View Full Version : Malware
lucemonkey
2007-06-13, 17:53
I have read your before you post sticky and have followed your procedures prior to posting any logs but have been unable to remove a red file. The red file is - Virtumonde. After seeking to fix the problem with S&D I get the following message.
WARNING: Some problems couldn't be fixed. The reason could be that the associated files are still in use (in memory).
This could be fixed after a restart. May Spybot's S&D run on you next system restart. Yes or No.
I have clicked yes and the file is still present and I get the same warning message each time. So before I post a log I wanted to ask what you would like me to do as Virtumonde is not my only problem.
pskelley
2007-06-13, 21:42
Welcome to Safer Networking, if you still need help and are not receiving it elsewhere, it appears you have missed some important instructions our administrator has posted at the top of the forum, especially this: "BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please read and follow all instructions and post all required logs or reports, anything less will slow your process.
Use "Post Reply" to post the information in the instructions and stay in the same topic.
I'm sorry, you say you "followed your procedures" and those are the proceedures which are also pinned at the top of the forum where you posted?
Thanks
lucemonkey
2007-06-14, 08:57
Here are my Hijack This and on-line virus scan logs.
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20011217/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181004992187
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D68DAEED-C2A6-4C6F-9365-4676B173D8EF} (OcarptMain Class) - https://oca.microsoft.com/secure/OCARPT.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/netscape/TrueInstallNetscape.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
I will have to make several posts of the virus scan.
Thanks Dave
lucemonkey
2007-06-14, 08:59
Anti-virus scan log Part 1
2007-06-04 14:22:23.812 FINEST Overall info OS version = WinXP
2007-06-04 14:22:23.812 FINEST Overall info AX build = 6.51.0.1020
2007-06-04 14:22:23.828 INFO Overall info previous version detected
2007-06-04 14:22:23.828 INFO Overall info current version is not full, will make shared update
2007-06-04 14:22:41.031 FINEST Report Dump checking for unsent reports
2007-06-04 14:26:28.718 FINEST Overall info OS version = WinXP
2007-06-04 14:26:28.718 FINEST Overall info AX build = 6.51.0.1020
2007-06-04 14:26:28.718 INFO Overall info previous version detected
2007-06-04 14:26:44.421 FINEST Report Dump checking for unsent reports
2007-06-04 14:27:08.437 FINEST scanEngineMalware updateItem remote version = 5.3000.1103, code = 0
2007-06-04 14:27:14.078 FINEST scanEngineGrayware updateItem remote version = 5.0.1060, code = 0
2007-06-04 14:27:18.828 FINEST scanEngineStorage:MAIN updateItem remote version = 8.3100.1002, code = 0
2007-06-04 14:27:22.812 FINEST scanEngineStorage:SYSTEM updateItem remote version = 5.3000.1103, code = 0
2007-06-04 14:27:22.843 FINEST engineInfo scan::SCAN_STORAGE
2007-06-04 14:27:23.390 FINEST patternVSAPI updateItem remote version = 4.507.0
2007-06-04 14:28:55.921 FINEST patternVSAPI updateItem(GRAYWARE) remote version = 0.497.0
2007-06-04 14:29:05.812 INFO ProcessSystemCallback Version 6.51-1020
2007-06-04 14:29:05.812 FINEST ProcessSystemCallback File scanner start initialization
2007-06-04 14:29:06.093 WARNING ProcessSystemCallback Read ini: Failed to read threat values, set to default values.
2007-06-04 14:29:06.093 FINEST ProcessSystemCallback File Scanner version 831001002
2007-06-04 14:29:07.515 FINEST engineInfo scan::SCAN_STORAGE::init for tmaptn.###
2007-06-04 14:30:07.796 FINEST engineInfo Filename to check: C:\ , amount = 55693, size=19087387045
2007-06-04 14:30:07.796 FINEST ProcessSystemCallback Drive (C)
2007-06-04 14:30:07.812 FINEST ProcessSystemCallback Path (C) is processable
2007-06-04 14:30:07.828 FINEST engineInfo will check BootSector//Partition on C:
2007-06-04 14:32:04.062 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-04 14:32:04.062 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-04 14:36:58.453 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-04 14:37:58.203 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-04 14:37:58.218 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-04 14:38:06.937 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-04 14:38:06.937 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-04 14:38:07.156 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-04 14:38:07.171 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-04 14:38:07.218 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-04 14:38:07.218 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-04 14:38:07.265 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-04 14:38:07.296 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-04 14:44:23.125 SEVERE ProcessSystemCallback File scanner error=-94, ð
2007-06-04 15:06:02.765 WARNING ProcessCallback reportInfection: threatName=ADW_WINFIXER.BQ, threatType=2, patternType=1,canClean=0, canRemove=1 return=0
2007-06-04 15:06:05.093 FINEST ProcessSystemCallback File scanner reportInfection ADW_WINFIXER.BQ, type=2, canClean=0, canRemove=1
2007-06-04 15:12:27.656 SEVERE ProcessSystemCallback File scanner error=-94, ð
2007-06-04 15:12:34.484 WARNING ProcessCallback reportInfection: threatName=BKDR_SMALL.HXZ, threatType=2, patternType=0,canClean=0, canRemove=1 return=0
2007-06-04 15:12:35.171 FINEST ProcessSystemCallback File scanner reportInfection BKDR_SMALL.HXZ, type=2, canClean=0, canRemove=1
2007-06-04 15:12:54.265 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-04 15:12:54.265 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-04 15:12:54.312 SEVERE ProcessSystemCallback File scanner error=-94, ð
2007-06-04 15:12:54.328 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-04 15:12:54.359 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-04 15:12:54.375 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-04 15:12:54.375 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-04 15:12:54.375 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-04 15:12:54.437 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-04 15:12:54.468 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-04 15:17:37.625 SEVERE ProcessSystemCallback File scanner error=-94, ð
2007-06-04 15:17:37.671 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-04 15:18:03.140 FINEST scanEngineMalware updateItem remote version = 5.3000.1103, code = 4
2007-06-04 15:18:04.062 FINEST scanEngineGrayware updateItem remote version = 5.0.1060, code = 4
2007-06-04 15:18:04.125 FINEST engineInfo scan::SCAN_SYSTEM_GRAYWARE
2007-06-04 15:18:04.640 FINEST patternGrayware updateItem remote version = 0.507.0
2007-06-04 15:18:36.484 FINEST ProcessSystemCallback System scanner start initialization
2007-06-04 15:18:36.828 WARNING ProcessSystemCallback Read ini: Failed to read threat values, set to default values.
2007-06-04 15:18:36.828 FINEST ProcessSystemCallback System scanner initialized
2007-06-04 15:18:36.906 WARNING ProcessSystemCallback Failed to load TrueAPI library
2007-06-04 15:18:36.921 WARNING ProcessSystemCallback Failed to load TrueAPI library file.
2007-06-04 15:18:36.921 WARNING ProcessSystemCallback Failed to copy sys file from C:\Documents and Settings\Dave\.housecall6.6\\tmcomm.sys to C:\WINDOWS\system32\drivers\tmcomm.sys, Error code is 2
2007-06-04 15:18:36.921 WARNING ProcessSystemCallback Failed to intialize TrueAPI driver.
2007-06-04 15:18:38.500 INFO ProcessSystemCallback Spyware scanner initialized (threadid=3ec)
2007-06-04 15:18:44.734 FINEST ProcessSystemCallback Spyware scanner loaded pattern file
2007-06-04 15:18:44.750 FINEST ProcessSystemCallback Spyware scanner activate SPYWARE pattern
2007-06-04 15:18:44.750 FINEST ProcessSystemCallback Spyware scanner pattern version 50700
2007-06-04 15:18:44.765 FINEST engineInfo threats count = 0
2007-06-04 15:18:44.765 FINEST engineInfo pattern location = C:\Documents and Settings\Dave\.housecall6.6\Pattern\TMADCE.ptn
2007-06-04 15:18:44.796 FINEST ProcessSystemCallback Spyware scanner processSystem patternType=3 isclean=0 inactive=0
2007-06-04 15:18:44.921 FINEST ProcessSystemCallback Found threat infection: (ID Started Scanning) on 'Programs in Memory'
2007-06-04 15:18:48.984 FINEST ProcessSystemCallback Found threat infection: (ID Started Scanning) on 'Internet Cookies'
2007-06-04 15:18:49.140 FINEST ProcessSystemCallback Found threat infection: (ID Started Scanning) on 'Windows Registry'
2007-06-04 15:18:50.078 FINEST ProcessSystemCallback Found threat infection: Adware_BrilliantDigitalEntertainment (ID 1353) on 'HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\MediaLoads\'
2007-06-04 15:18:50.078 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:18:50.828 FINEST ProcessSystemCallback Found threat infection: Adware_BrilliantDigitalEntertainment
2007-06-04 15:19:05.515 FINEST ProcessSystemCallback Found threat infection: (ID Started Scanning) on 'Internet URL Shortcuts'
2007-06-04 15:19:15.046 FINEST ProcessSystemCallback Found threat infection: (ID Started Scanning) on 'Files and Directories'
2007-06-04 15:25:37.031 FINEST ProcessSystemCallback Found threat infection: (ID Started Scanning) on 'Program Startup Areas'
2007-06-04 15:25:38.015 FINEST ProcessSystemCallback Found threat infection: (ID Started Scanning) on 'Hosts File'
2007-06-04 15:25:38.984 FINEST ProcessSystemCallback Found threat infection: Adware_MemWatcher (ID 121652) on 'C:\WINDOWS\System32\drivers\etc\hosts\127.0.0.1'
2007-06-04 15:25:39.000 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:25:39.859 FINEST ProcessSystemCallback Found threat infection: Adware_MemWatcher
2007-06-04 15:25:40.562 FINEST ProcessSystemCallback Found threat infection: Adware_MemWatcher (ID 121536) on 'C:\WINDOWS\System32\drivers\etc\hosts\127.0.0.1'
2007-06-04 15:25:40.578 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:25:40.593 FINEST ProcessSystemCallback Found threat infection: Adware_MemWatcher
2007-06-04 15:25:41.937 FINEST ProcessSystemCallback Found threat infection: (ID Started Scanning) on 'Web Browser Security Settings'
2007-06-04 15:25:44.046 FINEST ProcessSystemCallback Spyware scanner processed threat scan
2007-06-04 15:25:44.828 FINEST engineInfo scan::SCAN_SOFTWARE_VULNERABILITY
2007-06-04 15:25:45.375 FINEST patternVul updateItem remote version = 0.69.0
2007-06-04 15:25:47.031 FINEST ProcessSystemCallback System scanner version 530001103
2007-06-04 15:25:47.109 FINEST ProcessSystemCallback System scanner loaded pattern file Pattern\TMVAmain.ptn
2007-06-04 15:25:47.109 FINEST ProcessSystemCallback System scanner loaded pattern file Pattern\TMVAmain.ptn
2007-06-04 15:25:47.109 FINEST ProcessSystemCallback System scanner Pattern type=4, Version=6900
2007-06-04 15:25:47.156 FINEST engineInfo threats count = 0
2007-06-04 15:25:47.171 FINEST engineInfo pattern location = C:\Documents and Settings\Dave\.housecall6.6\Pattern\TMVAmain.ptn
2007-06-04 15:25:47.171 FINEST ProcessSystemCallback System scanner loaded pattern file Pattern\TMVAmain.ptn
2007-06-04 15:25:47.171 FINEST ProcessSystemCallback getProcessableThreats
2007-06-04 15:25:47.171 FINEST ProcessSystemCallback System scanner processable threats=0
2007-06-04 15:25:47.187 FINEST ProcessSystemCallback System scanner set process mode. Clean=0, threat count=0
2007-06-04 15:25:50.562 FINEST ProcessSystemCallback Sytem Scanner start threat process transfer
2007-06-04 15:25:54.828 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:25:55.328 FINEST ProcessSystemCallback Found threat infection: MS04-025
2007-06-04 15:25:55.343 FINEST ProcessSystemCallback System Scanner found threat infection: MS04-025
2007-06-04 15:25:55.359 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:25:55.718 FINEST ProcessSystemCallback Found threat infection: MS04-031
2007-06-04 15:25:55.718 FINEST ProcessSystemCallback System Scanner found threat infection: MS04-031
2007-06-04 15:25:55.765 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:25:56.203 FINEST ProcessSystemCallback Found threat infection: MS04-032
2007-06-04 15:25:56.203 FINEST ProcessSystemCallback System Scanner found threat infection: MS04-032
2007-06-04 15:25:56.218 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:25:56.625 FINEST ProcessSystemCallback Found threat infection: MS04-034
2007-06-04 15:25:56.640 FINEST ProcessSystemCallback System Scanner found threat infection: MS04-034
2007-06-04 15:25:56.671 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:25:57.062 FINEST ProcessSystemCallback Found threat infection: MS04-037
2007-06-04 15:25:57.078 FINEST ProcessSystemCallback System Scanner found threat infection: MS04-037
2007-06-04 15:25:57.109 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:25:57.578 FINEST ProcessSystemCallback Found threat infection: MS04-038
2007-06-04 15:25:57.609 FINEST ProcessSystemCallback System Scanner found threat infection: MS04-038
2007-06-04 15:25:57.640 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:25:58.031 FINEST ProcessSystemCallback Found threat infection: MS04-040
