>(MIME part)=>document.zip=>document.pif
Infected with: Win32.Novarg.A@mm
C:\Documents and Settings\Mckenzie\Local Settings\Temp\NAV1D1.tmp=>[Subject: test][Date: Fri, 30 Jan 2004 20:11:30 +0000]=>(MIME part)=>document.zip=>document.pif
Deleted
C:\Documents and Settings\Mckenzie\Local Settings\Temp\NAV1D1.tmp=>[Subject: test][Date: Fri, 30 Jan 2004 20:11:30 +0000]=>(MIME part)=>document.zip
Updated
C:\Documents and Settings\Mckenzie\Local Settings\Temp\NAV1D1.tmp=>[Subject: test][Date: Fri, 30 Jan 2004 20:11:30 +0000]=>(MIME part)
Updated
C:\Documents and Settings\Mckenzie\Local Settings\Temp\NAV1D1.tmp
Updated
C:\Documents and Settings\Mckenzie\Local Settings\Temp\NAV90.tmp=>[Subject: Hi][Date: Fri, 30 Jan 2004 18:48:56 +0000]=>(MIME part)=>rrw.zip=>rrw.pif
Infected with: Win32.Novarg.A@mm
C:\Documents and Settings\Mckenzie\Local Settings\Temp\NAV90.tmp=>[Subject: Hi][Date: Fri, 30 Jan 2004 18:48:56 +0000]=>(MIME part)=>rrw.zip=>rrw.pif
Deleted
C:\Documents and Settings\Mckenzie\Local Settings\Temp\NAV90.tmp=>[Subject: Hi][Date: Fri, 30 Jan 2004 18:48:56 +0000]=>(MIME part)=>rrw.zip
Updated
C:\Documents and Settings\Mckenzie\Local Settings\Temp\NAV90.tmp=>[Subject: Hi][Date: Fri, 30 Jan 2004 18:48:56 +0000]=>(MIME part)
Updated
C:\Documents and Settings\Mckenzie\Local Settings\Temp\NAV90.tmp
Updated
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0001
Infected with: Trojan.Downloader.Keenval.M
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0001
Disinfection failed
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0001
Deleted
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)
Update failed
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0002=>(NSIS o)=>zlib_nsis0001
Infected with: Trojan.Downloader.Keenval.K
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0002=>(NSIS o)=>zlib_nsis0001
Disinfection failed
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0002=>(NSIS o)=>zlib_nsis0001
Deleted
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0002=>(NSIS o)
Update failed
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0002=>(NSIS o)=>zlib_nsis0002
Infected with: Trojan.Downloader.Keenval.C
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0002=>(NSIS o)=>zlib_nsis0002
Disinfection failed
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0002=>(NSIS o)=>zlib_nsis0002
Deleted
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0002=>(NSIS o)
Update failed
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0003=>(NSIS o)=>zlib_nsis0002
Infected with: Trojan.Downloader.Keenval.C
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0003=>(NSIS o)=>zlib_nsis0002
Disinfection failed
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0003=>(NSIS o)=>zlib_nsis0002
Deleted
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0003=>(NSIS o)
Update failed
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0004
Infected with: Trojan.Downloader.Keenval.C
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0004
Disinfection failed
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0004
Deleted
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)
Update failed
C:\Documents and Settings\Princess\Local Settings\Temp\SaveInstWsB.exe=>(CAB Sfx r)=>DnldStub.exe
Infected with: Trojan.Downloader.Small.KL
C:\Documents and Settings\Princess\Local Settings\Temp\SaveInstWsB.exe=>(CAB Sfx r)=>DnldStub.exe
Disinfection failed
C:\Documents and Settings\Princess\Local Settings\Temp\SaveInstWsB.exe=>(CAB Sfx r)=>DnldStub.exe
Deleted
C:\Documents and Settings\Princess\Local Settings\Temp\SaveInstWsB.exe=>(CAB Sfx r)
Update failed
C:\Documents and Settings\Princess\Local Settings\Temp\SaveInstWsB.exe=>(CAB Sfx 2r)
Infected with: Trojan.Whenu.A
C:\Documents and Settings\Princess\Local Settings\Temp\SaveInstWsB.exe=>(CAB Sfx 2r)
Disinfection failed
C:\Documents and Settings\Princess\Local Settings\Temp\SaveInstWsB.exe=>(CAB Sfx 2r)
Deleted
C:\Documents and Settings\Princess\Local Settings\Temp\SaveInstWsB.exe
Update failed
c) Sue's Online Scan
BitDefender Online Scanner -Scan Report v5.0(Trial)
BitDefender Online Scanner
Scan report generated at: Thu, Jan 18, 2007 - 13:31:04
Scan path: A:\;C:\;D:\;E:\;
Statistics
Time 03:52:26
Files 352730
Folders 6167
Boot Sectors 3
Archives 4396
Packed Files 36880
Results
Identified Viruses 5
Infected Files 7
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 7
Engines Info
Virus Definitions 371007
Engine build AVCORE v1.0 (build 2371) (i386) (Dec 13 2006 11:16:42)
Scan plugins 14
Archive plugins 38
Unpack plugins 6
E-mail plugins 6
System plugins 1
Scan Settings
First Action
Disinfect
Second Action
Delete
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions
Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes
Scanned File Status
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0001
Infected with: Trojan.Downloader.Keenval.M
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0001
Disinfection failed
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0001
Deleted
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)
Update failed
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0002=>(NSIS o)=>zlib_nsis0001
Infected with: Trojan.Downloader.Keenval.K
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0002=>(NSIS o)=>zlib_nsis0001
Disinfection failed
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0002=>(NSIS o)=>zlib_nsis0001
Deleted
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0002=>(NSIS o)
Update failed
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0002=>(NSIS o)=>zlib_nsis0002
Infected with: Trojan.Downloader.Keenval.C
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0002=>(NSIS o)=>zlib_nsis0002
Disinfection failed
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0002=>(NSIS o)=>zlib_nsis0002
Deleted
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0002=>(NSIS o)
Update failed
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0003=>(NSIS o)=>zlib_nsis0002
Infected with: Trojan.Downloader.Keenval.C
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0003=>(NSIS o)=>zlib_nsis0002
Disinfection failed
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0003=>(NSIS o)=>zlib_nsis0002
Deleted
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0003=>(NSIS o)
Update failed
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0004
Infected with: Trojan.Downloader.Keenval.C
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0004
Disinfection failed
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)=>zlib_nsis0004
Deleted
C:\Documents and Settings\Princess\Local Settings\Temp\ICD1.tmp\flowgo_bird_setup_td035.exe=>(NSIS o)
Update failed
C:\Documents and Settings\Princess\Local Settings\Temp\SaveInstWsB.exe=>(CAB Sfx r)=>DnldStub.exe
Infected with: Trojan.Downloader.Small.KL
C:\Documents and Settings\Princess\Local Settings\Temp\SaveInstWsB.exe=>(CAB Sfx r)=>DnldStub.exe
Disinfection failed
C:\Documents and Settings\Princess\Local Settings\Temp\SaveInstWsB.exe=>(CAB Sfx r)=>DnldStub.exe
Deleted
C:\Documents and Settings\Princess\Local Settings\Temp\SaveInstWsB.exe=>(CAB Sfx r)
Update failed
C:\Documents and Settings\Princess\Local Settings\Temp\SaveInstWsB.exe=>(CAB Sfx 2r)
Infected with: Trojan.Whenu.A
C:\Documents and Settings\Princess\Local Settings\Temp\SaveInstWsB.exe=>(CAB Sfx 2r)
Disinfection failed
C:\Documents and Settings\Princess\Local Settings\Temp\SaveInstWsB.exe=>(CAB Sfx 2r)
Deleted
C:\Documents and Settings\Princess\Local Settings\Temp\SaveInstWsB.exe
Update failed

pskelley
2007-01-19, 22:22
Welcome to the forum. You have a fairly nasty backdoor trojan; you can read about it here:
http://www.bleepingcomputer.com/startups/winDSL.exe-10734.html
http://www.sophos.com/virusinfo/analyses/w32sdbotzg.html and here:
http://www.google.com/search?sourceid=navclient&ie=UTF-8&rls=GGLG,GGLG:2006-16,GGLG:en&q=winDSL%2eexe
While this one is not as bad as some, read and consider this information.

All of this may not apply to this worm, but there is no doubt it has access to all information on the computer.
One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
_________________________________________________________

Broadband Reports.com

One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this article too:
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

If you want me to continue with the cleanup, let me know.

Thanks
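The diagnosis above rests on three things that can be read straight off the O4 lines of the HijackThis log: winDSL.exe is a bare filename (no path) hiding behind a Microsoft-sounding label, it is registered in HKLM\Run, HKCU\Run and HKLM\RunServices at once, and RunServices is a Windows 9x key that NT-based Windows such as XP never processes, so only software written to survive on any Windows version bothers to populate it. The Python below is an added example for this thread, not code from the thread, from HijackThis or from Spybot; it turns that reasoning into a scored triage of O4 lines and runs it over lines copied from the log posted earlier. The rule weights, the threshold and the KNOWN_HOSTS exception for rundll32 are assumptions made for the example.

```python
"""Scored triage of HijackThis O4 (autostart) lines.

Added example, not code from the thread, HijackThis or Spybot. Rule weights,
threshold and KNOWN_HOSTS are assumptions made for this example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [Microsoft Windows DLL Services Configuration] winDSL.exe
O4 - HKLM\..\Run: [REGRUN] C:\DOCUME~1\ESMESU~1\LOCALS~1\Temp\RarSFX0\4.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] winDSL.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Windows DLL Services Configuration] winDSL.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
"""

REG_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
STARTUP_RE = re.compile(r"^O4 - ((?:Global )?Startup): (.*?) = (.*)$")
EXE_RE = re.compile(r"(.*?\.(?:exe|com|scr|pif|bat|cmd))(?:\s|$)", re.IGNORECASE)

# Assumption: path-less hosts that legitimate driver entries use; rundll32 is
# resolved from System32, so a bare name is normal for it.
KNOWN_HOSTS = {"rundll32.exe"}


@dataclass
class Entry:
    hive: str      # HKLM, HKCU, or "Startup" for the shell startup folders
    key: str       # Run, RunOnce, RunServices, Startup, Global Startup
    name: str      # value name shown in [brackets], or the .lnk name
    command: str   # command line exactly as HJT printed it


def parse_o4(log: str) -> list[Entry]:
    """Extract registry and startup-folder O4 entries; other lines are ignored."""
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := REG_RE.match(line):
            entries.append(Entry(*m.groups()))
        elif m := STARTUP_RE.match(line):
            entries.append(Entry("Startup", m.group(1), m.group(2), m.group(3)))
    return entries


def executable(cmd: str) -> str:
    """Program part of a command line: the quoted path, or everything up to the
    first executable extension so unquoted paths with spaces survive."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else (cmd.split()[0] if cmd else "")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_entry(e: Entry, locations: int) -> list[tuple[int, str]]:
    """Weighted indicators for one entry (weights are example assumptions)."""
    exe = executable(e.command)
    if not exe:
        return []
    hits = []
    if "\\" not in exe and basename(exe) not in KNOWN_HOSTS:
        hits.append((1, "bare filename, found by PATH search instead of a full path"))
    if e.key == "RunServices":
        hits.append((2, "RunServices is a Win9x key; NT-based Windows never reads it"))
    if "\\temp\\" in exe.lower():
        hits.append((2, "launched from a Temp directory"))
    if locations >= 3:
        hits.append((2, f"same file registered in {locations} autostart locations"))
    return hits


def triage(log: str, threshold: int = 2) -> dict[str, dict]:
    """Map suspicious executable basenames to their score, reasons and locations."""
    entries = parse_o4(log)
    locations: dict[str, set[str]] = {}
    for e in entries:
        locations.setdefault(basename(executable(e.command)), set()).add(f"{e.hive}\\{e.key}")
    report: dict[str, dict] = {}
    for e in entries:
        base = basename(executable(e.command))
        hits = score_entry(e, len(locations[base]))
        if not hits:
            continue
        rec = report.setdefault(base, {"score": 0, "reasons": set(), "locations": sorted(locations[base])})
        rec["score"] = max(rec["score"], sum(w for w, _ in hits))  # worst entry wins
        rec["reasons"].update(r for _, r in hits)
    return {k: {**v, "reasons": sorted(v["reasons"])}
            for k, v in report.items() if v["score"] >= threshold}


if __name__ == "__main__":
    for exe, rec in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["score"]):
        print(f"{exe}: score {rec['score']} in {', '.join(rec['locations'])}")
        for reason in rec["reasons"]:
            print(f"    - {reason}")
```

Run against the sample, only winDSL.exe and the REGRUN entry launched from a Temp directory cross the threshold; ltmsg.exe is also a bare filename, but on its own that is worth one point, which is why the scoring keeps the Lucent modem tray tool out of the report. The same scoring would equally single out any other name that turns up under three Run keys at once, so it generalises beyond the one entry the reply names.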

Swoom
2007-01-22, 16:00
Thanks for your quick response and all the info and help. It's all a bit scary and there's a lot for me to get my head round, and I'm plowing through it.

I'd like to have a go and see what I can do, but it would be good to know that I may be OK to come back to you for further help cleaning up if I can't do it.

I really do appreciate your input. Thank you again, and I'll come again soon to let you know how things are going if you don't mind!

tashi
2007-02-02, 09:31
This topic has been closed to prevent others with similar issues posting in it.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.


Good luck. :)