Smitfraud and torpig



IFKSJOLD
2007-06-27, 13:26
Hey, having the same problems as everybody else with SMITFRAUD and TORPIG, I turn to you for assistance.

I have run about all possible virus checks and spyware progs that I could find :-)

XoftSpySE
AVG antivirus
AVG antispyware
Avast antivirus
Ad-aware SE
Ad-aware 2007

And Spybot

These can find and cure a lot of trouble, but I keep receiving SMITFRAUD and TORPIG, hijacking browsers, and avast keeps interrupting with trojan infections.


I have done what is told in the "before you post" and here is the info:

Did the eTrust Antivirus Web Scanner:

http://www.ca.com/us/securityadvisor/virusinfo/scan.aspx:

Scan Results: 151109 files scanned. 9 viruses were detected.

File                                Infection              Status    Path
A0011684.dll                        Win32/Vundo!generic    infected  C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\
A0011704.dll                        Win32/Chisyne!generic  infected  C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\
A0011716.dll                        Win32/Vundo!generic    infected  C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\
bmmbjsbd.dll                        Win32/Vundo!generic    infected  C:\WINDOWS\system32\
cgwymmpe.dll                        Win32/Vundo!generic    infected  C:\WINDOWS\system32\
hdlbrnrs.dll                        Win32/Vundo!generic    infected  C:\WINDOWS\system32\
mqdhhyhe.dll                        Win32/Vundo!generic    infected  C:\WINDOWS\system32\
pmnlk.dll                           Win32/Vundo!generic    infected  C:\WINDOWS\system32\
game.class-506f6b50-7a2baef5.class  Java/Figfub!exploit    infected  D:\Documents and Settings\Skjold Klub\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\

And asked for the site to fix it, then this came:

File                                Infection              Status       Path
A0011684.dll                        Win32/Vundo!generic    cannot cure  C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\
A0011704.dll                        Win32/Chisyne!generic  cannot cure  C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\
A0011716.dll                        Win32/Vundo!generic    cannot cure  C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\
bmmbjsbd.dll                        Win32/Vundo!generic    cannot cure  C:\WINDOWS\system32\
cgwymmpe.dll                        Win32/Vundo!generic    cannot cure  C:\WINDOWS\system32\
hdlbrnrs.dll                        Win32/Vundo!generic    cannot cure  C:\WINDOWS\system32\
mqdhhyhe.dll                        Win32/Vundo!generic    cannot cure  C:\WINDOWS\system32\
pmnlk.dll                           Win32/Vundo!generic    cannot cure  C:\WINDOWS\system32\
game.class-506f6b50-7a2baef5.class  Java/Figfub!exploit    cannot cure  D:\Documents and Settings\Skjold Klub\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\


Did the Trend Micro test: - Found a lot of errors etc and cleaned it, but not all could be cured....

Did the spybot in safe mode and was able to fix those problems I had troubles with before doing it in safe mode...

Ran Hijackthis in normal mode and came up with this: -

Logfile of HijackThis v1.99.1
Scan saved at 18:37:57, on 26-06-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\Programmer\Java\jre1.5.0_02\bin\jusched.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexStoreSvr.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=DK&range=AD&phase=6&key=SEARCH
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.dk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ifkskjold.dk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\dan.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ifkskjold.dk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ifkskjold.dk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - (no file)
O2 - BHO: (no name) - {6003C9B6-F909-4A63-B947-F38E4A365726} - C:\WINDOWS\system32\geeba.dll (file missing)
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\yayayvw.dll (file missing)
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\mqdhhyhe.dll",realset
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\dan.htm
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: geeba - C:\WINDOWS\system32\geeba.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing)
O20 - Winlogon Notify: yayayvw - yayayvw.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: NBService - Nero AG - C:\Programmer\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe

Can anyone help with getting rid of any trouble as well as check if this is done the right way??
Furthermore my cpu is hell slow at the moment....
Rasmus

Shaba
2007-06-28, 12:30
Hi IFKSJOLD

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

IFKSJOLD
2007-06-28, 15:22
Great, thank you :-)

Here is the VundoFix.txt:


VundoFix V6.5.1

Checking Java version...

Sun Java not detected
Scan started at 15:01:40 28-06-2007

Listing files found while scanning....

C:\windows\system32\ehyhhdqm.ini
C:\WINDOWS\system32\mqdhhyhe.dll

Beginning removal...

Attempting to delete C:\windows\system32\ehyhhdqm.ini
C:\windows\system32\ehyhhdqm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\mqdhhyhe.dll
C:\WINDOWS\system32\mqdhhyhe.dll Has been deleted!

Performing Repairs to the registry.
Done!

And here is the hijackthis.log:

Logfile of HijackThis v1.99.1
Scan saved at 15:18:13, on 28-06-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programmer\Java\jre1.5.0_02\bin\jusched.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\Programmer\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexStoreSvr.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=DK&range=AD&phase=6&key=SEARCH
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.dk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ifkskjold.dk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\dan.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ifkskjold.dk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ifkskjold.dk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6003C9B6-F909-4A63-B947-F38E4A365726} - (no file)
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\dan.htm
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: geeba - C:\WINDOWS\system32\geeba.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing)
O20 - Winlogon Notify: yayayvw - yayayvw.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: NBService - Nero AG - C:\Programmer\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe

Impressive that one can actually understand these logs ;-)

Shaba
2007-06-28, 15:39
Hi

You are using two antivirus programs, AVG and avast!

Uninstall one of them.

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: (no name) - {6003C9B6-F909-4A63-B947-F38E4A365726} - (no file)
O20 - Winlogon Notify: geeba - C:\WINDOWS\system32\geeba.dll (file missing)
O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing)
O20 - Winlogon Notify: yayayvw - yayayvw.dll (file missing)

Close all windows including browser and press fix checked.

Reboot.

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Post:

- a fresh HijackThis log
- kaspersky report
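
Added example, not part of the original posts: a small Python triage script that compares the two HijackThis logs above, listing the O2/O20 entries whose file is reported as "(no file)" or "(file missing)" and the entries that disappeared after the VundoFix run. The log excerpts are copied from this thread; the function names and the choice to key entries by their text up to the CLSID are assumptions of this sketch, and restricting the check to O2 and O20 simply mirrors the entries selected in the post above.

```python
import re

# Excerpts copied from the two HijackThis logs posted in this thread
# (before and after the VundoFix run); not the complete logs.
LOG_BEFORE = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - (no file)
O2 - BHO: (no name) - {6003C9B6-F909-4A63-B947-F38E4A365726} - C:\WINDOWS\system32\geeba.dll (file missing)
O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - C:\WINDOWS\system32\yayayvw.dll (file missing)
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\mqdhhyhe.dll",realset
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: geeba - C:\WINDOWS\system32\geeba.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing)
O20 - Winlogon Notify: yayayvw - yayayvw.dll (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

LOG_AFTER = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6003C9B6-F909-4A63-B947-F38E4A365726} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: geeba - C:\WINDOWS\system32\geeba.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winzdn32 - winzdn32.dll (file missing)
O20 - Winlogon Notify: yayayvw - yayayvw.dll (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")            # e.g. "O20 - Winlogon Notify: ..."
ORPHAN_RE = re.compile(r"\s*\((?:no file|file missing)\)\s*$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse(log_text):
    """Return (section, text) pairs for every 'Xn - ...' line of a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def orphaned(entries, sections=("O2", "O20")):
    """Entries in the given sections whose target file HijackThis could not find."""
    return [e for e in entries if e[0] in sections and ORPHAN_RE.search(e[1])]


def entry_key(entry):
    """Identity of a registration, independent of whether its file still exists.

    Assumption of this sketch: text up to and including the CLSID identifies
    the entry; without a CLSID, the text minus the file-state marker does.
    """
    section, text = entry
    m = CLSID_RE.search(text)
    ident = text[:m.end()] if m else ORPHAN_RE.sub("", text)
    return (section, ident.lower())


def removed_between(before, after):
    """Entries registered in the first log that are gone from the second."""
    after_keys = {entry_key(e) for e in after}
    return [e for e in before if entry_key(e) not in after_keys]


if __name__ == "__main__":
    before, after = parse(LOG_BEFORE), parse(LOG_AFTER)
    print("Removed since the first log:")
    for section, text in removed_between(before, after):
        print(f"  {section} - {text}")
    print("Still registered, but file not found (O2/O20):")
    for section, text in orphaned(after):
        print(f"  {section} - {text}")
```
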

IFKSJOLD
2007-06-28, 17:54
AVG uninstalled.

Did as told in Hijackthis.

The Kaspersky Online Scanner found about 46 viruses and 678 infected files. Quite a bunch. Here is the log from that check:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, June 28, 2007 5:47:19 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 28/06/2007
Kaspersky Anti-Virus database records: 354879
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
H:\

Scan Statistics:
Total number of scanned objects: 151395
Number of viruses found: 46
Number of infected objects: 678
Number of suspicious objects: 0
Duration of the scan process: 01:05:45

Infected Object Name / Virus Name / Last Action
C:\Programmer\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Programmer\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Programmer\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Programmer\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Programmer\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Programmer\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Programmer\Alwil Software\Avast4\DATA\report\Resident (overvågende) beskyttelse.txt Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_AGENT_LOG1.txt Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_AUDIO\CLML.db Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_AUDIO\CLML.db-journal Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_BINARY\CLML.db Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_BLOB\CLML.db Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_BLOB\CLML.db-journal Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_GLOBAL\CLML.db Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_GLOBAL\CLML.db-journal Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_IMAGE\CLML.db Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_IMAGE\CLML.db-journal Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_MAIN\CLML.db Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_MAIN\CLML.db-journal Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_TV\CLML.db Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_TV\CLML.db-journal Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_VIDEO\CLML.db Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_VIDEO\CLML.db-journal Object is locked skipped
C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\A0011849.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\A0011850.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\A0011851.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP70\A0014294.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP72\change.log Object is locked skipped
C:\VundoFix Backups\mqdhhyhe.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\kstmhp.sys Infected: Trojan.Win32.KillAV.ka skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\tuvtroo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wmfptc32.dll Infected: Trojan.Win32.KillAV.ka skipped
C:\WINDOWS\system32\wmfptc32.dl_/ Infected: Trojan.Win32.KillAV.ka skipped
C:\WINDOWS\system32\wmfptc32.dl_ MS Expand: infected - 1 skipped
C:\WINDOWS\TEMP\$_2341233.TMP Object is locked skipped
C:\WINDOWS\TEMP\$_2341234.TMP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_4cc.dat Object is locked skipped
C:\WINDOWS\TEMP\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Documents and Settings\LocalService\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Lokale indstillinger\Temp\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Lokale indstillinger\Temp\Oversigt\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Lokale indstillinger\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\Skjold Klub\.housecall6.6\Quarantine\A0011626.exe.bac_a02076 Infected: Trojan-Downloader.Win32.Tiny.gx skipped
D:\Documents and Settings\Skjold Klub\.housecall6.6\Quarantine\A0011684.dll.bac_a02076 Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
D:\Documents and Settings\Skjold Klub\.housecall6.6\Quarantine\A0011704.dll.bac_a02076 Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
D:\Documents and Settings\Skjold Klub\.housecall6.6\Quarantine\A0011716.dll.bac_a02076 Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
D:\Documents and Settings\Skjold Klub\.housecall6.6\Quarantine\bmmbjsbd.dll.bac_a02076 Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
D:\Documents and Settings\Skjold Klub\.housecall6.6\Quarantine\cgwymmpe.dll.bac_a02076 Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
D:\Documents and Settings\Skjold Klub\.housecall6.6\Quarantine\CMEIIAPI.dll.bac_a02076 Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
D:\Documents and Settings\Skjold Klub\.housecall6.6\Quarantine\CMESys.exe.bac_a02076 Infected: not-a-virus:AdWare.Win32.Gator.6034 skipped
D:\Documents and Settings\Skjold Klub\.housecall6.6\Quarantine\FS1066.CAB.bac_a02076/A0146160.CPY Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
D:\Documents and Settings\Skjold Klub\.housecall6.6\Quarantine\FS1066.CAB.bac_a02076/A0146161.CPY/wbhshare.dll Infected: not-a-virus:AdWare.Win32.WebHancer.214 skipped
D:\Documents and Settings\Skjold Klub\.housecall6.6\Quarantine\FS1066.CAB.bac_a02076/A0146161.CPY/Webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
D:\Documents and Settings\Skjold Klub\.housecall6.6\Quarantine\FS1066.CAB.bac_a02076/A0146161.CPY/WhAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.214 skipped
D:\Documents and Settings\Skjold Klub\.housecall6.6\Quarantine\FS1066.CAB.bac_a02076/A0146161.CPY/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.214 skipped
D:\Documents and Settings\Skjold Klub\.housecall6.6\Quarantine\FS1066.CAB.bac_a02076/A0146161.CPY/whieshm.dll Infected: not-a-virus:AdWare.Win32.WebHancer.214 skipped
D:\Documents and Settings\Skjold Klub\.housecall6.6\Quarantine\FS1066.CAB.bac_a02076/A0146161.CPY/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.214 skipped
D:\Documents and Settings\Skjold Klub\.housecall6.6\Quarantine\FS1066.CAB.bac_a02076/A0146161.CPY Infected: not-a-virus:AdWare.Win32.WebHancer.214 skipped
D:\Documents and Settings\Skjold Klub\.housecall6.6\Quarantine\FS1066.CAB.bac_a02076/A0146168.CPY/data0004/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
D:\Documents and Settings\Skjold Klub\.housecall6.6\Quarantine\FS1066.CAB.bac_a02076/A0146168.CPY/data0004/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped

IFKSJOLD
2007-06-28, 17:55

IFKSJOLD
2007-06-28, 17:56

IFKSJOLD
2007-06-28, 17:57
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110792.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110792.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110793.CPY/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110793.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110793.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110794.CPY/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110794.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110794.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110795.CPY/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110795.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110795.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110796.CPY/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110796.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110796.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110797.CPY/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110797.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110797.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110798.CPY/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110798.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110798.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110799.CPY/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110799.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110799.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110800.CPY/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110800.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110800.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110801.CPY/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110801.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110801.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110802.CPY/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110802.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110802.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110803.CPY/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110803.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110803.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110804.CPY/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110804.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110804.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110805.CPY/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110805.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110805.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110806.CPY/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110806.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110806.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110807.CPY/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110807.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110807.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110808.CPY/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110808.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110808.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110809.CPY/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110809.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110809.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110810.CPY/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110810.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110810.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110811.CPY/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110811.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110811.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110812.CPY/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110812.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110812.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110813.CPY/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110813.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110813.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110814.CPY/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110814.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110814.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110815.CPY/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110815.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110815.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110816.CPY/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110816.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110816.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110817.CPY/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110817.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110817.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110818.CPY/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110818.CPY/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped
F:\_RESTORE\ARCHIVE\FS792.CAB/A0110818.CPY Infected: not-a-virus:AdWare.Win32.SaveNow.ah skipped

IFKSJOLD
2007-06-28, 17:58

IFKSJOLD
2007-06-28, 17:59
F:\_RESTORE\ARCHIVE\FS1348.CAB CAB: infected - 3 skipped
F:\WINDOWS\TEMP\SaveNow\SaveNowInst.exe/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.aa skipped
F:\WINDOWS\TEMP\SaveNow\SaveNowInst.exe/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
F:\WINDOWS\TEMP\SaveNow\SaveNowInst.exe CAB: infected - 2 skipped
F:\WINDOWS\TEMP\pacificpokersetup.exe/WISE0571.BIN Infected: not-a-virus:AdWare.Win32.Casino.o skipped
F:\WINDOWS\TEMP\pacificpokersetup.exe WiseSFX: infected - 1 skipped
F:\WINDOWS\Temporary Internet Files\Content.IE5\65Y397UD\a579a07a[1].js Infected: Trojan-Downloader.JS.Small.af skipped
F:\WINDOWS\NDNuninstall4_34.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\WINDOWS\NDNuninstall4_80.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\WINDOWS\NDNuninstall4_88.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\WINDOWS\NDNuninstall5_20.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\WINDOWS\NDNuninstall5_40.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\WINDOWS\NDNuninstall6_10.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\WINDOWS\NDNuninstall6_22.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\WINDOWS\NDNuninstall6_30.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.g skipped
F:\Programmer\Internet Explorer\PLUGINS\NPONFLOW.DLL Infected: not-a-virus:AdWare.Win32.OnFlow skipped
F:\Programmer\Internet Explorer\PLUGINS\onflowreport.exe Infected: not-a-virus:AdWare.Win32.OnFlow skipped
F:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\A0011852.dll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
F:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\A0011854.dll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
F:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\A0011855.dll Infected: not-a-virus:AdWare.Win32.Gator.3124 skipped
F:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\A0011856.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
F:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\A0011857.exe Infected: not-a-virus:AdWare.Win32.Gator.6034 skipped
F:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\A0011858.dll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
F:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\A0011861.dll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
F:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\A0011862.dll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
F:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\A0011863.dll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
F:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\A0011864.dll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
F:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\A0011865.dll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
F:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\A0011866.dll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
F:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP72\change.log Object is locked skipped

Scan process completed.

IFKSJOLD
2007-06-28, 18:01
And the HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 17:49:25, on 28-06-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\Programmer\Java\jre1.5.0_02\bin\jusched.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=DK&range=AD&phase=6&key=SEARCH
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.dk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ifkskjold.dk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\dan.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ifkskjold.dk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ifkskjold.dk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\dan.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: NBService - Nero AG - C:\Programmer\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe

End of that :-)

Again that was a great load, I'm really sorry for this lot....

Shaba
2007-06-28, 18:02
Hi

First I have to ask, is F drive some kind of backup drive?

Because it seems to contain system restore files from Win ME.

IFKSJOLD
2007-06-29, 13:44
Hi.

I actually have no idea.... I believe that they are just 3 harddisks put into one cpu to keep important documents and pics from older cpus. That is what I wanted, but if there was some higher meaning I don't know (though I don't think there was).

The system I'm running with now should be XP so the ME files I have no clue about... But I know that other harddisks have been added to the cpu for above reasons. Maybe it's just system files from the old cpu???

If it is possible I believe it is deletable....

Shaba
2007-06-29, 13:48
Hi

Ok, then you don't need to scan f: drive again :)

Empty this folder:

D:\Documents and Settings\Skjold Klub\.housecall6.6\Quarantine

Delete these:

C:\WINDOWS\system32\drivers\kstmhp.sys
C:\WINDOWS\system32\tuvtroo.dll
C:\WINDOWS\system32\wmfptc32.dll
C:\WINDOWS\system32\wmfptc32.dl_/

Empty Recycle Bin

Re-scan with kaspersky (c: and d: drives only)

Post:

- a fresh HijackThis log
- kaspersky report

IFKSJOLD
2007-06-29, 15:15
Did as told

When I was about to delete the C:\WINDOWS\system32\wmfptc32.dll avast prompted me with this one and removed it to the virus chest. Though all is deleted as you told me to....

The Kaspersky check:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, June 29, 2007 3:09:20 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 29/06/2007
Kaspersky Anti-Virus database records: 355352
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 59471
Number of viruses found: 6
Number of infected objects: 11
Number of suspicious objects: 0
Duration of the scan process: 00:35:59

Infected Object Name / Virus Name / Last Action
C:\Programmer\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Programmer\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Programmer\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Programmer\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Programmer\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Programmer\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Programmer\Alwil Software\Avast4\DATA\report\Resident (overvågende) beskyttelse.txt Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_AGENT_LOG1.txt Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_AUDIO\CLML.db Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_AUDIO\CLML.db-journal Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_BINARY\CLML.db Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_BLOB\CLML.db Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_BLOB\CLML.db-journal Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_GLOBAL\CLML.db Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_GLOBAL\CLML.db-journal Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_IMAGE\CLML.db Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_IMAGE\CLML.db-journal Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_MAIN\CLML.db Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_MAIN\CLML.db-journal Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_TV\CLML.db Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_TV\CLML.db-journal Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_VIDEO\CLML.db Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_VIDEO\CLML.db-journal Object is locked skipped
C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\A0011849.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\A0011850.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\A0011851.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP70\A0014294.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP72\A0015420.dll Infected: Trojan.Win32.KillAV.ka skipped
C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP72\A0015421.sys Infected: Trojan.Win32.KillAV.ka skipped
C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP72\A0015422.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP72\change.log Object is locked skipped
C:\VundoFix Backups\mqdhhyhe.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\pmnlk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\$_2341233.TMP Object is locked skipped
C:\WINDOWS\TEMP\$_2341234.TMP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_4c8.dat Object is locked skipped
C:\WINDOWS\TEMP\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Documents and Settings\LocalService\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Lokale indstillinger\Temp\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Lokale indstillinger\Temp\Oversigt\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Lokale indstillinger\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Lokale indstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\Skjold Klub\Application Data\ѕymbols\lsass.exe Infected: Trojan-Downloader.Win32.PurityScan.ej skipped
D:\Documents and Settings\Skjold Klub\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\Skjold Klub\Lokale indstillinger\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
D:\Documents and Settings\Skjold Klub\Lokale indstillinger\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
D:\Documents and Settings\Skjold Klub\Lokale indstillinger\Application Data\Identities\{D757A92D-FEAD-48EB-9171-C90B8CB15712}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
D:\Documents and Settings\Skjold Klub\Lokale indstillinger\Application Data\Identities\{D757A92D-FEAD-48EB-9171-C90B8CB15712}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
D:\Documents and Settings\Skjold Klub\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\Skjold Klub\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\Skjold Klub\Lokale indstillinger\Oversigt\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Skjold Klub\Lokale indstillinger\Oversigt\History.IE5\MSHist012007062920070630\index.dat Object is locked skipped
D:\Documents and Settings\Skjold Klub\Lokale indstillinger\Temp\~DFBC39.tmp Object is locked skipped
D:\Documents and Settings\Skjold Klub\Lokale indstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Skjold Klub\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\Skjold Klub\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\Skjold Klub\UserData\index.dat Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP66\A0011635.exe Infected: Trojan-Downloader.Win32.Agent.brf skipped
D:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP72\change.log Object is locked skipped

Scan process completed.

IFKSJOLD
2007-06-29, 15:16
Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 15:10:54, on 29-06-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Java\jre1.5.0_02\bin\jusched.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Programmer\Fælles filer\Real\Update_OB\RealOneMessageCenter.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=DK&range=AD&phase=6&key=SEARCH
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.dk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ifkskjold.dk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\dan.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ifkskjold.dk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ifkskjold.dk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\dan.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: NBService - Nero AG - C:\Programmer\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe

IFKSJOLD
2007-06-29, 15:59
Just out of curiosity I'm doing a scan on Kaspersky with the F: and it seems as if all the viruses are there. I can post a Kaspersky report on request to see if it has anything to do with the rest or if it is harmless stuff.....

Shaba
2007-06-29, 18:57
Hi

"Just out of curiosity I'm doing a scan on Kaspersky with the F: and it seems as if all the viruses are there"

There are viruses but they're in ME system restore in backups and inactive. So, those really don't matter :)

You can delete this folder if you like to:

F:\_RESTORE

And empty this folder:

F:\WINDOWS\TEMP

Empty this folder:

C:\VundoFix Backups\

Delete these:

D:\Documents and Settings\Skjold Klub\Application Data\ѕymbols\
C:\WINDOWS\system32\pmnlk.dll

Empty Recycle Bin.

Re-scan with kaspersky.

Post:

- a fresh HijackThis log
- kaspersky report
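
The triage in the reply above (detections inside System Restore archives and tool backups are inactive copies, the remaining live files are the ones to delete) can be applied mechanically to a Kaspersky Online Scanner report. The Python below is an added example, not part of the thread or of any tool named in it; the location buckets, flag names and the list of system process names are assumptions, and one sample path is written with an explicit U+0455 first letter so the mixed-script check has input.

```python
import re
import unicodedata
from collections import Counter

# Sample lines in the report format posted in this thread. The "<U+0455>"
# placeholder is an assumption made for this example: it is swapped for a
# Cyrillic letter that looks like a Latin "s".
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP72\A0015420.dll Infected: Trojan.Win32.KillAV.ka skipped
C:\VundoFix Backups\mqdhhyhe.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\WINDOWS\system32\pmnlk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
D:\Documents and Settings\Skjold Klub\Application Data\<U+0455>ymbols\lsass.exe Infected: Trojan-Downloader.Win32.PurityScan.ej skipped
F:\_RESTORE\ARCHIVE\FS882.CAB/A0115900.CPY Infected: not-a-virus:AdWare.Win32.NewDotNet.g skipped
F:\_RESTORE\ARCHIVE\FS882.CAB CAB: infected - 1 skipped
""".replace("<U+0455>", "\u0455")

# One report line: path, then a detection, a lock notice or a container summary.
LINE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<name>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<container>\w+: infected - \d+)) skipped$"
)

# Process names that normally run from \WINDOWS\system32 (assumed list).
SYSTEM_NAMES = {"lsass.exe", "svchost.exe", "winlogon.exe",
                "services.exe", "smss.exe", "spoolsv.exe"}


def location(path):
    """Bucket a path by whether the file can run or is only a stored copy."""
    p = path.lower()
    if "\\system volume information\\_restore{" in p or "\\_restore\\archive\\" in p:
        return "restore-point"      # XP and Windows ME System Restore stores
    if "\\vundofix backups\\" in p:
        return "tool-backup"        # copy kept by a removal tool
    if "\\temp\\" in p or "\\temporary internet files\\" in p:
        return "temp-cache"
    return "live"


def masquerades(path):
    """True when a system process name sits outside \\WINDOWS\\system32."""
    outer = path.split("/")[0]      # archive members follow a "/"
    folder, _, name = outer.rpartition("\\")
    return (name.lower() in SYSTEM_NAMES
            and not folder.lower().endswith("\\windows\\system32"))


def mixed_script_components(path):
    """Path components whose letters come from more than one script."""
    hits = []
    for part in re.split(r"[\\/]", path):
        scripts = {unicodedata.name(c, "UNKNOWN").split()[0]
                   for c in part if c.isalpha()}
        if len(scripts) > 1:
            hits.append(part)
    return hits


def triage(report):
    """Return one record per detection; locked files and summaries are skipped."""
    findings = []
    for line in report.splitlines():
        m = LINE.match(line.strip())
        if not m or not m.group("name"):
            continue
        path = m.group("path")
        flags = []
        if masquerades(path):
            flags.append("system-name-outside-system32")
        if mixed_script_components(path):
            flags.append("mixed-script-path")
        findings.append({"path": path, "detection": m.group("name"),
                         "location": location(path), "flags": flags})
    return findings


def summary(findings):
    """Count detections per location bucket."""
    return Counter(f["location"] for f in findings)


if __name__ == "__main__":
    results = triage(SAMPLE_REPORT)
    print(dict(summary(results)))
    for f in results:
        if f["location"] == "live":
            print(f["detection"], f["path"], f["flags"])
```
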

IFKSJOLD
2007-07-02, 15:55
Incredible that I had to go to page 9 to find the thread, you people are doing awesome work....

Did as told.

New Kaspersky test:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, July 02, 2007 3:51:06 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 2/07/2007
Kaspersky Anti-Virus database records: 356778
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 59552
Number of viruses found: 7
Number of infected objects: 11
Number of suspicious objects: 0
Duration of the scan process: 00:36:45

Infected Object Name / Virus Name / Last Action
C:\Programmer\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Programmer\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Programmer\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Programmer\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Programmer\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Programmer\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Programmer\Alwil Software\Avast4\DATA\report\Resident (overvågende) beskyttelse.txt Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_AGENT_LOG1.txt Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_AUDIO\CLML.db Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_AUDIO\CLML.db-journal Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_BINARY\CLML.db Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_BLOB\CLML.db Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_BLOB\CLML.db-journal Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_GLOBAL\CLML.db Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_GLOBAL\CLML.db-journal Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_IMAGE\CLML.db Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_IMAGE\CLML.db-journal Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_MAIN\CLML.db Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_MAIN\CLML.db-journal Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_TV\CLML.db Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_TV\CLML.db-journal Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_VIDEO\CLML.db Object is locked skipped
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLML_VIDEO\CLML.db-journal Object is locked skipped
C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\A0011683.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\A0011849.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\A0011850.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\A0011851.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP70\A0014294.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP72\A0015420.dll Infected: Trojan.Win32.KillAV.ka skipped
C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP72\A0015421.sys Infected: Trojan.Win32.KillAV.ka skipped
C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP72\A0015422.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP73\A0015437.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP73\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\$_2341233.TMP Object is locked skipped
C:\WINDOWS\TEMP\$_2341234.TMP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_4e8.dat Object is locked skipped
C:\WINDOWS\TEMP\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Documents and Settings\LocalService\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Lokale indstillinger\Temp\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Lokale indstillinger\Temp\Oversigt\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Lokale indstillinger\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Lokale indstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\Skjold Klub\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\Skjold Klub\Lokale indstillinger\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
D:\Documents and Settings\Skjold Klub\Lokale indstillinger\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
D:\Documents and Settings\Skjold Klub\Lokale indstillinger\Application Data\Identities\{D757A92D-FEAD-48EB-9171-C90B8CB15712}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
D:\Documents and Settings\Skjold Klub\Lokale indstillinger\Application Data\Identities\{D757A92D-FEAD-48EB-9171-C90B8CB15712}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
D:\Documents and Settings\Skjold Klub\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\Skjold Klub\Lokale indstillinger\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\Skjold Klub\Lokale indstillinger\Oversigt\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Skjold Klub\Lokale indstillinger\Oversigt\History.IE5\MSHist012007070220070703\index.dat Object is locked skipped
D:\Documents and Settings\Skjold Klub\Lokale indstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Skjold Klub\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\Skjold Klub\ntuser.dat.LOG Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP66\A0011635.exe Infected: Trojan-Downloader.Win32.Agent.brf skipped
D:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP73\A0015440.exe Infected: Trojan-Downloader.Win32.PurityScan.ej skipped
D:\System Volume Information\_restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP73\change.log Object is locked skipped

Scan process completed.

IFKSJOLD
2007-07-02, 15:56
New Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 15:52:14, on 02-07-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Programmer\Java\jre1.5.0_02\bin\jusched.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=DK&range=AD&phase=6&key=SEARCH
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.dk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ifkskjold.dk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\dan.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ifkskjold.dk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ifkskjold.dk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\dan.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: NBService - Nero AG - C:\Programmer\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe

Rasmus :-)

Shaba
2007-07-02, 15:58
Hi

Yes, we're busy :D:

Logs look good.

All viruses are in System Restore and inactive at the moment.

I'll give you instructions later on how to empty it.

Other than that, any problems left?
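
The reading above (every detection in the Kaspersky report sits inside a System Restore point) can be checked mechanically. This is an added example, not part of the original thread: Python that parses lines in that report's "Infected Object Name / Virus Name / Last Action" layout and separates detections under `_restore{...}\RPnn\` from detections elsewhere and from locked objects that were skipped. The sample lines, paths, GUID and detection names are constructed, and the function names are this example's own.

```python
import re
from typing import NamedTuple, Optional


class Entry(NamedTuple):
    path: str
    detection: Optional[str]  # None: object was locked and skipped
    action: str


# "<path> Infected: <name> <action>"  or  "<path> Object is locked <action>"
# Paths may contain spaces, so the path is matched lazily up to the status text.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?) "
    r"(?:Infected: (?P<detection>\S+)|Object is locked) "
    r"(?P<action>\S+)$"
)

# Windows XP System Restore store: <drive>:\System Volume Information\_restore{GUID}\RPnn\
RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]{36}\}\\RP\d+\\"
)

# Constructed sample in the report's layout (not lines from the thread).
SAMPLE_REPORT = r"""
D:\Documents and Settings\Example User\NTUSER.DAT Object is locked skipped
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.exe Infected: Trojan-Downloader.Win32.Example.a skipped
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP2\A0000002.dll Infected: not-a-virus:AdWare.Win32.Example.b skipped
D:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP2\change.log Object is locked skipped
C:\WINDOWS\Temp\$_0000001.TMP Object is locked skipped
C:\WINDOWS\system32\example.dll Infected: not-a-virus:AdWare.Win32.Example.b skipped
"""


def parse_report(text):
    """Return one Entry per recognisable result line; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["path"], m["detection"], m["action"]))
    return entries


def triage(entries):
    """Split entries into restore-point detections, live detections, locked objects."""
    result = {"restore_point": [], "live": [], "locked": []}
    for e in entries:
        if e.detection is None:
            # Locked objects were skipped: the report gives no verdict for them.
            result["locked"].append(e)
        elif RESTORE_RE.match(e.path):
            result["restore_point"].append(e)
        else:
            result["live"].append(e)
    return result


def summary(entries):
    """Counts to compare with the report's own 'Scan Statistics' block."""
    infected = [e for e in entries if e.detection]
    return {
        "infected_objects": len(infected),
        "distinct_detections": len({e.detection for e in infected}),
    }


def only_in_restore(entries):
    """True when there is at least one detection and none lies outside a restore point."""
    t = triage(entries)
    return bool(t["restore_point"]) and not t["live"]


if __name__ == "__main__":
    parsed = parse_report(SAMPLE_REPORT)
    groups = triage(parsed)
    print(summary(parsed))
    for label in ("live", "restore_point", "locked"):
        print(f"{label}: {len(groups[label])}")
        for e in groups[label]:
            print(f"  {e.path}  [{e.detection or 'not scanned'}]")
    print("all detections confined to System Restore:", only_in_restore(parsed))
```

Locked objects are listed separately because the scanner skipped them, so the report says nothing about their content.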

IFKSJOLD
2007-07-02, 16:45
The CPU seems rather slow (not as much as it has been) but it might just be me remembering it faster. Don't worry about that problem...:-)

When running Spybot it still registers SMITFRAUD-C.TOOLBAR888, TORPIG and some tracking cookies.

When I run XoftSpySE it registers TORPIG and a bunch of other moderate/low risk stuff (cookies). Something called WIN32.SALITY.X (type: Registry Value) is checked as a severe risk together with TORPIG.

A quick AVG Anti-Spyware finds 9 tracking cookies.

Don't know if it's what you called inactive viruses and I can try and post some logs on it if you need it?

Shaba
2007-07-02, 16:47
Hi

Please post the Spybot report here then :)

Don't worry about tracking cookies.

IFKSJOLD
2007-07-02, 17:06
Spybot log (found in previous check reports). This is the most recent check done after I did as posted and the one finding the further problems.

02.07.2007 16:10:44 - ##### check started #####
02.07.2007 16:10:44 - ### Version: 1.4
02.07.2007 16:10:44 - ### Date: 02-07-2007 16:10:44
02.07.2007 16:10:45 - ##### checking bots #####
02.07.2007 16:14:07 - found: Smitfraud-C.Toolbar888 Settings
02.07.2007 16:17:24 - found: Torpig Temporary file
02.07.2007 16:17:24 - found: Torpig Temporary file
02.07.2007 16:21:01 - found: Avenue A, Inc. Tracking cookie (Internet Explorer: Skjold Klub)
02.07.2007 16:21:09 - found: Statcounter Tracking cookie (Internet Explorer: Skjold Klub)
02.07.2007 16:21:16 - ##### check finished #####

and this one a bit longer:


--- Report generated: 2007-07-02 16:21 ---

Smitfraud-C.Toolbar888: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2691327672-3628651169-961296325-1006\Software\Microsoft\aldd

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341234.TMP

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341233.TMP

Avenue A, Inc.: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


Statcounter: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-06-25 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-06-27 Includes\Cookies.sbi (*)
2007-05-30 Includes\Dialer.sbi (*)
2007-06-27 Includes\DialerC.sbi (*)
2007-06-20 Includes\Hijackers.sbi (*)
2007-06-27 Includes\HijackersC.sbi (*)
2007-06-27 Includes\Keyloggers.sbi (*)
2007-06-27 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-06-20 Includes\Malware.sbi (*)
2007-06-27 Includes\MalwareC.sbi (*)
2007-03-21 Includes\PUPS.sbi (*)
2007-06-27 Includes\PUPSC.sbi (*)
2007-06-27 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-06-27 Includes\SecurityC.sbi (*)
2007-06-20 Includes\Spybots.sbi (*)
2007-06-27 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-06-27 Includes\Trojans.sbi (*)
2007-06-27 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll

Shaba
2007-07-02, 17:30
Hi

First we'll need to back up the registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save the text below as fix.reg in Notepad (save it as type All Files (*.*)) on the Desktop

Windows Registry Editor Version 5.00

[-HKEY_USERS\S-1-5-21-2691327672-3628651169-961296325-1006\Software\Microsoft\aldd]

It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif

Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)

Empty this folder:

C:\WINDOWS\Temp\

Empty Recycle Bin

Re-scan with spybot

Post a fresh spybot report.

IFKSJOLD
2007-07-03, 11:48
Doing fine until the "empty C:\WINDOWS\Temp\"

It can delete some but not these files

C:\WINDOWS\Temp\_avast4_\Webshlock
C:\WINDOWS\Temp\Perflib_Perfdata_4e8 (video cd film-file)
C:\WINDOWS\Temp\$_2341233.TMP
C:\WINDOWS\Temp\$_2341234.TMP

What to do then???

Shaba
2007-07-03, 18:57
Hi

Please download the Killbox (http://download.bleepingcomputer.com/spyware/KillBox.exe).
Save it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\Temp\$_2341233.TMP
C:\WINDOWS\Temp\$_2341234.TMP

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Empty this folder:

C:\!KillBox

Empty Recycle Bin

Then just move on, please :)

IFKSJOLD
2007-07-04, 11:48
Hi

Got Killbox, ran it, deleted the files and did as told...
Though no Pending Operations prompt.

Restarted (files are gone :))

Emptied Killbox folder and recycle bin

The Spybot search finds both Virtumonde and Torpig :sad: (the smitfraud seems to be gone).

Here's the log from Spybot (probably with too much info but I forgot to uncheck some of the report options :)):


--- Search result list ---
Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341234.TMP

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341233.TMP

Virtumonde: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2691327672-3628651169-961296325-1006\Software\Microsoft\aldd

Avenue A, Inc.: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


Statcounter: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


Advertising.com: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


Tradedoubler: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


TagASaurus: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-06-25 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-07-03 Includes\Cookies.sbi (*)
2007-05-30 Includes\Dialer.sbi (*)
2007-07-03 Includes\DialerC.sbi (*)
2007-06-20 Includes\Hijackers.sbi (*)
2007-07-03 Includes\HijackersC.sbi (*)
2007-06-27 Includes\Keyloggers.sbi (*)
2007-07-03 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-06-20 Includes\Malware.sbi (*)
2007-07-03 Includes\MalwareC.sbi (*)
2007-03-21 Includes\PUPS.sbi (*)
2007-07-03 Includes\PUPSC.sbi (*)
2007-07-03 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-07-03 Includes\SecurityC.sbi (*)
2007-06-20 Includes\Spybots.sbi (*)
2007-07-03 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-07-03 Includes\Trojans.sbi (*)
2007-07-03 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll



--- System information ---
Windows XP (Build: 2600) Service Pack 2


--- Startup entries list ---
Located: HK_LM:Run, !AVG Anti-Spyware
command: "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
file: C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
size: 6731312
MD5: cc6bc45dd5a58158645e7fb2953604fe

Located: HK_LM:Run, avast!
command: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
file: C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
size: 75392
MD5: 41b88784128c1eb3a24a928ce58b2455

Located: HK_LM:Run, PHIME2002A
command: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
file: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
size: 455168
MD5: 024dc0f68df5fd6ae9dd82dfbaf479d6

Located: HK_LM:Run, PHIME2002ASync
command: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
file: C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE
size: 455168
MD5: 024dc0f68df5fd6ae9dd82dfbaf479d6

Located: HK_LM:Run, QuickTime Task
command: "C:\Programmer\QuickTime\qttask.exe" -atboottime
file: C:\Programmer\QuickTime\qttask.exe
size: 98304
MD5: 76a3a30b58405c2c6d833895253a51a9

Located: HK_LM:Run, SoundMan
command: SOUNDMAN.EXE
file: C:\WINDOWS\SOUNDMAN.EXE
size: 77824
MD5: 63657c6e0df49bbaabf6f5800bcb5479

Located: HK_LM:Run, SunJavaUpdateSched
command: C:\Programmer\Java\jre1.5.0_02\bin\jusched.exe
file: C:\Programmer\Java\jre1.5.0_02\bin\jusched.exe
size: 36975
MD5: 1f6573d67dd5dc06dd29ec7fcf81dc6f

Located: HK_LM:Run, TkBellExe
command: "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
file: C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
size: 180269
MD5: 77ed13fd3196ebc7311ccd6899c7488c

Located: HK_CU:Run, BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
command: "C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe"
file: C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe
size: 153136
MD5: 59d9856cd1420e2af778821b7e1b81d0

Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll

Located: System.ini, ScCertProp
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, Schedule
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, termsrv
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, WgaLogon
command: WgaLogon.dll
file: WgaLogon.dll

Located: System.ini, wlballoon
command: wlnotify.dll
file: wlnotify.dll



--- Browser helper object list ---
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
BHO name:
CLSID name: Adobe PDF Reader Link Helper
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 22-10-2006 23:08:42
Date (last access): 04-07-2007 11:08:02
Date (last write): 22-10-2006 23:08:42
Filesize: 62080
Attributes: archive
MD5: C11F6A1F61481E24BE3FDC06EA6F7D2A
CRC32: E388508F
Version: 8.0.0.456

{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 25-06-2007 17:35:52
Date (last access): 04-07-2007 11:08:06
Date (last write): 31-05-2005 01:04:00
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0

IFKSJOLD
2007-07-04, 11:54
Well, found these instead....

04.07.2007 11:27:29 - ##### check started #####
04.07.2007 11:27:29 - ### Version: 1.4
04.07.2007 11:27:29 - ### Date: 04-07-2007 11:27:29
04.07.2007 11:27:30 - ##### checking bots #####
04.07.2007 11:35:09 - found: Torpig Temporary file
04.07.2007 11:35:10 - found: Torpig Temporary file
04.07.2007 11:38:36 - found: Virtumonde Settings
04.07.2007 11:39:11 - found: Avenue A, Inc. Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 11:39:19 - found: Statcounter Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 11:39:24 - found: Advertising.com Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 11:39:24 - found: Tradedoubler Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 11:39:25 - found: TagASaurus Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 11:39:27 - ##### check finished #####

and this one:


--- Report generated: 2007-07-04 11:39 ---

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341234.TMP

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341233.TMP

Virtumonde: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-2691327672-3628651169-961296325-1006\Software\Microsoft\aldd

Avenue A, Inc.: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


Statcounter: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


Advertising.com: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


Tradedoubler: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


TagASaurus: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2007-06-25 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-01-02 Tools.dll (2.0.1.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-07-03 Includes\Cookies.sbi (*)
2007-05-30 Includes\Dialer.sbi (*)
2007-07-03 Includes\DialerC.sbi (*)
2007-06-20 Includes\Hijackers.sbi (*)
2007-07-03 Includes\HijackersC.sbi (*)
2007-06-27 Includes\Keyloggers.sbi (*)
2007-07-03 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2007-06-20 Includes\Malware.sbi (*)
2007-07-03 Includes\MalwareC.sbi (*)
2007-03-21 Includes\PUPS.sbi (*)
2007-07-03 Includes\PUPSC.sbi (*)
2007-07-03 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-07-03 Includes\SecurityC.sbi (*)
2007-06-20 Includes\Spybots.sbi (*)
2007-07-03 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2007-07-03 Includes\Trojans.sbi (*)
2007-07-03 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll

Let me know if you need the long one which include all the Spybot report options.

Shaba
2007-07-04, 12:02
Hi

First we'll need to backup registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save text below as fix.reg on Notepad (save it as all files (*.*)) on Desktop

Windows Registry Editor Version 5.00

[-HKEY_USERS\S-1-5-21-2691327672-3628651169-961296325-1006\Software\Microsoft\aldd]

It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif

Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)

Please download the OTMoveIt by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe).

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


C:\WINDOWS\Temp\$_2341234.TMP
C:\WINDOWS\Temp\$_2341233.TMP


Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Re-scan with spybot

Post a fresh spybot report.

IFKSJOLD
2007-07-04, 12:38
04.07.2007 12:17:51 - ##### check started #####
04.07.2007 12:17:51 - ### Version: 1.4
04.07.2007 12:17:51 - ### Date: 04-07-2007 12:17:51
04.07.2007 12:17:52 - ##### checking bots #####
04.07.2007 12:24:16 - found: Torpig Temporary file
04.07.2007 12:24:16 - found: Torpig Temporary file
04.07.2007 12:27:43 - found: Statcounter Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 12:27:47 - found: Advertising.com Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 12:27:47 - found: Tradedoubler Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 12:27:48 - found: TagASaurus Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 12:27:49 - ##### check finished #####


--- Report generated: 2007-07-04 12:27 ---

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341234.TMP

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341233.TMP

Statcounter: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


Advertising.com: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


Tradedoubler: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


TagASaurus: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)




Shaba
2007-07-04, 12:43
Hi

A bit better.

Copy text below to Notepad and save it as rem.bat (save it as all files, *.*)

@ECHO OFF
attrib -r -h C:\WINDOWS\Temp\*.*
del /a /f /q C:\WINDOWS\Temp\*.*

It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/bat.JPG

Doubleclick rem.bat; black dos windows will flash, that's normal.

(In case you are unsure how to create a bat file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Bat_File) with screenshots.)

Re-scan with spybot

Post a fresh spybot report.

IFKSJOLD
2007-07-04, 13:04
Ok, now it seems that Virtumonde is gone, but torpig still exists:

04.07.2007 12:51:53 - ##### check started #####
04.07.2007 12:51:53 - ### Version: 1.4
04.07.2007 12:51:53 - ### Date: 04-07-2007 12:51:53
04.07.2007 12:51:53 - ##### checking bots #####
04.07.2007 12:57:57 - found: Torpig Temporary file
04.07.2007 12:57:57 - found: Torpig Temporary file
04.07.2007 13:01:14 - found: Statcounter Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 13:01:18 - found: Advertising.com Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 13:01:19 - found: Tradedoubler Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 13:01:20 - found: TagASaurus Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 13:01:21 - ##### check finished #####


--- Report generated: 2007-07-04 13:01 ---

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341234.TMP

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341233.TMP

Statcounter: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


Advertising.com: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


Tradedoubler: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


TagASaurus: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)




Shaba
2007-07-04, 13:06
Hi

Follow these (http://support.microsoft.com/kb/308421) instructions for those files.

Re-scan with spybot

Post a fresh spybot report.

IFKSJOLD
2007-07-04, 13:14
Can't seem to find the files in the folder
C:\WINDOWS\Temp
And i have marked the show hidden files option....

I believe they disappeared after running killbox but Spybot still found them???

???

What to do then?? is Spybot just oversensitive...? or is it even another hidden problem??

Shaba
2007-07-04, 13:20
Hi

Well they might be superhidden.

1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop. Click on Avenger.zip to open the file. Extract avenger.exe to your desktop.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\WINDOWS\Temp\$_2341234.TMP
C:\WINDOWS\Temp\$_2341233.TMP

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply

Re-scan with spybot

Post:

- c:\avenger.txt
- spybot report

IFKSJOLD
2007-07-04, 13:42
Ok, it seems more complicated than i thought....Well did as told, but the avenger folder does not contain anything and as i followed the reboot the dos command box contained a cannot find file or file does not exist message but only saw it briefly...

alas...no avenger.txt and also no C:\avenger\backup.zip?????

But here is the hijackthis log and the next post will contain a new spybot report:

Logfile of HijackThis v1.99.1
Scan saved at 13:38:51, on 04-07-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
C:\Programmer\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe
C:\Programmer\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Programmer\Java\jre1.5.0_02\bin\jusched.exe
C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe
C:\Programmer\Fælles filer\Ahead\Lib\NMIndexStoreSvr.exe
C:\Programmer\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe
C:\Programmer\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packardbell.com/cgi-bin/redirect/?country=DK&range=AD&phase=6&key=SEARCH
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.dk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ifkskjold.dk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = file://C:\APPS\IE\offline\dan.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.ifkskjold.dk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ifkskjold.dk
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Hyperlinks
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmer\Fælles filer\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Programmer\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Programmer\Fælles filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmer\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Programmer\Fælles filer\Ahead\Lib\NMBgMonitor.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programmer\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programmer\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\dan.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Programmer\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programmer\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programmer\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Programmer\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Programmer\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Programmer\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: NBService - Nero AG - C:\Programmer\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Programmer\Fælles filer\Ahead\Lib\NMIndexingService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Programmer\Fælles filer\Ulead Systems\DVD\ULCDRSvr.exe

Shaba
2007-07-04, 13:46
Hi

Well, it looks like those files really don't exist and Spybot finds something on its own.

Did you copy all these lines to avenger?

Files to delete:
C:\WINDOWS\Temp\$_2341234.TMP
C:\WINDOWS\Temp\$_2341233.TMP

IFKSJOLD
2007-07-04, 14:01
Yup all of it....

The new spybot report:

04.07.2007 13:43:42 - ##### check started #####
04.07.2007 13:43:42 - ### Version: 1.4
04.07.2007 13:43:42 - ### Date: 04-07-2007 13:43:42
04.07.2007 13:43:42 - ##### checking bots #####
04.07.2007 13:50:12 - found: Torpig Temporary file
04.07.2007 13:50:13 - found: Torpig Temporary file
04.07.2007 13:53:40 - found: Statcounter Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 13:53:44 - found: Advertising.com Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 13:53:45 - found: Tradedoubler Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 13:53:46 - found: TagASaurus Tracking cookie (Internet Explorer: Skjold Klub)
04.07.2007 13:53:47 - ##### check finished #####


--- Report generated: 2007-07-04 13:53 ---

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341234.TMP

Torpig: Temporary file (File, nothing done)
C:\WINDOWS\Temp\$_2341233.TMP

Statcounter: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


Advertising.com: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


Tradedoubler: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)


TagASaurus: Tracking cookie (Internet Explorer: Skjold Klub) (Cookie, nothing done)




Shaba
2007-07-04, 14:04
Hi

I think that we can't do much more.

Looks like those files don't exist (if Avenger can't find those, it's 99,9% sure that they don't). If they do exist, they're leftovers and quite harmless.

You can try to run temp file cleaner and tell me if those still exist after that:

Please download ATF Cleaner by Atribune (http://www.atribune.org/ccount/click.php?id=1) and save it to desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

IFKSJOLD
2007-07-05, 12:26
Did the ATF Cleaner but torpig still comes up in Spybot, when trying to fix it prompts me with a warning saying:


some problems couldn't be fixed; the reason could be that the associated files are still in use (in memory). This could be fixed after a restart. May Spybot-S&D run on your next startup?

I will reboot and hopefully it will kill it :-)

otherwise i trust that you are right in that they just are imaginary and that the progs are oversensitive......

IFKSJOLD
2007-07-05, 12:55
Before reboot i ran XoftSpySE and it found:

2 Torpig files:

C:\programmer\fælles filer\microsoft shared\web folders\ibm00002.dll
C:\programmer\fælles filer\microsoft shared\web folders\ibm00002.dll

5 Torpig (type: Registry Key):

1 in system\currentcontrolset\services\ntmlsvc
1 in system\currentcontrolset\services\ntmlsvc\enum
1 in system\currentcontrolset\services\ntmlsvc\parameters
1 in system\currentcontrolset\services\ntmlsvc\security
1 in system\controlset001\services\ntmlsvc\parameters

3 Win32.Sality.X (type: Registry Value):

1 in system\currentcontrolset\services\ndisfileservices32\enum\0
1 in system\currentcontrolset\services\ndisfileservices32\enum\count
1 in system\currentcontrolset\services\ndisfileservices32\enum\nextinstance

11 Torpig (type Registry Value):

1 in system\currentcontrolset\services\ntmlsvc\imagepath
1 in system\controlset001\services\ntmlsvc\parameters\servicedll
1 in system\currentcontrolset\services\ntmlsvc\parameters\servicedll
1 in system\currentcontrolset\services\ntmlsvc\errorcontrol
1 in system\currentcontrolset\services\ntmlsvc\objectname
1 in system\currentcontrolset\services\ntmlsvc\start
1 in system\currentcontrolset\services\ntmlsvc\type
1 in system\currentcontrolset\services\ntmlsvc\enum\count
1 in system\currentcontrolset\services\ntmlsvc\enum\nextinstance
1 in system\currentcontrolset\services\ntmlsvc\enum\0
1 in system\currentcontrolset\services\ntmlsvc\security\security

This seems like a lot of troubles still left but as i'm not a pro i might fear for nothing?????????

Will see after the reboot (which means that i won't remove the XoftSpySE found files until after reboot).
By the way Spybot only found the two usual files :-) :
C:\WINDOWS\Temp\$_2341234.TMP
C:\WINDOWS\Temp\$_2341233.TMP but these i can't find so they might be gone as you told me.

IFKSJOLD
2007-07-05, 13:09
that being


C:\programmer\fælles filer\microsoft shared\web folders\ibm00001.dll
C:\programmer\fælles filer\microsoft shared\web folders\ibm00002.dll

in the first quote of previous message
sorry :)

Shaba
2007-07-05, 13:24
Hi

Yes it looks like there are torpig files/entries.

I suggest changing all online passwords (Torpig is a keylogger).

Did XoftSpySE remove those successfully after reboot?
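
The Torpig entries reported above sit under `services\ntmlsvc\parameters\servicedll`, the value svchost-hosted services use to name the DLL they load. As an added example (not part of the thread or of any tool mentioned in it), this Python script parses a regedit export and flags every service whose ServiceDll resolves outside system32; the sample export, the pairing of ntmlsvc with ibm00002.dll, and all function names are constructed assumptions.

```python
import ntpath
import re


def decode_value(raw):
    """Decode the right-hand side of a .reg value line."""
    if raw.startswith('"'):                      # REG_SZ: "text" with \\ and \" escapes
        return re.sub(r"\\(.)", r"\1", raw[1:-1])
    m = re.match(r"hex\(([12])\):(.*)$", raw)    # string types exported as UTF-16LE bytes
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        return data.decode("utf-16-le").rstrip("\x00")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    return raw                                   # other types are kept undecoded


def parse_reg_export(text):
    """Return {key_path: {lowercased_value_name: value}} from 'Version 5.00' export text."""
    text = re.sub(r"\\\r?\n\s*", "", text)       # join hex lines wrapped with a trailing backslash
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # "[-KEY]" is a delete instruction (as in a fix.reg), not data
            current = None if line.startswith("[-") else keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                current[m.group(1).lower()] = decode_value(m.group(2))
    return keys


def suspicious_service_dlls(reg_text, system_root=r"C:\WINDOWS"):
    """List (service, dll_path) pairs whose ServiceDll is not under <system_root>\\system32."""
    trusted = (ntpath.normpath(system_root) + "\\system32\\").lower()
    findings = []
    for path, values in parse_reg_export(reg_text).items():
        m = re.search(r"\\services\\([^\\]+)\\parameters$", path, re.I)
        dll = values.get("servicedll")
        if not m or not isinstance(dll, str):
            continue
        # Expand %SystemRoot% and collapse ".." so path tricks do not pass the prefix check
        dll = re.sub(r"%systemroot%", lambda _: system_root, dll, flags=re.I)
        dll = ntpath.normpath(dll)
        if not dll.lower().startswith(trusted):
            findings.append((m.group(1), dll))
    return findings


def _hex2(s):
    """Encode a string as regedit writes REG_EXPAND_SZ, wrapped across lines (sample helper)."""
    b = [f"{x:02x}" for x in (s + "\0").encode("utf-16-le")]
    rows = [",".join(b[i:i + 24]) for i in range(0, len(b), 24)]
    return "hex(2):" + ",\\\n  ".join(rows)


# Constructed sample export: the DLL path is one reported in the thread, but its
# use as the ntmlsvc ServiceDll value is an assumption made for this example.
SAMPLE_EXPORT = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ntmlsvc\Parameters]",
    '"ServiceDll"=' + _hex2(
        r"C:\programmer\fælles filer\microsoft shared\web folders\ibm00002.dll"),
    "",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]",
    '"ServiceDll"=' + _hex2(r"%SystemRoot%\System32\qmgr.dll"),
    "",
])

if __name__ == "__main__":
    for service, dll in suspicious_service_dlls(SAMPLE_EXPORT):
        print(f"{service}: ServiceDll outside system32 -> {dll}")
```

A hit is a lead to check by hand, not a verdict: some legitimate third-party services also keep their ServiceDll outside system32.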

IFKSJOLD
2007-07-05, 14:08
XoftSpySE removed all but the .dll files...

and didn't find anything other than those two files in the additional scan i made....

Is it possible to remove those two??


C:\programmer\fælles filer\microsoft shared\web folders\ibm00001.dll
C:\programmer\fælles filer\microsoft shared\web folders\ibm00002.dll

Shaba
2007-07-05, 14:38
Hi

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\programmer\fælles filer\microsoft shared\web folders\ibm00001.dll
C:\programmer\fælles filer\microsoft shared\web folders\ibm00002.dll

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try TheKillbox again..

If your computer does not restart automatically, please restart it manually.

Empty this folder:

C:\!KillBox

Empty Recycle Bin

Are those gone now?

IFKSJOLD
2007-07-05, 15:09
Well i thought that was what i had to do...

It seems as they are gone :eek:

XoftSpySE can't find the torpig and Spybot still only finds these:


C:\WINDOWS\Temp\$_2341233.TMP
C:\WINDOWS\Temp\$_2341234.TMP
+ some tracking cookies.

BUT...XoftSpySE still finds the:

3 Win32.Sality.X (type: Registry Value):

1 in system\currentcontrolset\services\ndisfileservices32\enum\0
1 in system\currentcontrolset\services\ndisfileservices32\enum\count
1 in system\currentcontrolset\services\ndisfileservices32\enum\nextinstance
and some cookies :-)

It calls the Win32.Sality.X for severe risk....

Is it??? :sad:

IFKSJOLD
2007-07-05, 15:11
Actually i just had a scan where they (Win32.Sality.X) were not found (before the previous post) but now they are back???

weird

Shaba
2007-07-05, 15:55
Hi

Well, those reg keys aren't very bad if there are no corresponding files.

First we'll need to backup registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Now, go to Start > Run, and copy/paste the following into the Open box:
sc stop ndisfileservices32, Click: OK
Then type sc delete ndisfileservices32, Click: OK

Go in regedit here (if still exists):

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\ndisfileservices32

Right-click and delete that key.

Run another scan with XoftSpySE and tell if it still finds those?

If it does, we need further research.

IFKSJOLD
2007-07-05, 16:02
Delete the whole ndisfileservices32 folder with subfolders or the file in that folder?

Shaba
2007-07-05, 16:03
Hi

Entire registry key, yes.

IFKSJOLD
2007-07-05, 16:41
It can't find it now:D:

BUT...

True Sword 4 tester (trial download)
finds these malicious components: each quote is for a new malicious entry in the test:


Malicious component in file: C:\Windows\system32\hidphone.tsp which is a part of the "Win32.trojandownloader.zlob malware"
this is solved with one of the three free repairs the program allows but don't know if it will return???


Known DIALER Netvision in startup list
this is solved with one of the three free repairs the program allows but don't know if it will return???


Malicious Registry Value "quicktime task" at key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ which is a part of "CWS" hijacker


Malicious registry value "NextInstance" at key HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32 which is part of "win32.sality.x" spyware/trojan


Malicious registry value "Service" at key HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000 which is part of "win32.sality.x" spyware/trojan


Malicious registry value "Legacy" at key HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000 which is part of "win32.sality.x" spyware/trojan


Malicious registry value "ConfigFlags" at key HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000 which is part of "win32.sality.x" spyware/trojan


Malicious registry value "Class" at key HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000 which is part of "win32.sality.x" spyware/trojan


Malicious registry value "ClassGUID" at key HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000 which is part of "win32.sality.x" spyware/trojan


Malicious registry value "DeviceDesc" at key HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000 which is part of "win32.sality.x" spyware/trojan
this is solved with one of the three free repairs the program allows but don't know if it will return???

Checked these pages for info on the win32.sality.x but did nothing but downloading the true sword to test my cpu and used the three free repair slots:
http://www.virusbuster.hu/en/viruslab/descriptions/sality.x
http://www.securitystronghold.com/gates/win32.sality.x.html#Manual

Just for the fun of it i ran XoftSpySE again as i have read that it might return after a while.....AND....
It found these:


system\currentcontrolset\enum\root\legacy_ndisfileservices32\0000\services
system\currentcontrolset\enum\root\legacy_ndisfileservices32\0000\legacy
system\currentcontrolset\enum\root\legacy_ndisfileservices32\0000\configflags
system\currentcontrolset\enum\root\legacy_ndisfileservices32\0000\class
system\currentcontrolset\enum\root\legacy_ndisfileservices32\0000\classguid

which pretty much is similar to those found by true sword and not repaired though some is not found....

Believe the problem to be bigger than first thought...but Torpig is gone.....

Shaba
2007-07-05, 16:50
Hi

"Malicious component in file: C:\Windows\system32\hidphone.tsp which is a part of the "Win32.trojandownloader.zlob malware"

False positive, I have that file, too.

"Malicious Registry Value "quicktime task" at key HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\ which is a part of "CWS" hijacker"

As well false positive, related to quicktime.

Rest are real.

Download Registrar Lite from here ( http://www.majorgeeks.com/download469.html) and install it.
Start Registrar Lite.
Type in to Address field this and click ok: HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32
Right-click that key and choose Properties. Click "Take ownership".
Right-click that key again and choose Delete.


If you can't do it, perform same steps for subkeys like this:

HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000

Does it still find those?

IFKSJOLD
2007-07-06, 11:25
Hi, i can find both of them and take ownership, but when trying to delete it prompts me with an "access denied"....

What to do then??

Shaba
2007-07-06, 11:54
Hi

Are there any subkeys in HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\ENUM\ROOT\LEGACY_NDISFILESERVICES32\0000?

If so, do that process first to them, please :)

IFKSJOLD
2007-07-06, 12:50
Ah, why didn't I think about that myself from the last post you wrote about the \0000 folder....stupid me...and thanks...

Well, the True Sword tester can't find anything else (on the C:\) but cookies and some SunjavaUpdateSched in the startup list that it calls NON-malicious problemware.

On the D:\ the True Sword found also the SunJava (might be the same??) and the same cookies

XoftSpySE found some cookies but none of the win32.sality.x stuff as before :)

On the F:\ the True Sword found these (but you told before that they were inactive so it might not be a problem right?)


Malicious component in file F:\System Volume Information\_Restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\A0011853.exe which is a part of "Adware.P2PNetworking" spyware/trojan


Malicious component in file F:\programmer\fælles filer\CMEII\store\core\appmgrgui.zip which is a part of "gain" data miner


Malicious component in file F:\Windows\System\chktrust.exe which is part of the "ExactSearchBar" browser helper object


Malicious component in file F:\Windows\System\Macromed\shockwave 8\xtras\download\thegroovealliance\3Dgroovextrav18\groove.x32 which is part of "Coulomb Dialer" dialer

So it looks much better now as I'm not getting any problems in my scans....

Shaba
2007-07-06, 12:57
Hi

Yes, they are inactive.

"Malicious component in file F:\System Volume Information\_Restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\A0011853.exe which is a part of "Adware.P2PNetworking" spyware/trojan"

In system restore, we'll get rid of it later.

Delete this:

F:\programmer\fælles filer\CMEII

"Malicious component in file F:\Windows\System\chktrust.exe which is part of the "ExactSearchBar" browser helper object"

False positive.

Delete this:

F:\Windows\System\Macromed\shockwave 8\xtras\download\thegroovealliance\3Dgroovextrav18\groove.x32

Any more problems?
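
The triage applied in the replies above (copies inside a System Restore point are inactive, some detections are false positives, the rest need a decision), as an added Python example that is not part of the original posts. The finding-line format and the chktrust.exe verdict come from this thread; the function names and the `review` label are assumptions of the example.

```python
import re
from pathlib import PureWindowsPath

# Finding lines in the format quoted in the thread (sample input for this example).
SAMPLE = r'''
Malicious component in file F:\System Volume Information\_Restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\A0011853.exe which is a part of "Adware.P2PNetworking" spyware/trojan
Malicious component in file F:\programmer\fælles filer\CMEII\store\core\appmgrgui.zip which is a part of "gain" data miner
Malicious component in file F:\Windows\System\chktrust.exe which is part of the "ExactSearchBar" browser helper object
Malicious component in file F:\Windows\System\Macromed\shockwave 8\xtras\download\thegroovealliance\3Dgroovextrav18\groove.x32 which is part of "Coulomb Dialer" dialer
'''

FINDING = re.compile(
    r'Malicious component in file:? (?P<path>.+?) which is (?:a )?part of '
    r'(?:the )?"(?P<family>[^"]+)"', re.IGNORECASE)

# Verdict given by the helper in this thread, keyed by (file name, detection name).
# Assumption of this example: a real allowlist would key on a file hash or
# signature, because a file name alone is easy to imitate.
REVIEWED_FALSE_POSITIVES = {("chktrust.exe", "exactsearchbar")}

def in_restore_point(path):
    """True when the file sits inside an XP System Restore snapshot folder."""
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    return (len(parts) > 2 and parts[1] == "system volume information"
            and parts[2].startswith("_restore{"))

def classify(path, family):
    if in_restore_point(path):
        return "restore-point"      # inactive copy; purged when System Restore is cycled
    name = PureWindowsPath(path).name.lower()
    if (name, family.lower()) in REVIEWED_FALSE_POSITIVES:
        return "false-positive"     # already reviewed by a human
    return "review"                 # live location: needs a keep/delete decision

def triage(report):
    """Return (verdict, family, path) for every finding line in the report."""
    results = []
    for line in report.splitlines():
        m = FINDING.search(line)
        if m:
            path, family = m.group("path").strip(), m.group("family")
            results.append((classify(path, family), family, path))
    return results

if __name__ == "__main__":
    for verdict, family, path in triage(SAMPLE):
        print(f"{verdict:15} {family:22} {path}")
```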

IFKSJOLD
2007-07-06, 13:41
Well it seems as there are not...

Spybot still detects the good old torpig .tmp files...
and some cookies....

XoftSpySE can't find anything but the cookies.

True Sword finds on the
C:\ - nothing malicious
D:\ - nothing malicious
F:\ -
Malicious component in file F:\System Volume Information\_Restore{4D25720C-D913-4297-878B-534CFAB8E819}\RP69\A0011853.exe which is a part of "Adware.P2PNetworking" spyware/trojan
But that one you said we'll get rid of later. :)


Malicious component in file F:\Windows\System\chktrust.exe which is part of the "ExactSearchBar" browser helper object
but that was a false positive. :)

By the way, I must say I have taken an honour in creating one of the longest threads in here :laugh:

Shaba
2007-07-06, 18:55
Hi

Then you're clean!

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) ZoneAlarm (http://www.zonelabs.com/store/content/catalog/products/sku_list_za.jsp?dc=12bms&ctry=US&lang=en&lid=nav_za)
2) Agnitum (http://www.agnitum.com/products/outpostfree/download.php)
3) Sunbelt/Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
4) Comodo (http://www.personalfirewall.comodo.com/)

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update:
Download the latest version of Java Runtime Environment (JRE) 6 Update 2 (http://java.sun.com/javase/downloads/index.jsp) and save it to your desktop.
Scroll down to where it says "Java Runtime Environment (JRE) 6u2...allows end-users to run Java applications".
Click the "Download" button to the right.
Read the License Agreement and then check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.

Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

You can find instructions on how to enable and reenable system restore here:
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Reenable system restore with instructions from tutorial above

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.

Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topic405.html)


Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an antivirus software in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/?showtutorial=48)

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

IE/Spyad (http://www.spywarewarrior.com/uiuc/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean!

Shaba
2007-07-08, 12:20
Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.