2007-06-04 15:25:58.046 FINEST ProcessSystemCallback System Scanner found threat infection: MS04-040
2007-06-04 15:25:58.078 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:25:58.421 FINEST ProcessSystemCallback Found threat infection: MS04-041
2007-06-04 15:25:58.468 FINEST ProcessSystemCallback System Scanner found threat infection: MS04-041
2007-06-04 15:25:58.515 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:25:58.921 FINEST ProcessSystemCallback Found threat infection: MS04-043
2007-06-04 15:25:58.937 FINEST ProcessSystemCallback System Scanner found threat infection: MS04-043
2007-06-04 15:25:58.953 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:25:59.437 FINEST ProcessSystemCallback Found threat infection: MS04-044
2007-06-04 15:25:59.515 FINEST ProcessSystemCallback System Scanner found threat infection: MS04-044
2007-06-04 15:25:59.531 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:25:59.984 FINEST ProcessSystemCallback Found threat infection: MS05-001
2007-06-04 15:26:00.000 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-001
2007-06-04 15:26:00.031 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:00.375 FINEST ProcessSystemCallback Found threat infection: MS05-002
2007-06-04 15:26:00.390 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-002
2007-06-04 15:26:00.437 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:00.812 FINEST ProcessSystemCallback Found threat infection: MS05-003
2007-06-04 15:26:00.828 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-003
2007-06-04 15:26:00.859 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:01.328 FINEST ProcessSystemCallback Found threat infection: MS05-007
2007-06-04 15:26:01.328 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-007
2007-06-04 15:26:01.343 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:01.765 FINEST ProcessSystemCallback Found threat infection: MS05-008
lucemonkey
2007-06-14, 09:05
Part 2
2007-06-04 15:26:01.765 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-008
2007-06-04 15:26:01.781 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:02.109 FINEST ProcessSystemCallback Found threat infection: MS05-009
2007-06-04 15:26:02.109 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-009
2007-06-04 15:26:02.125 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:02.406 FINEST ProcessSystemCallback Found threat infection: MS05-011
2007-06-04 15:26:02.421 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-011
2007-06-04 15:26:02.437 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:02.765 FINEST ProcessSystemCallback Found threat infection: MS05-012
2007-06-04 15:26:02.765 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-012
2007-06-04 15:26:02.781 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:03.093 FINEST ProcessSystemCallback Found threat infection: MS05-013
2007-06-04 15:26:03.109 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-013
2007-06-04 15:26:03.125 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:03.421 FINEST ProcessSystemCallback Found threat infection: MS05-014
2007-06-04 15:26:03.421 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-014
2007-06-04 15:26:03.453 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:03.734 FINEST ProcessSystemCallback Found threat infection: MS05-015
2007-06-04 15:26:03.734 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-015
2007-06-04 15:26:03.765 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:04.093 FINEST ProcessSystemCallback Found threat infection: MS05-016
2007-06-04 15:26:04.109 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-016
2007-06-04 15:26:04.109 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:04.484 FINEST ProcessSystemCallback Found threat infection: MS05-018
2007-06-04 15:26:04.484 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-018
2007-06-04 15:26:04.515 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:04.828 FINEST ProcessSystemCallback Found threat infection: MS05-019
2007-06-04 15:26:04.828 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-019
2007-06-04 15:26:04.843 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:05.156 FINEST ProcessSystemCallback Found threat infection: MS05-020
2007-06-04 15:26:05.171 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-020
2007-06-04 15:26:05.187 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:05.484 FINEST ProcessSystemCallback Found threat infection: MS05-025
2007-06-04 15:26:05.484 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-025
2007-06-04 15:26:05.500 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:05.859 FINEST ProcessSystemCallback Found threat infection: MS05-026
2007-06-04 15:26:05.859 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-026
2007-06-04 15:26:05.875 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:06.171 FINEST ProcessSystemCallback Found threat infection: MS05-027
2007-06-04 15:26:06.187 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-027
2007-06-04 15:26:06.203 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:06.468 FINEST ProcessSystemCallback Found threat infection: MS05-028
2007-06-04 15:26:06.484 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-028
2007-06-04 15:26:06.500 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:06.796 FINEST ProcessSystemCallback Found threat infection: MS05-030
2007-06-04 15:26:06.796 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-030
2007-06-04 15:26:06.859 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:07.156 FINEST ProcessSystemCallback Found threat infection: MS05-032
2007-06-04 15:26:07.156 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-032
2007-06-04 15:26:07.187 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:07.515 FINEST ProcessSystemCallback Found threat infection: MS05-033
2007-06-04 15:26:07.531 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-033
2007-06-04 15:26:07.546 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:07.843 FINEST ProcessSystemCallback Found threat infection: MS05-036
2007-06-04 15:26:07.859 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-036
2007-06-04 15:26:07.890 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:08.234 FINEST ProcessSystemCallback Found threat infection: MS05-037
2007-06-04 15:26:08.234 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-037
2007-06-04 15:26:08.265 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:08.609 FINEST ProcessSystemCallback Found threat infection: MS05-038
2007-06-04 15:26:08.625 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-038
2007-06-04 15:26:08.640 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:08.937 FINEST ProcessSystemCallback Found threat infection: MS05-039
2007-06-04 15:26:08.953 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-039
2007-06-04 15:26:08.984 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:09.468 FINEST ProcessSystemCallback Found threat infection: MS05-040
2007-06-04 15:26:09.515 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-040
2007-06-04 15:26:09.546 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:09.875 FINEST ProcessSystemCallback Found threat infection: MS05-041
2007-06-04 15:26:09.890 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-041
2007-06-04 15:26:09.906 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:10.265 FINEST ProcessSystemCallback Found threat infection: MS05-042
2007-06-04 15:26:10.281 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-042
2007-06-04 15:26:10.296 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:10.609 FINEST ProcessSystemCallback Found threat infection: MS05-043
2007-06-04 15:26:10.625 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-043
2007-06-04 15:26:10.640 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:10.968 FINEST ProcessSystemCallback Found threat infection: MS05-044
2007-06-04 15:26:10.968 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-044
2007-06-04 15:26:10.984 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:11.312 FINEST ProcessSystemCallback Found threat infection: MS05-045
2007-06-04 15:26:11.312 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-045
2007-06-04 15:26:11.328 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:11.625 FINEST ProcessSystemCallback Found threat infection: MS05-047
2007-06-04 15:26:11.640 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-047
2007-06-04 15:26:11.656 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:12.015 FINEST ProcessSystemCallback Found threat infection: MS05-048
2007-06-04 15:26:12.015 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-048
2007-06-04 15:26:12.031 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:12.390 FINEST ProcessSystemCallback Found threat infection: MS05-049
2007-06-04 15:26:12.406 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-049
2007-06-04 15:26:12.421 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:12.734 FINEST ProcessSystemCallback Found threat infection: MS05-050
2007-06-04 15:26:12.734 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-050
2007-06-04 15:26:12.765 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:13.078 FINEST ProcessSystemCallback Found threat infection: MS05-051
2007-06-04 15:26:13.093 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-051
2007-06-04 15:26:13.109 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:13.437 FINEST ProcessSystemCallback Found threat infection: MS05-052
2007-06-04 15:26:13.453 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-052
2007-06-04 15:26:13.468 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:13.765 FINEST ProcessSystemCallback Found threat infection: MS05-053
2007-06-04 15:26:13.781 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-053
2007-06-04 15:26:13.796 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:14.093 FINEST ProcessSystemCallback Found threat infection: MS05-054
2007-06-04 15:26:14.109 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-054
2007-06-04 15:26:14.125 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:14.437 FINEST ProcessSystemCallback Found threat infection: MS06-001
2007-06-04 15:26:14.437 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-001
2007-06-04 15:26:14.468 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:14.812 FINEST ProcessSystemCallback Found threat infection: MS06-002
2007-06-04 15:26:14.812 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-002
2007-06-04 15:26:14.843 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:15.156 FINEST ProcessSystemCallback Found threat infection: MS06-005
2007-06-04 15:26:15.156 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-005
2007-06-04 15:26:15.171 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:15.546 FINEST ProcessSystemCallback Found threat infection: MS06-006
2007-06-04 15:26:15.546 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-006
2007-06-04 15:26:15.562 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:15.875 FINEST ProcessSystemCallback Found threat infection: MS06-007
2007-06-04 15:26:15.875 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-007
2007-06-04 15:26:15.890 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:16.218 FINEST ProcessSystemCallback Found threat infection: MS06-008
2007-06-04 15:26:16.218 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-008
2007-06-04 15:26:16.234 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:16.562 FINEST ProcessSystemCallback Found threat infection: MS06-011
2007-06-04 15:26:16.562 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-011
2007-06-04 15:26:16.578 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:16.890 FINEST ProcessSystemCallback Found threat infection: MS06-013
2007-06-04 15:26:16.890 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-013
2007-06-04 15:26:16.906 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:17.234 FINEST ProcessSystemCallback Found threat infection: MS06-014
2007-06-04 15:26:17.250 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-014
2007-06-04 15:26:17.265 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:17.609 FINEST ProcessSystemCallback Found threat infection: MS06-015
2007-06-04 15:26:17.609 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-015
2007-06-04 15:26:17.640 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:17.953 FINEST ProcessSystemCallback Found threat infection: MS06-016
2007-06-04 15:26:17.968 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-016
2007-06-04 15:26:17.984 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:18.312 FINEST ProcessSystemCallback Found threat infection: MS06-018
2007-06-04 15:26:18.328 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-018
2007-06-04 15:26:18.343 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:18.687 FINEST ProcessSystemCallback Found threat infection: MS06-021
2007-06-04 15:26:18.703 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-021
2007-06-04 15:26:18.718 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:19.187 FINEST ProcessSystemCallback Found threat infection: MS06-022
2007-06-04 15:26:19.187 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-022
2007-06-04 15:26:19.218 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:19.656 FINEST ProcessSystemCallback Found threat infection: MS06-023
2007-06-04 15:26:19.671 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-023
2007-06-04 15:26:19.703 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:20.046 FINEST ProcessSystemCallback Found threat infection: MS06-025
2007-06-04 15:26:20.046 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-025
2007-06-04 15:26:20.078 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:20.453 FINEST ProcessSystemCallback Found threat infection: MS06-030
2007-06-04 15:26:20.453 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-030
2007-06-04 15:26:20.468 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:20.812 FINEST ProcessSystemCallback Found threat infection: MS06-032
2007-06-04 15:26:20.812 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-032
2007-06-04 15:26:20.828 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:21.218 FINEST ProcessSystemCallback Found threat infection: MS06-035
2007-06-04 15:26:21.218 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-035
2007-06-04 15:26:21.250 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:21.578 FINEST ProcessSystemCallback Found threat infection: MS06-036
2007-06-04 15:26:21.593 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-036
2007-06-04 15:26:21.609 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:21.937 FINEST ProcessSystemCallback Found threat infection: MS06-040
2007-06-04 15:26:21.937 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-040
2007-06-04 15:26:21.953 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:22.328 FINEST ProcessSystemCallback Found threat infection: MS06-041
2007-06-04 15:26:22.343 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-041
2007-06-04 15:26:22.359 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:22.718 FINEST ProcessSystemCallback Found threat infection: MS06-042
2007-06-04 15:26:22.718 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-042
2007-06-04 15:26:22.734 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:23.078 FINEST ProcessSystemCallback Found threat infection: MS06-045
2007-06-04 15:26:23.078 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-045
2007-06-04 15:26:23.093 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:23.468 FINEST ProcessSystemCallback Found threat infection: MS06-046
2007-06-04 15:26:23.468 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-046
2007-06-04 15:26:23.484 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:23.812 FINEST ProcessSystemCallback Found threat infection: MS06-050
2007-06-04 15:26:23.828 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-050
2007-06-04 15:26:23.843 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:24.171 FINEST ProcessSystemCallback Found threat infection: MS06-051
2007-06-04 15:26:24.187 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-051
2007-06-04 15:26:24.203 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:24.546 FINEST ProcessSystemCallback Found threat infection: MS06-052
2007-06-04 15:26:24.546 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-052
2007-06-04 15:26:24.562 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:24.921 FINEST ProcessSystemCallback Found threat infection: MS06-053
2007-06-04 15:26:24.937 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-053
2007-06-04 15:26:24.953 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:25.312 FINEST ProcessSystemCallback Found threat infection: MS06-055
2007-06-04 15:26:25.312 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-055
2007-06-04 15:26:25.343 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:25.656 FINEST ProcessSystemCallback Found threat infection: MS06-057
2007-06-04 15:26:25.671 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-057
2007-06-04 15:26:25.687 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:26.046 FINEST ProcessSystemCallback Found threat infection: MS06-061
2007-06-04 15:26:26.046 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-061
2007-06-04 15:26:26.062 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:26.421 FINEST ProcessSystemCallback Found threat infection: MS06-063
2007-06-04 15:26:26.437 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-063
2007-06-04 15:26:26.453 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:26.796 FINEST ProcessSystemCallback Found threat infection: MS06-064
2007-06-04 15:26:26.796 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-064
2007-06-04 15:26:26.843 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:27.234 FINEST ProcessSystemCallback Found threat infection: MS06-065
2007-06-04 15:26:27.250 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-065
2007-06-04 15:26:27.265 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:27.593 FINEST ProcessSystemCallback Found threat infection: MS06-071
2007-06-04 15:26:27.593 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-071
2007-06-04 15:26:27.625 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:26:27.937 FINEST ProcessSystemCallback Found threat infection: MS07-005
2007-06-04 15:26:27.937 FINEST ProcessSystemCallback System Scanner found threat infection: MS07-005
2007-06-04 15:26:27.953 FINEST ProcessSystemCallback System Scanner stop threat process transfer. Number of threats=215
lucemonkey
2007-06-14, 09:06
Part 3
2007-06-04 15:26:29.312 FINEST Report Dump making report C:\Documents and Settings\Dave\.housecall6.6\log\2007-06-04-15-26-29.temp
2007-06-04 15:26:29.484 FINEST Report Dump currect datetime = 2007-06-04 23\:26\:29 GMT
2007-06-04 15:26:29.515 FINEST Report Dump totally have 4 scanning
2007-06-04 15:28:39.703 FINEST engineInfo clean::SYSTEM_MALWARE
2007-06-04 15:28:40.218 FINEST patternTSC updateItem remote version = 0.866.0
2007-06-04 15:28:50.093 FINEST ProcessSystemCallback System scanner loaded pattern file Pattern\tsc.ptn
2007-06-04 15:28:50.109 FINEST ProcessSystemCallback System scanner loaded pattern file Pattern\tsc.ptn
2007-06-04 15:28:50.125 FINEST ProcessSystemCallback System scanner Pattern type=2, Version=86600
2007-06-04 15:28:50.125 FINEST ProcessSystemCallback System scanner deactivate VA pattern
2007-06-04 15:28:50.140 FINEST ProcessSystemCallback System scanner activate SYSTEM MALWARE pattern
2007-06-04 15:28:50.140 FINEST ProcessSystemCallback Spyware scanner deactivate SPYWARE pattern
2007-06-04 15:28:50.187 FINEST ProcessSystemCallback System scanner loaded pattern file Pattern\tsc.ptn
2007-06-04 15:28:50.203 FINEST ProcessSystemCallback getProcessableThreats
2007-06-04 15:28:50.218 FINEST ProcessSystemCallback System scanner processable threats=0
2007-06-04 15:28:50.218 FINEST ProcessSystemCallback System scanner set process mode. Clean=1, threat count=0
2007-06-04 15:28:54.390 FINEST ProcessSystemCallback Sytem Scanner start threat process transfer
2007-06-04 15:29:42.093 FINEST ProcessSystemCallback System Scanner stop threat process transfer. Number of threats=3093
2007-06-04 15:29:42.437 FINEST engineInfo clean::MAIN
2007-06-04 15:29:42.484 FINEST ProcessSystemCallback File Scanner version 831001002
2007-06-04 15:29:52.203 SEVERE ProcessSystemCallback File scanner error=-99,
2007-06-04 15:29:52.281 FINEST engineInfo scan::SCAN_STORAGE::init for tmaptn.###
2007-06-04 15:29:53.984 FINEST engineInfo Filename to clean: C:\WINDOWS\Downloaded Program Files\UDC6_0001_D21M0303NetInstaller.exe , amount = 0, size=0.000000
2007-06-04 15:29:54.000 FINEST ProcessSystemCallback Drive (C)
2007-06-04 15:29:54.000 FINEST ProcessSystemCallback Path (C) is processable
2007-06-04 15:29:54.000 FINEST engineInfo will clean BootSector//Partition on C:
2007-06-04 15:29:56.937 WARNING ProcessCallback reportInfection: threatName=ADW_WINFIXER.BQ, threatType=2, patternType=1,canClean=0, canRemove=1 return=0
2007-06-04 15:29:56.953 FINEST ProcessSystemCallback System scanner start backup for threat= ADW_WINFIXER.BQ
2007-06-04 15:29:56.953 FINEST ProcessSystemCallback System scanner backup threat not yet implemented
2007-06-04 15:29:56.953 FINEST ProcessSystemCallback System scanner backup threat= ADW_WINFIXER.BQ
2007-06-04 15:29:56.953 FINEST ProcessSystemCallback Spyware scanner start backup
2007-06-04 15:29:58.687 FINEST ProcessSystemCallback File scanner reportInfection ADW_WINFIXER.BQ, type=2, canClean=0, canRemove=1
2007-06-04 15:29:58.703 WARNING ProcessCallback reportActionResult: action = 1, result = 1
2007-06-04 15:29:58.765 WARNING ProcessCallback reportActionResult: action = 3, result = 0
2007-06-04 15:29:58.906 FINEST engineInfo Filename to clean: C:\WINDOWS\SYSTEM32\advvpi32.dll , amount = 0, size=0.000000
2007-06-04 15:29:58.906 FINEST ProcessSystemCallback Drive (C)
2007-06-04 15:29:58.906 FINEST ProcessSystemCallback Path (C) is processable
2007-06-04 15:29:58.984 WARNING ProcessCallback reportInfection: threatName=BKDR_SMALL.HXZ, threatType=2, patternType=0,canClean=0, canRemove=1 return=0
2007-06-04 15:29:59.078 FINEST ProcessSystemCallback File scanner reportInfection BKDR_SMALL.HXZ, type=2, canClean=0, canRemove=1
2007-06-04 15:29:59.109 WARNING ProcessCallback reportActionResult: action = 1, result = 1
2007-06-04 15:29:59.109 WARNING ProcessCallback reportActionResult: action = 3, result = -3
2007-06-04 15:30:18.046 FINEST engineInfo Filename to clean: HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\MediaLoads\ , amount = 0, size=0.000000
2007-06-04 15:30:18.171 FINEST ProcessSystemCallback Drive (H)
2007-06-04 15:30:18.359 FINEST ProcessSystemCallback Path (H) is not processable
2007-06-04 15:30:18.625 FINEST engineInfo Filename to clean: C:\WINDOWS\System32\drivers\etc\hosts\127.0.0.1 , amount = 0, size=0.000000
2007-06-04 15:30:18.734 FINEST ProcessSystemCallback Drive (C)
2007-06-04 15:30:18.953 FINEST ProcessSystemCallback Path (C) is processable
2007-06-04 15:30:19.062 SEVERE ProcessSystemCallback File scanner error=-27,
2007-06-04 15:30:19.109 FINEST engineInfo Filename to clean: C:\WINDOWS\System32\drivers\etc\hosts\127.0.0.1 , amount = 0, size=0.000000
2007-06-04 15:30:19.187 FINEST ProcessSystemCallback Drive (C)
2007-06-04 15:30:19.218 FINEST ProcessSystemCallback Path (C) is processable
2007-06-04 15:30:19.250 SEVERE ProcessSystemCallback File scanner error=-27,
2007-06-04 15:30:20.906 FINEST engineInfo clean::SYSTEM_GRAYWARE
2007-06-04 15:30:21.296 FINEST ProcessSystemCallback Spyware scanner loaded pattern file
2007-06-04 15:30:21.296 FINEST ProcessSystemCallback Spyware scanner activate SPYWARE pattern
2007-06-04 15:30:21.343 FINEST ProcessSystemCallback Spyware scanner loaded pattern version 50700
2007-06-04 15:30:21.359 FINEST ProcessSystemCallback System scanner deactivate VA pattern
2007-06-04 15:30:21.375 FINEST ProcessSystemCallback System scanner deactivate SYSTEM MALWARE pattern
2007-06-04 15:30:21.375 FINEST ProcessSystemCallback Spyware scanner activate SPYWARE pattern
2007-06-04 15:30:21.468 FINEST ProcessSystemCallback Spyware scanner processSystem patternType=3 isclean=1 inactive=0
2007-06-04 15:30:21.484 FINEST ProcessSystemCallback getProcessableThreats
2007-06-04 15:30:21.515 FINEST Marking for DCE 1 of 4, marking ADW_WINFIXER.BQ, action=8
2007-06-04 15:30:21.562 FINEST Marking for DCE 2 of 4, marking ADWARE_BRILLIANTDIGITALENTERTAINMENT, action=8
2007-06-04 15:30:21.609 FINEST ProcessSystemCallback System scanner start backup for threat= ADWARE_BRILLIANTDIGITALENTERTAINMENT
2007-06-04 15:30:21.609 FINEST ProcessSystemCallback Spyware scanner start backup
2007-06-04 15:30:24.171 FINEST Marking for DCE 3 of 4, marking ADWARE_MEMWATCHER, action=8
2007-06-04 15:30:24.171 FINEST ProcessSystemCallback System scanner start backup for threat= ADWARE_MEMWATCHER
2007-06-04 15:30:24.203 FINEST ProcessSystemCallback Spyware scanner start backup
2007-06-04 15:30:27.359 FINEST Marking for DCE 4 of 4, marking ADWARE_MEMWATCHER, action=8
2007-06-04 15:30:27.359 FINEST ProcessSystemCallback Spyware scanner processable threats 4
2007-06-04 15:30:31.968 FINEST ProcessSystemCallback Spyware scanner mark processable threat for clean
2007-06-04 15:30:34.312 FINEST ProcessSystemCallback Spyware scanner mark processable threat for clean
2007-06-04 15:30:37.187 FINEST ProcessSystemCallback Spyware scanner mark processable threat for clean
2007-06-04 15:30:39.078 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:30:39.218 FINEST ProcessSystemCallback Found threat infection: Adware_BrilliantDigitalEntertainment
2007-06-04 15:30:39.234 WARNING ProcessSystemCallback reportActionResult: action = 2, result = 0
2007-06-04 15:30:40.578 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:30:40.625 FINEST ProcessSystemCallback Found threat infection: Adware_MemWatcher
2007-06-04 15:30:40.640 WARNING ProcessSystemCallback reportActionResult: action = 2, result = 0
2007-06-04 15:30:42.093 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-04 15:30:42.125 FINEST ProcessSystemCallback Found threat infection: Adware_MemWatcher
2007-06-04 15:30:42.140 WARNING ProcessSystemCallback reportActionResult: action = 2, result = 0
2007-06-04 15:30:43.000 INFO ProcessSystemCallback Spyware scanner process threat clean.
2007-06-04 15:30:43.031 FINEST ProcessSystemCallback Spyware scanner processed threat scan
2007-06-04 15:30:44.468 FINE SOAP The current ticket session is expired, a new report will be generated
2007-06-04 15:30:44.531 FINE Report Dump Using the report key -1 for the current ticket-session
2007-06-04 15:30:44.546 FINEST Report Dump making report C:\Documents and Settings\Dave\.housecall6.6\log\2007-06-04-15-30-44.infections
2007-06-04 15:30:44.656 FINEST Report Dump currect datetime = 2007-06-04 23\:30\:44 GMT
2007-06-04 15:30:44.671 FINEST Report Dump totally have 8 scanning
2007-06-04 15:30:44.718 FINEST Report Dump processing report 2007-06-04-15-30-44.infections
2007-06-04 15:31:53.093 FINEST engineInfo clean::SYSTEM_MALWARE
2007-06-04 15:31:53.937 FINEST patternTSC updateItem remote version = 0.866.0
2007-06-04 15:31:54.734 FINEST ProcessSystemCallback System scanner loaded pattern file Pattern\tsc.ptn
2007-06-04 15:31:54.734 FINEST ProcessSystemCallback System scanner loaded pattern file Pattern\tsc.ptn
2007-06-04 15:31:54.765 FINEST ProcessSystemCallback System scanner Pattern type=2, Version=86600
2007-06-04 15:31:54.781 FINEST ProcessSystemCallback System scanner deactivate VA pattern
2007-06-04 15:31:54.781 FINEST ProcessSystemCallback System scanner activate SYSTEM MALWARE pattern
2007-06-04 15:31:54.781 FINEST ProcessSystemCallback Spyware scanner deactivate SPYWARE pattern
2007-06-04 15:31:54.843 FINEST ProcessSystemCallback System scanner loaded pattern file Pattern\tsc.ptn
2007-06-04 15:31:54.843 FINEST ProcessSystemCallback getProcessableThreats
2007-06-04 15:31:54.843 FINEST ProcessSystemCallback System scanner processable threats=0
2007-06-04 15:31:54.859 FINEST ProcessSystemCallback System scanner set process mode. Clean=1, threat count=0
2007-06-04 15:32:25.078 SEVERE ProcessSystemCallback System scanner failed message transfer: (err=121)
2007-06-04 15:32:55.375 SEVERE ProcessSystemCallback System scanner failed message transfer: (err=121)
2007-06-05 14:54:32.234 FINEST Overall info OS version = WinXP
2007-06-05 14:54:32.265 FINEST Overall info AX build = 6.51.0.1020
2007-06-05 14:54:32.281 INFO Overall info previous version detected
2007-06-05 14:54:38.796 FINEST Report Dump checking for unsent reports
2007-06-05 14:55:03.203 FINEST scanEngineMalware updateItem remote version = 5.3000.1103, code = 4
2007-06-05 14:55:04.515 FINEST scanEngineGrayware updateItem remote version = 5.0.1060, code = 4
2007-06-05 14:55:05.781 FINEST scanEngineStorage:MAIN updateItem remote version = 8.3100.1002, code = 4
2007-06-05 14:55:07.906 FINEST scanEngineStorage:SYSTEM updateItem remote version = 5.3000.1103, code = 4
2007-06-05 14:55:07.968 FINEST engineInfo scan::SCAN_STORAGE
2007-06-05 14:55:08.468 FINEST patternVSAPI updateItem remote version = 4.513.0
2007-06-05 14:55:23.296 FINEST patternVSAPI updateItem(GRAYWARE) remote version = 0.497.0
2007-06-05 14:55:23.843 INFO ProcessSystemCallback Version 6.51-1020
2007-06-05 14:55:23.859 FINEST ProcessSystemCallback File scanner start initialization
2007-06-05 14:55:24.562 FINEST ProcessSystemCallback File Scanner version 831001002
2007-06-05 14:55:26.125 FINEST engineInfo scan::SCAN_STORAGE::init for tmaptn.###
2007-06-05 14:56:42.078 FINEST engineInfo Filename to check: C:\ , amount = 56037, size=16369906160
2007-06-05 14:56:42.109 FINEST ProcessSystemCallback Drive (C)
2007-06-05 14:56:42.218 FINEST ProcessSystemCallback Path (C) is processable
2007-06-05 14:56:42.250 FINEST engineInfo will check BootSector//Partition on C:
2007-06-05 14:59:54.937 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 14:59:54.953 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 14:59:55.843 WARNING ProcessCallback reportInfection: threatName=TROJ_VB.DGA, threatType=2, patternType=0,canClean=0, canRemove=1 return=0
2007-06-05 14:59:58.390 FINEST ProcessSystemCallback File scanner reportInfection TROJ_VB.DGA, type=2, canClean=0, canRemove=1
2007-06-05 15:00:58.921 WARNING ProcessCallback reportInfection: threatName=TROJ_VB.DGA, threatType=2, patternType=0,canClean=0, canRemove=1 return=0
2007-06-05 15:00:59.125 FINEST ProcessSystemCallback File scanner reportInfection TROJ_VB.DGA, type=2, canClean=0, canRemove=1
2007-06-05 15:07:31.515 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:08:38.312 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:08:38.312 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:08:47.890 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:08:47.968 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:08:48.250 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:08:48.250 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:08:48.406 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:08:48.406 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:08:48.484 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:08:48.484 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:15:13.593 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:34:00.125 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:34:00.359 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:34:00.421 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:34:00.468 SEVERE ProcessSystemCallback File scanner error=-94,
lucemonkey
2007-06-14, 09:08
Part 4
2007-06-05 15:45:01.265 WARNING ProcessCallback reportInfection: threatName=BKDR_SMALL.HXZ, threatType=2, patternType=0,canClean=0, canRemove=1 return=0
2007-06-05 15:45:03.781 FINEST ProcessSystemCallback File scanner reportInfection BKDR_SMALL.HXZ, type=2, canClean=0, canRemove=1
2007-06-05 15:45:24.203 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:45:24.203 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:45:24.234 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:45:24.250 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:45:24.296 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:45:24.296 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:45:24.296 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:45:24.296 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:45:24.390 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:45:24.390 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:49:56.156 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:49:56.218 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-05 15:50:22.359 FINEST scanEngineMalware updateItem remote version = 5.3000.1103, code = 4
2007-06-05 15:50:23.453 FINEST scanEngineGrayware updateItem remote version = 5.0.1060, code = 4
2007-06-05 15:50:23.500 FINEST engineInfo scan::SCAN_SYSTEM_GRAYWARE
2007-06-05 15:50:23.968 FINEST patternGrayware updateItem remote version = 0.509.0
2007-06-05 15:51:04.937 FINEST ProcessSystemCallback System scanner start initialization
2007-06-05 15:51:05.390 FINEST ProcessSystemCallback System scanner initialized
2007-06-05 15:51:05.437 WARNING ProcessSystemCallback Failed to load TrueAPI library
2007-06-05 15:51:05.437 WARNING ProcessSystemCallback Failed to load TrueAPI library file.
2007-06-05 15:51:05.453 WARNING ProcessSystemCallback Failed to copy sys file from C:\Documents and Settings\Dave\.housecall6.6\\tmcomm.sys to C:\WINDOWS\system32\drivers\tmcomm.sys, Error code is 2
2007-06-05 15:51:05.453 WARNING ProcessSystemCallback Failed to intialize TrueAPI driver.
2007-06-05 15:51:06.312 INFO ProcessSystemCallback Spyware scanner initialized (threadid=198)
2007-06-05 15:51:13.500 FINEST ProcessSystemCallback Spyware scanner loaded pattern file
2007-06-05 15:51:13.515 FINEST ProcessSystemCallback Spyware scanner activate SPYWARE pattern
2007-06-05 15:51:13.515 FINEST ProcessSystemCallback Spyware scanner pattern version 50900
2007-06-05 15:51:13.531 FINEST engineInfo threats count = 0
2007-06-05 15:51:13.531 FINEST engineInfo pattern location = C:\Documents and Settings\Dave\.housecall6.6\Pattern\TMADCE.ptn
2007-06-05 15:51:13.562 FINEST ProcessSystemCallback Spyware scanner processSystem patternType=3 isclean=0 inactive=0
2007-06-05 15:51:13.656 FINEST ProcessSystemCallback Found threat infection: (ID Started Scanning) on 'Programs in Memory'
2007-06-05 15:51:16.312 FINEST ProcessSystemCallback Found threat infection: (ID Started Scanning) on 'Internet Cookies'
2007-06-05 15:51:16.406 FINEST ProcessSystemCallback Found threat infection: (ID Started Scanning) on 'Windows Registry'
2007-06-05 15:51:31.687 FINEST ProcessSystemCallback Found threat infection: (ID Started Scanning) on 'Internet URL Shortcuts'
2007-06-05 15:51:39.031 FINEST ProcessSystemCallback Found threat infection: (ID Started Scanning) on 'Files and Directories'
2007-06-05 16:00:11.046 FINEST ProcessSystemCallback Found threat infection: (ID Started Scanning) on 'Program Startup Areas'
2007-06-05 16:00:12.156 FINEST ProcessSystemCallback Found threat infection: (ID Started Scanning) on 'Hosts File'
2007-06-05 16:00:12.593 FINEST ProcessSystemCallback Spyware scanner processed threat scan
2007-06-05 16:00:13.281 FINEST engineInfo scan::SCAN_SOFTWARE_VULNERABILITY
2007-06-05 16:00:13.796 FINEST patternVul updateItem remote version = 0.69.0
2007-06-05 16:00:14.187 FINEST ProcessSystemCallback System scanner version 530001103
2007-06-05 16:00:14.234 FINEST ProcessSystemCallback System scanner loaded pattern file Pattern\TMVAmain.ptn
2007-06-05 16:00:14.250 FINEST ProcessSystemCallback System scanner loaded pattern file Pattern\TMVAmain.ptn
2007-06-05 16:00:14.281 FINEST ProcessSystemCallback System scanner Pattern type=4, Version=6900
2007-06-05 16:00:14.312 FINEST engineInfo threats count = 0
2007-06-05 16:00:14.312 FINEST engineInfo pattern location = C:\Documents and Settings\Dave\.housecall6.6\Pattern\TMVAmain.ptn
2007-06-05 16:00:14.328 FINEST ProcessSystemCallback System scanner loaded pattern file Pattern\TMVAmain.ptn
2007-06-05 16:00:14.328 FINEST ProcessSystemCallback getProcessableThreats
2007-06-05 16:00:14.328 FINEST ProcessSystemCallback System scanner processable threats=0
2007-06-05 16:00:14.343 FINEST ProcessSystemCallback System scanner set process mode. Clean=0, threat count=0
2007-06-05 16:00:18.468 FINEST ProcessSystemCallback Sytem Scanner start threat process transfer
2007-06-05 16:00:24.250 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-05 16:00:24.921 FINEST ProcessSystemCallback Found threat infection: MS04-031
2007-06-05 16:00:24.937 FINEST ProcessSystemCallback System Scanner found threat infection: MS04-031
2007-06-05 16:00:24.953 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-05 16:00:25.406 FINEST ProcessSystemCallback Found threat infection: MS04-032
2007-06-05 16:00:25.437 FINEST ProcessSystemCallback System Scanner found threat infection: MS04-032
2007-06-05 16:00:25.453 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-05 16:00:25.843 FINEST ProcessSystemCallback Found threat infection: MS04-034
2007-06-05 16:00:25.859 FINEST ProcessSystemCallback System Scanner found threat infection: MS04-034
2007-06-05 16:00:25.890 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-05 16:00:26.390 FINEST ProcessSystemCallback Found threat infection: MS04-037
2007-06-05 16:00:26.421 FINEST ProcessSystemCallback System Scanner found threat infection: MS04-037
2007-06-05 16:00:30.921 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-05 16:00:31.453 FINEST ProcessSystemCallback Found threat infection: MS06-061
2007-06-05 16:00:31.468 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-061
2007-06-05 16:00:31.515 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-05 16:00:31.906 FINEST ProcessSystemCallback Found threat infection: MS06-071
2007-06-05 16:00:31.937 FINEST ProcessSystemCallback System Scanner found threat infection: MS06-071
2007-06-05 16:00:31.953 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-05 16:00:32.625 FINEST ProcessSystemCallback Found threat infection: MS07-005
2007-06-05 16:00:32.640 FINEST ProcessSystemCallback System Scanner found threat infection: MS07-005
2007-06-05 16:00:32.687 FINEST ProcessSystemCallback System Scanner stop threat process transfer. Number of threats=215
2007-06-05 16:00:34.296 FINE Report Dump Using the report key -1 for the current ticket-session
2007-06-05 16:00:34.312 FINEST Report Dump making report C:\Documents and Settings\Dave\.housecall6.6\log\2007-06-05-16-00-34.temp
2007-06-05 16:00:34.468 FINEST Report Dump currect datetime = 2007-06-06 00\:00\:34 GMT
2007-06-05 16:00:34.468 FINEST Report Dump totally have 4 scanning
2007-06-05 16:04:14.359 FINEST engineInfo clean::SYSTEM_MALWARE
2007-06-05 16:04:14.921 FINEST patternTSC updateItem remote version = 0.866.0
2007-06-05 16:04:15.421 FINEST ProcessSystemCallback System scanner loaded pattern file Pattern\tsc.ptn
2007-06-05 16:04:15.421 FINEST ProcessSystemCallback System scanner loaded pattern file Pattern\tsc.ptn
2007-06-05 16:04:15.453 FINEST ProcessSystemCallback System scanner Pattern type=2, Version=86600
2007-06-05 16:04:15.453 FINEST ProcessSystemCallback System scanner deactivate VA pattern
2007-06-05 16:04:15.453 FINEST ProcessSystemCallback System scanner activate SYSTEM MALWARE pattern
2007-06-05 16:04:15.453 FINEST ProcessSystemCallback Spyware scanner deactivate SPYWARE pattern
2007-06-05 16:04:15.500 FINEST ProcessSystemCallback System scanner loaded pattern file Pattern\tsc.ptn
2007-06-05 16:04:15.500 FINEST ProcessSystemCallback getProcessableThreats
2007-06-05 16:04:15.500 FINEST ProcessSystemCallback System scanner processable threats=0
2007-06-05 16:04:15.500 FINEST ProcessSystemCallback System scanner set process mode. Clean=1, threat count=0
2007-06-05 16:04:17.015 FINEST ProcessSystemCallback Sytem Scanner start threat process transfer
2007-06-05 16:04:59.046 FINEST ProcessSystemCallback System Scanner stop threat process transfer. Number of threats=3093
2007-06-05 16:04:59.312 FINEST engineInfo clean::MAIN
2007-06-05 16:04:59.328 FINEST ProcessSystemCallback File Scanner version 831001002
2007-06-05 16:05:05.031 SEVERE ProcessSystemCallback File scanner error=-99,
2007-06-05 16:05:05.078 FINEST engineInfo scan::SCAN_STORAGE::init for tmaptn.###
2007-06-05 16:05:07.703 FINEST engineInfo Filename to clean: C:\Documents and Settings\Dave\Local Settings\Temp\1.exe , amount = 0, size=0.000000
2007-06-05 16:05:07.703 FINEST ProcessSystemCallback Drive (C)
2007-06-05 16:05:07.703 FINEST ProcessSystemCallback Path (C) is processable
2007-06-05 16:05:07.718 FINEST engineInfo will clean BootSector//Partition on C:
2007-06-05 16:05:09.640 WARNING ProcessCallback reportInfection: threatName=TROJ_VB.DGA, threatType=2, patternType=0,canClean=0, canRemove=1 return=0
2007-06-05 16:05:09.703 FINEST ProcessSystemCallback File scanner reportInfection TROJ_VB.DGA, type=2, canClean=0, canRemove=1
2007-06-05 16:05:09.703 WARNING ProcessCallback reportActionResult: action = 1, result = 1
2007-06-05 16:05:09.734 WARNING ProcessCallback reportActionResult: action = 3, result = 0
2007-06-05 16:05:10.062 FINEST engineInfo Filename to clean: C:\Documents and Settings\Dave\Local Settings\Temp\MSIF977.tmp , amount = 0, size=0.000000
2007-06-05 16:05:10.062 FINEST ProcessSystemCallback Drive (C)
2007-06-05 16:05:10.078 FINEST ProcessSystemCallback Path (C) is processable
2007-06-05 16:05:10.140 WARNING ProcessCallback reportInfection: threatName=TROJ_VB.DGA, threatType=2, patternType=0,canClean=0, canRemove=1 return=0
2007-06-05 16:05:10.156 FINEST ProcessSystemCallback File scanner reportInfection TROJ_VB.DGA, type=2, canClean=0, canRemove=1
2007-06-05 16:05:10.156 WARNING ProcessCallback reportActionResult: action = 1, result = 1
2007-06-05 16:05:10.171 WARNING ProcessCallback reportActionResult: action = 3, result = 0
2007-06-05 16:05:11.046 FINEST engineInfo Filename to clean: C:\WINDOWS\SYSTEM32\advvpi32.dll , amount = 0, size=0.000000
2007-06-05 16:05:11.062 FINEST ProcessSystemCallback Drive (C)
2007-06-05 16:05:11.062 FINEST ProcessSystemCallback Path (C) is processable
2007-06-05 16:05:11.828 FINE SOAP The current ticket session is expired, a new report will be generated
2007-06-05 16:05:11.828 FINE Report Dump Using the report key -1 for the current ticket-session
2007-06-05 16:05:11.828 FINEST Report Dump making report C:\Documents and Settings\Dave\.housecall6.6\log\2007-06-05-16-05-11.infections
2007-06-05 16:05:11.953 FINEST Report Dump currect datetime = 2007-06-06 00\:05\:12 GMT
2007-06-05 16:05:11.953 FINEST Report Dump totally have 7 scanning
2007-06-05 16:05:11.984 FINEST Report Dump processing report 2007-06-05-16-05-11.infections
2007-06-10 17:50:25.203 FINEST Overall info OS version = WinXP
2007-06-10 17:50:25.218 FINEST Overall info AX build = 6.51.0.1020
2007-06-10 17:50:25.250 INFO Overall info previous version detected
2007-06-10 17:50:35.078 FINEST Report Dump checking for unsent reports
2007-06-10 17:51:00.062 FINEST scanEngineMalware updateItem remote version = 5.3000.1103, code = 4
2007-06-10 17:51:01.453 FINEST scanEngineGrayware updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:51:01.453 FINEST engineUpdate Trying next AU server
2007-06-10 17:51:02.593 FINEST scanEngineGrayware updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:51:02.609 FINEST engineUpdate Trying next AU server
2007-06-10 17:51:03.468 FINEST scanEngineGrayware updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:51:08.265 FINEST scanEngineGrayware updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:51:08.296 FINEST engineUpdate Trying next AU server
2007-06-10 17:51:08.843 FINEST scanEngineGrayware updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:51:08.843 FINEST engineUpdate Trying next AU server
2007-06-10 17:51:09.343 FINEST scanEngineGrayware updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:51:14.125 FINEST scanEngineGrayware updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:51:14.140 FINEST engineUpdate Trying next AU server
2007-06-10 17:51:14.687 FINEST scanEngineGrayware updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:51:14.687 FINEST engineUpdate Trying next AU server
2007-06-10 17:51:15.156 FINEST scanEngineGrayware updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:51:18.390 FINEST scanEngineStorage:MAIN updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:51:18.390 FINEST engineUpdate Trying next AU server
2007-06-10 17:51:19.015 FINEST scanEngineStorage:MAIN updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:51:19.015 FINEST engineUpdate Trying next AU server
2007-06-10 17:51:19.765 FINEST scanEngineStorage:MAIN updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:51:22.343 FINEST scanEngineStorage:SYSTEM updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:51:22.343 FINEST engineUpdate Trying next AU server
2007-06-10 17:51:22.968 FINEST scanEngineStorage:SYSTEM updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:51:22.968 FINEST engineUpdate Trying next AU server
2007-06-10 17:51:23.843 FINEST scanEngineStorage:SYSTEM updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:51:27.156 FINEST scanEngineStorage:SYSTEM updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:51:27.171 FINEST engineUpdate Trying next AU server
2007-06-10 17:51:27.859 FINEST scanEngineStorage:SYSTEM updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:51:27.859 FINEST engineUpdate Trying next AU server
2007-06-10 17:51:28.296 FINEST scanEngineStorage:SYSTEM updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:52:04.343 FINEST scanEngineStorage:SYSTEM updateItem remote version = 5.3000.1103, code = -28
lucemonkey
2007-06-14, 09:09
Part5
2007-06-10 17:52:04.390 FINEST engineUpdate Trying next AU server
2007-06-10 17:52:08.468 FINEST scanEngineStorage:SYSTEM updateItem remote version = 5.3000.1103, code = -28
2007-06-10 17:52:08.484 FINEST engineUpdate Trying next AU server
2007-06-10 17:52:14.093 FINEST scanEngineStorage:SYSTEM updateItem remote version = 5.3000.1103, code = -28
2007-06-10 17:52:19.312 FINEST Overall info OS version = WinXP
2007-06-10 17:52:19.312 FINEST Overall info AX build = 6.51.0.1020
2007-06-10 17:53:03.031 FINEST Overall info OS version = WinXP
2007-06-10 17:53:03.031 FINEST Overall info AX build = 6.51.0.1020
2007-06-10 17:53:05.968 FINEST Overall info OS version = WinXP
2007-06-10 17:53:05.968 FINEST Overall info AX build = 6.51.0.1020
2007-06-10 17:58:20.875 FINEST Overall info OS version = WinXP
2007-06-10 17:58:20.890 FINEST Overall info AX build = 6.51.0.1020
2007-06-10 17:58:20.890 INFO Overall info previous version detected
2007-06-10 17:58:27.109 FINEST Report Dump checking for unsent reports
2007-06-10 17:58:41.500 FINEST scanEngineMalware updateItem remote version = 5.3000.1103, code = 4
2007-06-10 17:58:48.328 FINEST scanEngineGrayware updateItem remote version = 5.0.1060, code = 0
2007-06-10 17:58:53.953 FINEST scanEngineStorage:MAIN updateItem remote version = 8.3100.1002, code = 0
2007-06-10 17:58:55.828 FINEST scanEngineStorage:SYSTEM updateItem remote version = 5.3000.1103, code = 0
2007-06-10 17:58:55.937 FINEST engineInfo scan::SCAN_STORAGE
2007-06-10 17:58:56.656 FINEST patternVSAPI updateItem remote version = 4.525.0
2007-06-10 17:59:03.015 FINEST patternVSAPI updateItem remote version = 0.0.-28
2007-06-10 17:59:03.609 FINEST patternVSAPI updateItem remote version = 0.0.-28
2007-06-10 17:59:04.171 FINEST patternVSAPI updateItem(GRAYWARE) remote version = 0.0.-28
2007-06-10 17:59:04.453 FINEST patternUpdate Trying next AU server
2007-06-10 17:59:04.718 FINEST patternVSAPI updateItem(GRAYWARE) remote version = 0.0.-28
2007-06-10 17:59:04.953 FINEST patternUpdate Trying next AU server
2007-06-10 17:59:05.171 FINEST patternVSAPI updateItem(GRAYWARE) remote version = 0.0.-28
2007-06-10 17:59:09.578 FINEST patternVSAPI updateItem(GRAYWARE) remote version = 0.0.-28
2007-06-10 17:59:09.828 FINEST patternUpdate Trying next AU server
2007-06-10 17:59:10.062 FINEST patternVSAPI updateItem(GRAYWARE) remote version = 0.0.-28
2007-06-10 17:59:10.359 FINEST patternUpdate Trying next AU server
2007-06-10 17:59:10.687 FINEST patternVSAPI updateItem(GRAYWARE) remote version = 0.0.-28
2007-06-10 17:59:12.609 FINEST patternVSAPI updateItem(GRAYWARE) remote version = 0.0.-28
2007-06-10 17:59:12.875 FINEST patternUpdate Trying next AU server
2007-06-10 17:59:13.250 FINEST patternVSAPI updateItem(GRAYWARE) remote version = 0.0.-28
2007-06-10 17:59:13.640 FINEST patternUpdate Trying next AU server
2007-06-10 17:59:13.906 FINEST patternVSAPI updateItem(GRAYWARE) remote version = 0.0.-28
2007-06-10 17:59:15.593 FINEST patternVSAPI updateItem(GRAYWARE) remote version = 0.0.-28
2007-06-10 17:59:15.906 FINEST patternUpdate Trying next AU server
2007-06-10 17:59:16.156 FINEST patternVSAPI updateItem(GRAYWARE) remote version = 0.0.-28
2007-06-10 17:59:16.421 FINEST patternUpdate Trying next AU server
2007-06-10 17:59:16.718 FINEST patternVSAPI updateItem(GRAYWARE) remote version = 0.0.-28
2007-06-10 17:59:18.218 FINEST patternVSAPI updateItem(GRAYWARE) remote version = 0.0.-28
2007-06-10 17:59:18.531 FINEST patternUpdate Trying next AU server
2007-06-10 17:59:18.765 FINEST patternVSAPI updateItem(GRAYWARE) remote version = 0.0.-28
2007-06-10 17:59:18.984 FINEST patternUpdate Trying next AU server
2007-06-10 17:59:19.312 FINEST patternVSAPI updateItem(GRAYWARE) remote version = 0.0.-28
2007-06-10 17:59:20.843 FINEST patternVSAPI updateItem(GRAYWARE) remote version = 0.0.-28
2007-06-10 17:59:21.078 FINEST patternUpdate Trying next AU server
2007-06-10 17:59:21.312 FINEST patternVSAPI updateItem(GRAYWARE) remote version = 0.0.-28
2007-06-10 17:59:21.609 FINEST patternUpdate Trying next AU server
2007-06-10 17:59:22.015 FINEST patternVSAPI updateItem(GRAYWARE) remote version = 0.0.-28
2007-06-10 17:59:24.062 FINEST patternVSAPI updateItem(GRAYWARE) remote version = 0.0.-28
2007-06-10 17:59:24.312 FINEST patternUpdate Trying next AU server
2007-06-10 17:59:24.578 FINEST patternVSAPI updateItem(GRAYWARE) remote version = 0.0.-28
2007-06-10 17:59:24.843 FINEST patternUpdate Trying next AU server
2007-06-10 17:59:25.125 FINEST patternVSAPI updateItem(GRAYWARE) remote version = 0.0.-28
2007-06-10 17:59:27.156 SEVERE engineInfo problem with updating pattern file
2007-06-10 17:59:28.125 FINEST scanEngineMalware updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:59:28.125 FINEST engineUpdate Trying next AU server
2007-06-10 17:59:28.843 FINEST scanEngineMalware updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:59:28.843 FINEST engineUpdate Trying next AU server
2007-06-10 17:59:29.453 FINEST scanEngineMalware updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:59:31.203 FINEST scanEngineGrayware updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:59:31.203 FINEST engineUpdate Trying next AU server
2007-06-10 17:59:31.875 FINEST scanEngineGrayware updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:59:31.890 FINEST engineUpdate Trying next AU server
2007-06-10 17:59:32.515 FINEST scanEngineGrayware updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:59:33.843 FINEST engineInfo scan::SCAN_SYSTEM_GRAYWARE
2007-06-10 17:59:34.156 FINEST patternGrayware updateItem remote version = 0.0.-28
2007-06-10 17:59:34.453 FINEST patternUpdate Trying next AU server
2007-06-10 17:59:34.671 FINEST patternGrayware updateItem remote version = 0.0.-28
2007-06-10 17:59:34.968 FINEST patternUpdate Trying next AU server
2007-06-10 17:59:35.234 FINEST patternGrayware updateItem remote version = 0.0.-28
2007-06-10 17:59:37.359 SEVERE engineInfo problem with updating pattern file
2007-06-10 17:59:38.312 FINEST scanEngineMalware updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:59:38.312 FINEST engineUpdate Trying next AU server
2007-06-10 17:59:38.875 FINEST scanEngineMalware updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:59:38.890 FINEST engineUpdate Trying next AU server
2007-06-10 17:59:39.375 FINEST scanEngineMalware updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:59:40.984 FINEST scanEngineGrayware updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:59:40.984 FINEST engineUpdate Trying next AU server
2007-06-10 17:59:41.562 FINEST scanEngineGrayware updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:59:41.562 FINEST engineUpdate Trying next AU server
2007-06-10 17:59:42.343 FINEST scanEngineGrayware updateItem remote version = 0.0.-28, code = -28
2007-06-10 17:59:45.265 FINEST scanEngineSoftwareVul updateItem remote version = , code = 4
2007-06-10 17:59:45.328 FINEST engineInfo scan::SCAN_SOFTWARE_VULNERABILITY
2007-06-10 17:59:45.812 FINEST patternVul updateItem remote version = 0.0.-28
2007-06-10 17:59:46.046 FINEST patternUpdate Trying next AU server
2007-06-10 17:59:46.281 FINEST patternVul updateItem remote version = 0.0.-28
2007-06-10 17:59:46.890 FINEST patternUpdate Trying next AU server
2007-06-10 18:02:56.296 FINEST Overall info OS version = WinXP
2007-06-10 18:02:56.312 FINEST Overall info AX build = 6.51.0.1020
2007-06-10 18:02:56.312 INFO Overall info previous version detected
2007-06-10 18:03:01.625 FINEST Report Dump checking for unsent reports
2007-06-10 18:03:21.968 FINEST scanEngineMalware updateItem remote version = 5.3000.1103, code = 0
2007-06-10 18:03:27.093 FINEST scanEngineGrayware updateItem remote version = 5.0.1060, code = 0
2007-06-10 18:03:28.281 FINEST scanEngineStorage:MAIN updateItem remote version = 8.3100.1002, code = 4
2007-06-10 18:03:29.250 FINEST scanEngineStorage:SYSTEM updateItem remote version = 5.3000.1103, code = 4
2007-06-10 18:03:29.546 FINEST engineInfo scan::SCAN_STORAGE
2007-06-10 18:03:30.156 FINEST patternVSAPI updateItem remote version = 4.525.0
2007-06-10 18:04:56.453 FINEST patternVSAPI updateItem(GRAYWARE) remote version = 0.499.0
2007-06-10 18:05:04.828 INFO ProcessSystemCallback Version 6.51-1020
2007-06-10 18:05:04.828 FINEST ProcessSystemCallback File scanner start initialization
2007-06-10 18:05:05.203 FINEST ProcessSystemCallback File Scanner version 831001002
2007-06-10 18:05:06.921 FINEST engineInfo scan::SCAN_STORAGE::init for tmaptn.###
2007-06-10 18:06:09.703 FINEST engineInfo Filename to check: C:\ , amount = 65972, size=17542651728
2007-06-10 18:06:09.718 FINEST ProcessSystemCallback Drive (C)
2007-06-10 18:06:09.734 FINEST ProcessSystemCallback Path (C) is processable
2007-06-10 18:06:09.734 FINEST engineInfo will check BootSector//Partition on C:
2007-06-10 18:09:13.046 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 18:09:13.093 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 18:12:52.218 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 18:12:52.281 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 18:13:09.437 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 18:13:09.453 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 18:13:09.687 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 18:13:09.703 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 18:13:09.703 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 18:13:12.343 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 18:13:14.343 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 18:13:16.390 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 18:13:41.953 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 18:13:41.968 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 18:13:50.750 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 18:13:50.750 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 18:13:51.015 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 18:13:51.015 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 18:13:51.125 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 18:13:51.125 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 18:13:51.296 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 18:13:51.343 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 18:13:53.218 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 18:13:53.218 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 18:19:32.703 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 18:40:54.953 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 19:00:23.593 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 19:01:01.687 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 19:01:01.718 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 19:01:01.781 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 19:01:01.796 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 19:01:01.796 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 19:01:01.796 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 19:01:01.812 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 19:01:01.812 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 19:01:01.906 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 19:01:01.906 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 19:03:02.593 WARNING ProcessCallback reportInfection: threatName=TROJ_SMALL.FWJ, threatType=2, patternType=0,canClean=0, canRemove=1 return=0
2007-06-10 19:03:05.250 FINEST ProcessSystemCallback File scanner reportInfection TROJ_SMALL.FWJ, type=2, canClean=0, canRemove=1
2007-06-10 19:05:23.171 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 19:05:23.187 SEVERE ProcessSystemCallback File scanner error=-94,
2007-06-10 19:05:52.687 FINEST scanEngineMalware updateItem remote version = 5.3000.1103, code = 4
2007-06-10 19:05:53.687 FINEST scanEngineGrayware updateItem remote version = 5.0.1060, code = 4
2007-06-10 19:05:53.750 FINEST engineInfo scan::SCAN_SYSTEM_GRAYWARE
2007-06-10 19:05:54.265 FINEST patternGrayware updateItem remote version = 0.509.0
2007-06-10 19:06:36.140 FINEST ProcessSystemCallback System scanner start initialization
2007-06-10 19:06:37.093 FINEST ProcessSystemCallback System scanner initialized
2007-06-10 19:06:37.187 WARNING ProcessSystemCallback Failed to load TrueAPI library
2007-06-10 19:06:37.187 WARNING ProcessSystemCallback Failed to load TrueAPI library file.
2007-06-10 19:06:37.218 WARNING ProcessSystemCallback Failed to copy sys file from C:\Documents and Settings\Dave\.housecall6.6\\tmcomm.sys to C:\WINDOWS\system32\drivers\tmcomm.sys, Error code is 2
2007-06-10 19:06:37.218 WARNING ProcessSystemCallback Failed to intialize TrueAPI driver.
2007-06-10 19:06:38.218 INFO ProcessSystemCallback Spyware scanner initialized (threadid=8cc)
2007-06-10 19:06:45.578 FINEST ProcessSystemCallback Spyware scanner loaded pattern file
2007-06-10 19:06:45.578 FINEST ProcessSystemCallback Spyware scanner activate SPYWARE pattern
2007-06-10 19:06:45.593 FINEST ProcessSystemCallback Spyware scanner pattern version 50900
2007-06-10 19:06:45.609 FINEST engineInfo threats count = 0
2007-06-10 19:06:45.625 FINEST engineInfo pattern location = C:\Documents and Settings\Dave\.housecall6.6\Pattern\TMADCE.ptn
2007-06-10 19:06:45.671 FINEST ProcessSystemCallback Spyware scanner processSystem patternType=3 isclean=0 inactive=0
2007-06-10 19:06:45.953 FINEST ProcessSystemCallback Found threat infection: (ID Started Scanning) on 'Programs in Memory'
2007-06-10 19:06:49.125 FINEST ProcessSystemCallback Found threat infection: (ID Started Scanning) on 'Internet Cookies'
2007-06-10 19:06:49.187 FINEST ProcessSystemCallback Found threat infection: (ID Started Scanning) on 'Windows Registry'
2007-06-10 19:07:14.578 FINEST ProcessSystemCallback Found threat infection: (ID Started Scanning) on 'Internet URL Shortcuts'
2007-06-10 19:07:23.937 FINEST ProcessSystemCallback Found threat infection: (ID Started Scanning) on 'Files and Directories'
2007-06-10 19:23:20.421 FINEST ProcessSystemCallback Found threat infection: (ID Started Scanning) on 'Program Startup Areas'
2007-06-10 19:23:22.593 FINEST ProcessSystemCallback Found threat infection: (ID Started Scanning) on 'Hosts File'
2007-06-10 19:23:25.296 FINEST ProcessSystemCallback Spyware scanner processed threat scan
2007-06-10 19:23:26.781 FINEST engineInfo scan::SCAN_SOFTWARE_VULNERABILITY
2007-06-10 19:23:27.406 FINEST patternVul updateItem remote version = 0.69.0
2007-06-10 19:23:28.031 FINEST ProcessSystemCallback System scanner version 530001103
2007-06-10 19:23:28.093 FINEST ProcessSystemCallback System scanner loaded pattern file Pattern\TMVAmain.ptn
2007-06-10 19:23:28.093 FINEST ProcessSystemCallback System scanner loaded pattern file Pattern\TMVAmain.ptn
2007-06-10 19:23:28.109 FINEST ProcessSystemCallback System scanner Pattern type=4, Version=6900
2007-06-10 19:23:28.156 FINEST engineInfo threats count = 0
2007-06-10 19:23:28.156 FINEST engineInfo pattern location = C:\Documents and Settings\Dave\.housecall6.6\Pattern\TMVAmain.ptn
2007-06-10 19:23:28.171 FINEST ProcessSystemCallback System scanner loaded pattern file Pattern\TMVAmain.ptn
2007-06-10 19:23:28.187 FINEST ProcessSystemCallback getProcessableThreats
2007-06-10 19:23:28.187 FINEST ProcessSystemCallback System scanner processable threats=0
2007-06-10 19:23:28.187 FINEST ProcessSystemCallback System scanner set process mode. Clean=0, threat count=0
2007-06-10 19:23:34.937 FINEST ProcessSystemCallback Sytem Scanner start threat process transfer
2007-06-10 19:23:38.171 WARNING ProcessSystemCallback reportInfection threatName = 2007-06-10 19:23:42.921 FINEST ProcessSystemCallback Found threat infection: MS05-004
2007-06-10 19:23:42.921 FINEST ProcessSystemCallback System Scanner found threat infection: MS05-004
2007-06-10 19:23:48.031 FINEST ProcessSystemCallback System Scanner stop threat process transfer. Number of threats=215
2007-06-10 19:23:49.578 FINE Report Dump Using the report key -1 for the current ticket-session
2007-06-10 19:23:49.593 FINEST Report Dump making report C:\Documents and Settings\Dave\.housecall6.6\log\2007-06-10-19-23-49.temp
2007-06-10 19:23:49.765 FINEST Report Dump currect datetime = 2007-06-11 03\:23\:49 GMT
2007-06-10 19:23:49.765 FINEST Report Dump totally have 4 scanning
lucemonkey
2007-06-14, 09:21
I forgot to mention in my earlier posts that I have downloaded Windows XP service pack 2.:oops:
pskelley
2007-06-14, 15:53
I forgot to mention in my earlier posts that I have downloaded Windows XP service pack 2.Probably a BIG mistake, any instruction from Microsoft about installing SP2 requires that it be done on a clean, uninfected computer. I have no idea how this will effect you, you can ask Microsoft: http://support.microsoft.com/
Please read the instructions again...thanks.
I have no idea what you posted that is supposed to an antivirus scan results? I have never seen that before, please tell me what scan it was, but do not post those results again, waste of space.
You have not posted a HJT log, rather a piece of one from the bottom of a log, follow these directions exactly please:
Download Trend Micro Hijack This™
http://www.trendsecure.com/portal/en-US/threat_analytics/hijackthis.php?page=download
Download it to your Program Files folder.
Doubleclick the HijackThis_V2.exe to start it.
Click "Do a System Scan and save a logfile"
This will create a HijackThislog.
Copy and paste the contents of the log in your next reply
Make sure you choose Edit then Select All at the top of notepad. Post that log and nothing else.
Thanks
lucemonkey
2007-06-14, 18:25
Here is the Hijackthis log. The antivirus log was from trend house cleaner.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:20:50 AM, on 06/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\DriveCleaner Free\dcsm.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\hijack\HiJackThis_v2.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/sbcydsl/*http://www.yahoo.com/search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {0868E7A4-82FD-48ED-942F-AC7CEC0280C3} - C:\WINDOWS\System32\nnnollj.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\fhitgpsg.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {C34B62DE-3E93-4A4D-9DA2-D8A6CD275719} - C:\WINDOWS\System32\jkkjh.dll
O2 - BHO: (no name) - {C7F4AD32-13EA-4542-AAB7-570D805A4614} - C:\WINDOWS\system32\ooxtdcgt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [IncredimailDownloader] C:\WINDOWS\DOWNLO~1\imloader.exe
O4 - HKLM\..\Run: [ImInstaller] C:\DOCUME~1\Dave\LOCALS~1\Temp\ImInstaller\IncrediMail\imloader.exe -product IncrediMail
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB003" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /O6 "USB003" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\DriveCleaner Free\dcsm.exe"
O4 - HKLM\..\Run: [j7261837] rundll32 C:\WINDOWS\System32\j7261837.dll sook
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\gwjvdxyd.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [IM] C:\PROGRA~1\EARTHL~4\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20011217/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181004992187
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D68DAEED-C2A6-4C6F-9365-4676B173D8EF} (OcarptMain Class) - https://oca.microsoft.com/secure/OCARPT.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/netscape/TrueInstallNetscape.exe
O20 - Winlogon Notify: jkkjh - C:\WINDOWS\System32\jkkjh.dll
O20 - Winlogon Notify: nnnollj - C:\WINDOWS\SYSTEM32\nnnollj.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
--
End of file - 13024 bytes
pskelley
2007-06-14, 19:35
Thanks for the HJT log, this is a Vundo infection. You can remove it if you follow directions, those that do have few problems. First, here is some information about this junk:
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks/search.aspx?q=winfixer+msn
http://www.revenews.com/wayneporter/archives/adware-spyware-greynets/getting_the_fix_on_winfixer_aol_network_now/
I will give you a lot of instructions at once, but I am in no way rushing you. I encourage you to take the time you need to follow the directions carefully.
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
Thanks to Atribune and any others who helped with this fix.
Please understand these hackers can call there junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"
3) Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThislogin a reply to this thread.Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com
(hold that report and HJT log until you finish)
4) Start > Control Panel > Add Remove programs and uninstall DriveCleaner Free if it is there.
(You have items that are valid but damaged with files missing. I will remove these, if you use them download them again once we are finished)
5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
(some lines may be gone, removed by Vundofix, don't be concerned just don't miss any)
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: (no name) - {0868E7A4-82FD-48ED-942F-AC7CEC0280C3} - C:\WINDOWS\System32\nnnollj.dll
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll (file missing)
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\fhitgpsg.dll
O2 - BHO: (no name) - {77701e16-9bfe-4b63-a5b4-7bd156758a37} - (no file)
O2 - BHO: (no name) - {C34B62DE-3E93-4A4D-9DA2-D8A6CD275719} - C:\WINDOWS\System32\jkkjh.dll
O2 - BHO: (no name) - {C7F4AD32-13EA-4542-AAB7-570D805A4614} - C:\WINDOWS\system32\ooxtdcgt.dll
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\DriveCleaner Free\dcsm.exe"
O4 - HKLM\..\Run: [j7261837] rundll32 C:\WINDOWS\System32\j7261837.dll sook
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\gwjvdxyd.dll",realset
O20 - Winlogon Notify: jkkjh - C:\WINDOWS\System32\jkkjh.dll
O20 - Winlogon Notify: nnnollj - C:\WINDOWS\SYSTEM32\nnnollj.dll
Close all programs but HJT and all browser windows, then click on "Fix Checked"
6) RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\Program Files\Common Files\DriveCleaner Free\ <<< delete that folder
C:\WINDOWS\System32\j7261837.dll <<< delete that file
C:\WINDOWS\system32\gwjvdxyd.dll <<< delete that file
(it is important we kill these, if they give you trouble, use this tool and instructions)
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post the Vundofix report and a new HJT log.
Thanks
lucemonkey
2007-06-16, 04:02
I have run through the procedure you sent me. So far everything went well but I could not find the following files you said to locate and delete:
C:\WINDOWS\System32\j7261837.dll
C:\WINDOWS\System32\gwjvdxyd.dll
Here are my logs from the latest scans
VundoFix V6.5.0
Checking Java version...
Sun Java not detected
Scan started at 3:52:34 PM 06/15/2007
Listing files found while scanning....
C:\WINDOWS\System32\dhvrfwgn.dll
C:\windows\system32\haeuxkmu.ini
C:\WINDOWS\System32\hjkkj.bak1
C:\WINDOWS\System32\hjkkj.bak2
C:\WINDOWS\System32\hjkkj.ini
C:\WINDOWS\System32\jkkjh.dll
C:\windows\system32\nnnollj.dll
C:\windows\system32\ooxtdcgt.dll
C:\windows\system32\umkxueah.dll
Beginning removal...
Attempting to delete C:\windows\system32\haeuxkmu.ini
C:\windows\system32\haeuxkmu.ini Has been deleted!
Attempting to delete C:\WINDOWS\System32\hjkkj.bak1
C:\WINDOWS\System32\hjkkj.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\System32\hjkkj.bak2
C:\WINDOWS\System32\hjkkj.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\System32\hjkkj.ini
C:\WINDOWS\System32\hjkkj.ini Has been deleted!
Attempting to delete C:\WINDOWS\System32\jkkjh.dll
C:\WINDOWS\System32\jkkjh.dll Has been deleted!
Attempting to delete C:\windows\system32\nnnollj.dll
C:\windows\system32\nnnollj.dll Could not be deleted.
Attempting to delete C:\windows\system32\ooxtdcgt.dll
C:\windows\system32\ooxtdcgt.dll Has been deleted!
Attempting to delete C:\windows\system32\umkxueah.dll
C:\windows\system32\umkxueah.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.0
Checking Java version...
Sun Java not detected
Scan started at 4:05:51 PM 06/15/2007
Listing files found while scanning....
VundoFix V6.5.0
Checking Java version...
Sun Java not detected
Scan started at 4:11:24 PM 06/15/2007
Listing files found while scanning....
C:\windows\system32\nnnollj.dll
C:\WINDOWS\system32\ppqss.bak1
C:\WINDOWS\system32\ppqss.ini
C:\WINDOWS\system32\ssqpp.dll
Beginning removal...
Attempting to delete C:\windows\system32\nnnollj.dll
C:\windows\system32\nnnollj.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\ppqss.bak1
C:\WINDOWS\system32\ppqss.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ppqss.ini
C:\WINDOWS\system32\ppqss.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqpp.dll
C:\WINDOWS\system32\ssqpp.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.0
Checking Java version...
Sun Java not detected
Scan started at 4:19:17 PM 06/15/2007
Listing files found while scanning....
C:\windows\system32\nnnollj.dll
Beginning removal...
Attempting to delete C:\windows\system32\nnnollj.dll
C:\windows\system32\nnnollj.dll Has been deleted!
Performing Repairs to the registry.
Done!
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:55:00 PM, on 06/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\hijack\HiJackThis_v2.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2B233300-F6CC-47CA-9A2F-72B2F9489175} - C:\WINDOWS\System32\jkkjh.dll (file missing)
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {7014FD60-D910-43E0-B737-2A065526112C} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: (no name) - {C7F4AD32-13EA-4542-AAB7-570D805A4614} - C:\WINDOWS\system32\lfdgmavm.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [IncredimailDownloader] C:\WINDOWS\DOWNLO~1\imloader.exe
O4 - HKLM\..\Run: [ImInstaller] C:\DOCUME~1\Dave\LOCALS~1\Temp\ImInstaller\IncrediMail\imloader.exe -product IncrediMail
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB003" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /O6 "USB003" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\fiifnbep.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [IM] C:\PROGRA~1\EARTHL~4\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20011217/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181004992187
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D68DAEED-C2A6-4C6F-9365-4676B173D8EF} (OcarptMain Class) - https://oca.microsoft.com/secure/OCARPT.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/netscape/TrueInstallNetscape.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
--
End of file - 11908 bytes
Thanks for your help
pskelley
2007-06-16, 13:58
Thanks but if you do not find and delete that file it will morph, rename itself and continue to cause you problems. Be sure you follow the directions to show hidded files and folder, the hackers hide the junk from you. Here is another look at those instructions:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {2B233300-F6CC-47CA-9A2F-72B2F9489175} - C:\WINDOWS\System32\jkkjh.dll (file missing)
O2 - BHO: Popup-Blocker Class - {52706EF7-D7A2-49AD-A615-E903858CF284} - C:\Program Files\NetZero\qsacc\X1IEBHO.dll (file missing)
O2 - BHO: (no name) - {7014FD60-D910-43E0-B737-2A065526112C} - C:\WINDOWS\system32\ssqpp.dll (file missing)
O2 - BHO: (no name) - {C7F4AD32-13EA-4542-AAB7-570D805A4614} - C:\WINDOWS\system32\lfdgmavm.dll
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\fiifnbep.dll",realset
Close all programs but HJT and all browser windows, then click on "Fix Checked"
RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\WINDOWS\system32\
fiifnbep.dll <<< delete that file
(If this file gives you trouble, use this tool and instructions)
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
(don't confuse this with your antivirus program, it is not the same thing)
Follow the directions in this link to run AVG Anti-Spyware, make sure you delete or quarantine anything it finds and save the scan report to post.
http://forums.security-central.us/showthread.php?t=3165
Post the AVG Avti-Spyware scan results and a new HJT log.
Thanks
lucemonkey
2007-06-18, 05:52
I was able to delete the file but had to use the delete at reboot tool. Here are the AVG & HiJack reports. In addition when I ran spybot last night I still had the smitfraud-c toolbar888.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:46:40 PM, on 06/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Netropa\OSD.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\hijack\HiJackThis_v2.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [IncredimailDownloader] C:\WINDOWS\DOWNLO~1\imloader.exe
O4 - HKLM\..\Run: [ImInstaller] C:\DOCUME~1\Dave\LOCALS~1\Temp\ImInstaller\IncrediMail\imloader.exe -product IncrediMail
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB003" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /O6 "USB003" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\fiifnbep.dll",realset
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [IM] C:\PROGRA~1\EARTHL~4\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2619313026-4217759621-2681017343-1003\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20011217/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181004992187
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D68DAEED-C2A6-4C6F-9365-4676B173D8EF} (OcarptMain Class) - https://oca.microsoft.com/secure/OCARPT.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/netscape/TrueInstallNetscape.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
--
End of file - 11733 bytes
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------
+ Created at: 5:46:20 PM 06/17/2007
+ Scan result:
HKLM\SOFTWARE\Esaya\TrueAssistant -> Adware.RogueSuspect : Cleaned.
HKU\S-1-5-21-2619313026-4217759621-2681017343-1006\Software\Esaya\TrueAssistant -> Adware.RogueSuspect : Cleaned.
HKU\S-1-5-21-2619313026-4217759621-2681017343-1006\Software\Esaya\TrueAssistant\Info -> Adware.RogueSuspect : Cleaned.
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1981\A0147783.dll -> Adware.Virtumonde : Cleaned.
C:\VundoFix Backups\nnnollj.dll.bad -> Adware.Virtumonde : Cleaned.
C:\System Volume Information\_restore{8513C62E-889D-4878-A5C3-816F635D0F0E}\RP1981\A0147805.exe -> Not-A-Virus.Downloader.Win32.WinFixer.x : Cleaned.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\dave@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq7.tmp -> TrackingCookie.Addynamix : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq8.tmp -> TrackingCookie.Clickzs : Cleaned.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\dave@vip2.clickzs[1].txt -> TrackingCookie.Clickzs : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq5.tmp -> TrackingCookie.Information : Cleaned.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\dave@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\dave@overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq9.tmp -> TrackingCookie.Revsci : Cleaned.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\dave@h.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\dave@try.starware[1].txt -> TrackingCookie.Starware : Cleaned.
C:\Program Files\Yahoo!\YPSR\Quarantine\ppq6.tmp -> TrackingCookie.Webtrends : Cleaned.
::Report end
pskelley
2007-06-18, 16:16
Thanks for returning you infrmation, another expert removes it manually:
http://forums.spybot.info/showthread.php?p=95943#post95943
If you use that method, backup your registry to be safe:
http://ts.mcafeehelp.com/faq3.asp?docid=68037
I believe it is benign and a false positive:
http://forums.spybot.info/showthread.php?t=8668
You can ask the Spybot experts here:
http://forums.spybot.info/forumdisplay.php?f=4
You have not removed this item yet:
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\fiifnbep.dll",realset
1) AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.
2) Remove the line with HJT first, then navigate to the file and delete it. If it will not delete then use the Delete on Reboot tool, it must be deleted.
C:\WINDOWS\system32\fiifnbep.dll <<< delete that file it is Vundo
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
3) You also need to:
C:\VundoFix Backups\ <<< delete Vundofix, backups
C:\Program Files\Yahoo!\YPSR\Quarantine\ <<< clean out the quarantine folder
We will clean System Restore before we finish.
Post a new log and let me know how the computer is running at that point.
Thanks
lucemonkey
2007-06-19, 01:40
I thought I had checked the 04-HKLM\..\Run:[GPLv3] rundll32.exe"C:\wWINDOWS\system32\fiifnbep.dll",realset. When I ran HJT I found it again and checked it off. I reran the scan and did not find it. I also checked for the C:\WINDOWS\System32\fiifnbep.dll file and could not find it today. I did use the delete and reboot to to remove it yesterday. The files lsited in #3 of your last post have been deleted.
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 2:29:04 PM, on 06/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\DELLMMKB.EXE
C:\WINDOWS\system32\atiptaxx.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\Netropa\OSD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\hijack\HiJackThis_v2.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;<local>
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [IncredimailDownloader] C:\WINDOWS\DOWNLO~1\imloader.exe
O4 - HKLM\..\Run: [ImInstaller] C:\DOCUME~1\Dave\LOCALS~1\Temp\ImInstaller\IncrediMail\imloader.exe -product IncrediMail
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [DellTouch] C:\WINDOWS\DELLMMKB.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] c:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [PPMemCheck] c:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [CookiePatrol] c:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB003" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE /P39 "EPSON Stylus Photo R300 Series (Copy 1)" /O6 "USB003" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [IM] C:\PROGRA~1\EARTHL~4\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Display All Images with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/228"
O8 - Extra context menu item: Display Image with Full Quality - "res://C:\Program Files\NetZero\qsacc\appres.dll/227"
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {9239E4EC-C9A6-11D2-A844-00C04F68D538} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20011217/qtinstall.info.apple.com/qt505/us/win/QuickTimeInstaller.exe
O16 - DPF: {4E888414-DB8F-11D1-9CD9-00C04F98436A} (Microsoft.WinRep) - https://webresponse.one.microsoft.com/oas/ActiveX/winrep.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1181004992187
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebSWK.cab
O16 - DPF: {9B03C5F1-F5AB-47EE-937D-A8EDA626F876} (Anonymizer Anti-Spyware Scanner) - http://download.zonelabs.com/bin/promotions/spywaredetector/WebAAS.cab
O16 - DPF: {A7E092C3-692A-11D0-A7E5-08002B322F3B} (WebResponseAttachments Control) - https://webresponse.one.microsoft.com/oas/ActiveX/FileXfer.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {D68DAEED-C2A6-4C6F-9365-4676B173D8EF} (OcarptMain Class) - https://oca.microsoft.com/secure/OCARPT.CAB
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O16 - DPF: {FEC3E5A3-50F7-4B0C-97D8-01CF69DFBFC7} (Measurement Service Client) - http://ccon.madonion.com/global/msc.cab
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitch.com/netscape/TrueInstallNetscape.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Netropa NHK Server (Nhksrv) - Unknown owner - C:\WINDOWS\Nhksrv.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
--
End of file - 11601 bytes
Thanks
pskelley
2007-06-19, 02:20
Looks good:bigthumb: how is it running, let's clean System Restore and finish like this.
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?Open&src=sec_doc_nam
AVG Anti-Spyware is a good program but it does use some resources. Once the trial is over you can update and use the scanner for as long as you wish, but unless you purchase it you should turn it off completely so it does not run unless you start it manually.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
Here is some great information from Tony Klein, Texruss, ChrisRLG and Grinler to help you stay clean and safe online:
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
lucemonkey
2007-06-19, 05:00
Thank you for your help on getting rid of the malware problem.:2thumb:
pskelley
2007-06-23, 14:01
As the problem appears to be resolved this topic has been closed.
If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Anyone else with similar problems please start a new topic.
Thanks...pskelley