evil Virtumonde!!!!
flipper55
2008-03-22, 01:25
I have Virtumonde and SpySheriff. And now the MY COMPUTER icon is a red "X" and won't go away. KAV scan posted below, in two or three posts.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, March 20, 2008 9:20:15 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/03/2008
Kaspersky Anti-Virus database records: 648510
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 58740
Number of viruses found: 35
Number of infected objects: 305
Number of suspicious objects: 0
Duration of the scan process: 01:19:51
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008032020080321\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\SV2DY1YH\_bm1fcmlke3JpZH1fa3cyX21hNXM_a2FzcGVyc2t5_bm1fNjgwODlfMzI1YTI2ZTQ1MTZiMTFkYzkyODFmNjgwODlmZGZmZmZfZTE3OThkN2M0NDRhNDA5NGJiZWRlNTBiOGFkYjNjNDg_[1].exe Infected: not-virus:Hoax.Win32.Renos.bej skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\McAfee Fire\FireLog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\Bcampbell.AMER-AD\Local Settings\Temp\9fp4i6io.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.dqt skipped
C:\Documents and Settings\Bcampbell.AMER-AD\Local Settings\Temp\9fp4i6io.exe/stream Infected: Trojan-Downloader.Win32.Zlob.dqt skipped
C:\Documents and Settings\Bcampbell.AMER-AD\Local Settings\Temp\9fp4i6io.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Bcampbell.AMER-AD\Local Settings\Temp\dovqgsae.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Documents and Settings\Bcampbell.AMER-AD\Local Settings\Temp\_bm1fcmlkX21hX2t3MV9tYTVz_cGRh_bm1fNjgwODlfMzI1YTI2ZTQ1MTZiMTFkYzkyODFmNjgwODlmZGZmZmZfZTE3OThkN2M0NDRhNDA5NGJiZWRlNTBiOGFkYjNjNDg_.exe Infected: not-virus:Hoax.Win32.Renos.awj skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Novadigm\ManagementAgent\rma.log Object is locked skipped
C:\Program Files\Apoint\Apoint.exe Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\Program Files\AT&T Global Network Client\NetSP.exe Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\Program Files\Common Files\rfrr\rfrra.exe Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\Program Files\Common Files\rfrr\rfrrl.exe Infected: Trojan-Downloader.Win32.TSUpdate.r skipped
C:\Program Files\Common Files\rfrr\rfrrm.exe Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\Program Files\Common Files\rfrr\rfrrp.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\Program Files\IBM\Client Access\cwbckver.exe Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\Program Files\IBM\Client Access\cwbinhlp.exe Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\Program Files\IBM\Client Access\cwbsvstr.exe Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\Program Files\IBM\Client Access\cwbwlwiz.exe Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\Program Files\Internet Explorer\lavufavel.dll Infected: Trojan.Win32.BHO.ab skipped
C:\Program Files\Internet Explorer\lavufavel635.dll Infected: Trojan.Win32.BHO.ab skipped
C:\Program Files\Internet Explorer\lavufavel86.dll Infected: Trojan.Win32.BHO.ab skipped
C:\Program Files\Internet Explorer\profsysypruk.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\Program Files\Novadigm\Log\radexecd.log Object is locked skipped
C:\Program Files\Novadigm\Log\radsched.log Object is locked skipped
C:\Program Files\Novadigm\Log\radstgms.log Object is locked skipped
C:\Program Files\Novadigm\radtray.exe Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\Program Files\Windows Media Player\profsysypruk.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\quarantine\Dc2.Vir.Vir Infected: Trojan-Downloader.Win32.VB.cvs skipped
flipper55
2008-03-22, 01:28
Part II of KAV scan:
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP266\A0050363.exe/data0008 Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP266\A0050363.exe/data0009 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP266\A0050363.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP266\A0050364.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP271\A0050554.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP273\A0050611.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP273\A0050612.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP273\A0050613.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP273\A0050614.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051003.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051004.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051005.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051006.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051007.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051008.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051009.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051010.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051011.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051012.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051013.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051014.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051015.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051016.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051017.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051018.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051019.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051020.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051021.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051022.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051023.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051024.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051025.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051026.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051027.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051028.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051029.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051030.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051031.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051032.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051033.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051034.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051035.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051036.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051037.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051038.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051039.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051040.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051041.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051042.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051044.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051097.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051099.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051100.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051101.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051102.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051103.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051104.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051105.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051106.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051108.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051109.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051110.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051111.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051112.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051113.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051114.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051115.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051116.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051117.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051118.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051119.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051120.dll Infected: Trojan.Win32.Pakes.sc skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051121.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051122.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051123.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051124.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ebw skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051125.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051126.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051127.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051128.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051129.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051130.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051131.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051132.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051133.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051134.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051135.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051136.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051137.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051138.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051139.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051140.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051141.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051142.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051143.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051145.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051146.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051147.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051148.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051149.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051150.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051151.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051152.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051153.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051154.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051155.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051156.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051158.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051159.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051160.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051161.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051162.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051163.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051168.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051169.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051170.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051172.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051173.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051174.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051175.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051176.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051177.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051178.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051179.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.eby skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051180.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051181.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051182.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051183.dll Infected: Trojan.Win32.Pakes.fr skipped
flipper55
2008-03-22, 01:31
Part III of KAV scan:
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051184.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051185.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051186.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051187.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ebw skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051188.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051189.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051190.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051191.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051192.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051193.dll Infected: Trojan.Win32.Pakes.fr skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051194.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051195.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051196.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051198.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051199.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051200.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051201.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051202.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051203.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051204.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051205.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051206.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051207.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051208.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051209.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051210.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051211.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051212.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051213.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051214.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051215.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051216.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051217.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051218.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051219.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051220.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051221.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051222.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051223.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051224.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051225.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051226.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051227.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051228.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051229.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051230.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051231.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051232.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051233.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051234.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051235.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051236.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051238.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051239.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051240.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051241.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051242.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051243.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051244.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051245.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051246.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051247.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051248.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051249.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051250.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051251.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051252.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051253.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\change.log Object is locked skipped
flipper55
2008-03-22, 01:32
Part IV of KAV scan:
C:\WINDOWS\b103.exe_old Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\WINDOWS\b104.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\WINDOWS\b104.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\WINDOWS\b104.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\WINDOWS\b104.exe NSIS: infected - 3 skipped
C:\WINDOWS\b138.exe_old Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UERS_9999_N91S1502NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UERS_9999_N91S2507NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\USDR6_0001_D19M2108NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWAS7_0001_N99M3108NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\WinAntiSpyware2007FreeInstall.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.10\UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.10\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.10\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.11\UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.11\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.11\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.12\UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.12\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.13\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.14\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.15\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UERS_9999_N91S1502NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UERS_9999_N91S2507NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWAS7_0001_N99M3108NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\WinAntiSpyware2007FreeInstall.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UERS_9999_N91S1502NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UERS_9999_N91S2507NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWAS7_0001_N99M3108NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\WinAntiSpyware2007FreeInstall.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UERS_9999_N91S1502NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\WinAntiSpyware2007FreeInstall.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UERS_9999_N91S1502NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\WinAntiSpyware2007FreeInstall.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\UERS_9999_N91S1502NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\UERS_9999_N91S2507NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\USDR6_0001_D19M2108NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\USDR6_9999_N18M1603NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\UWAS7_0001_N99M3108NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\webinst.dll Infected: not-virus:Hoax.Win32.Renos.asm skipped
C:\WINDOWS\Downloaded Program Files\WinAntiSpyware2007FreeInstall.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\RXhlbCBVc2Vy\asappsrv.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\RXhlbCBVc2Vy\command.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\bdwpiwxw.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\bytkitfr.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\f10WtR\f10WtR1099.exe Infected: Trojan-Downloader.Win32.VB.bgd skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\IBD4\rru22011.exe/data0004 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\WINDOWS\system32\IBD4\rru22011.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\igfxtray.exe Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\nvvvroqx.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\ogfthvoy.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wqynwhed.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\ygpccuoi.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\Temp\Perflib_Perfdata_444.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_67c.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
flipper55
2008-03-22, 01:34
Here is the HJT scan:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:02 PM, on 3/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Novadigm\ManagementAgent\nvdkit.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.exel.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.exel.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://88.80.5.21/70/checkin.php?cid=17070314&aid=10086&time=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\1205955778&fw=1088&v=70&m=0&vm=0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;198.*;128.*;*.exelusa.com;*.exel-intra.net;*.tbgamericas.com;*.tbgna.com;<local>
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [RUNRADTRAY] C:\Program Files\Novadigm\radtray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [c07f0d39] rundll32.exe "C:\WINDOWS\system32\shgtreqo.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.exel.com
O16 - DPF: RevealJFC - http://198.176.168.59/revealjavaweb/applet/revealjfc.cab
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/installers/cab/SystemDoctorNewReleaseInstall.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://10.35.108.51/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122304495406
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://americasportal.exel.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.exel-intra.net
O17 - HKLM\Software\..\Telephony: DomainName = amer.exel-intra.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amer.exel-intra.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amer.exel-intra.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amer.exel-intra.net
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Radia Management Agent (rma) - Unknown owner - C:/Novadigm/ManagementAgent/nvdkit.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 9319 bytes
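The HijackThis log above carries the footprint a helper looks for first when Virtumonde/Vundo is suspected: an O4 Run value with a hex-looking name that launches rundll32.exe against an eight-letter DLL in system32 with a one-letter export (`[c07f0d39] rundll32.exe "C:\WINDOWS\system32\shgtreqo.dll",b`), and in the follow-up log the same pattern again (`exlddqdt.dll`), plus nameless or orphaned O2 BHOs, a BHO loaded out of a Temp directory, an R1 ShellNext pointing at a bare-IP check-in URL, and O16 ActiveX downloads with no registered description from the rogue "SystemDoctor" and "DriveCleaner" sites the Kaspersky scan already tied to WinFixer. The script below is an added example, not part of this thread and not a HijackThis or Kaspersky feature: it applies those heuristics to lines copied from the two logs. The regular expressions, the "random-looking name" length threshold and the rule names are my own assumptions, and the sample input is constructed from the posted lines. Its limit is visible on this very page: the O4 entry for igfxtray.exe looks like the normal Intel tray applet, yet the Kaspersky scan flagged that file on disk as Trojan-Downloader.Win32.Agent.exa, so a name-based triage pass can only prioritise review and must be confirmed with a file-level verdict.

```python
import re

# Constructed sample: HijackThis lines copied from the two logs posted in this
# thread, with benign entries kept in so the heuristics have something to ignore.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://88.80.5.21/70/checkin.php?cid=17070314&aid=10086&time=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\1205955778&fw=1088&v=70&m=0&vm=0
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F2880B0-7902-43DE-9831-8A55DB095134} - (no file)
O2 - BHO: 0 - {618F3A1F-C8BC-4A53-199C-9E9B960B1C1B} - C:\Program Files\Internet Explorer\lavufavel86.dll
O2 - BHO: (no name) - {8A146666-E7F1-4FB6-9BDE-9A4F2FE10AD4} - C:\DOCUME~1\BCAMPB~1.AME\LOCALS~1\Temp\pmkhg.dll
O2 - BHO: (no name) - {cab53130-e4ee-410c-b2f1-4eebdd11e804} - C:\WINDOWS\system32\jeblupi.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [c07f0d39] rundll32.exe "C:\WINDOWS\system32\shgtreqo.dll",b
O4 - HKLM\..\Run: [BMc34c3ea5] Rundll32.exe "C:\WINDOWS\system32\exlddqdt.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/installers/cab/SystemDoctorNewReleaseInstall.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122304495406
"""

# Assumed patterns (my own, not HijackThis rules).
RUN_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\w+)\s*$', re.IGNORECASE)
HEX_VALUE_RE = re.compile(r'^(?:BM)?[0-9a-f]{8}$', re.IGNORECASE)   # c07f0d39, BMc34c3ea5
RANDOM_STEM_RE = re.compile(r'^[a-z]{5,12}\d{0,3}$')               # shgtreqo, lavufavel86
BHO_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<file>.*)$')
SHELLNEXT_RE = re.compile(r'^R1 - .*ShellNext = (?P<url>\S+)')
IP_URL_RE = re.compile(r'^https?://\d{1,3}(?:\.\d{1,3}){3}[/:]')
DPF_RE = re.compile(r'^O16 - DPF: \{[0-9A-Fa-f-]+\}(?P<desc> \([^)]*\))? - (?P<url>\S*)$')


def check_run(line):
    """O4: rundll32 loading a random-named system32 DLL through a one-letter export."""
    m = RUN_RE.match(line)
    if not m:
        return None
    d = RUNDLL_RE.match(m.group("cmd"))
    if not d:
        return None
    dll, export = d.group("dll"), d.group("export")
    stem = dll.rsplit("\\", 1)[-1][:-4].lower()          # "shgtreqo.dll" -> "shgtreqo"
    if "\\system32\\" in dll.lower() and RANDOM_STEM_RE.match(stem) and len(export) == 1:
        reason = "vundo-style rundll32 loader: %s, export %s" % (dll, export)
        if HEX_VALUE_RE.match(m.group("name")):
            reason += ", hex-looking Run value name"
        return reason
    return None


def check_bho(line):
    """O2: orphaned BHOs, BHOs living in Temp, BHOs with random-looking DLL names."""
    m = BHO_RE.match(line)
    if not m:
        return None
    path = m.group("file")
    if path == "(no file)" or path.endswith("(file missing)"):
        return "orphaned BHO, DLL no longer on disk: " + path
    base = path.rsplit("\\", 1)[-1]
    stem = base[:-4] if base.lower().endswith(".dll") else base
    if "\\temp\\" in path.lower():
        return "BHO loaded from a Temp directory: " + path
    if RANDOM_STEM_RE.match(stem):
        return "BHO with random-looking DLL name: " + path
    return None


def check_shellnext(line):
    """R1 ShellNext: a bare-IP URL is a beacon, not a setup-wizard page."""
    m = SHELLNEXT_RE.match(line)
    if m and IP_URL_RE.match(m.group("url")):
        return "ShellNext points at a bare-IP URL: " + m.group("url")
    return None


def check_dpf(line):
    """O16: an ActiveX download with no registered description is worth a look."""
    m = DPF_RE.match(line)
    if m and not m.group("desc") and m.group("url").startswith("http"):
        return "ActiveX download with no registered description: " + m.group("url")
    return None


CHECKS = (check_run, check_bho, check_shellnext, check_dpf)


def triage(log_text):
    """Return one finding per suspicious line: section, reason and the original line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for check in CHECKS:
            reason = check(line)
            if reason:
                findings.append({"section": line.split(" ", 1)[0], "reason": reason, "line": line})
                break
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print("%-4s %s" % (f["section"], f["reason"]))
```

Run against the constructed sample it reports nine lines: both rundll32 loaders (with their hex-looking value names), the four O2 entries, the ShellNext beacon and the two nameless O16 downloads, while igfxtray.exe, ctfmon.exe, the Acrobat BHO and the Windows Update control pass untouched. The rundll32 rule is deliberately conjunctive (system32 path, lowercase-only stem, single-letter export) because any one of those alone is common in clean logs; the O16 "no description" rule is the weakest of the four and should be read as "check the host", not as a verdict.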
Hi flipper55
Rename HijackThis.exe to flipper55.exe and post back a fresh HijackThis log, please :)
flipper55
2008-03-27, 19:49
Here it is:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:38:58 AM, on 3/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Novadigm\ManagementAgent\nvdkit.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Novadigm\radsched.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Documents and Settings\Administrator\Desktop\flipper55.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.exel.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.exel.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://88.80.5.21/70/checkin.php?cid=17070314&aid=10086&time=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\1205955778&fw=1088&v=70&m=0&vm=0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;198.*;128.*;*.exelusa.com;*.exel-intra.net;*.tbgamericas.com;*.tbgna.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F2880B0-7902-43DE-9831-8A55DB095134} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 0 - {618F3A1F-C8BC-4A53-199C-9E9B960B1C1B} - C:\Program Files\Internet Explorer\lavufavel86.dll
O2 - BHO: (no name) - {8A146666-E7F1-4FB6-9BDE-9A4F2FE10AD4} - C:\DOCUME~1\BCAMPB~1.AME\LOCALS~1\Temp\pmkhg.dll
O2 - BHO: (no name) - {cab53130-e4ee-410c-b2f1-4eebdd11e804} - C:\WINDOWS\system32\jeblupi.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [RUNRADTRAY] C:\Program Files\Novadigm\radtray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [c07f0d39] rundll32.exe "C:\WINDOWS\system32\shgtreqo.dll",b
O4 - HKLM\..\Run: [BMc34c3ea5] Rundll32.exe "C:\WINDOWS\system32\exlddqdt.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.exel.com
O16 - DPF: RevealJFC - http://198.176.168.59/revealjavaweb/applet/revealjfc.cab
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://cdn.downloadcontrol.com/files/installers/cab/SystemDoctorNewReleaseInstall.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://10.35.108.51/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122304495406
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://americasportal.exel.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.exel-intra.net
O17 - HKLM\Software\..\Telephony: DomainName = amer.exel-intra.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amer.exel-intra.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amer.exel-intra.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amer.exel-intra.net
O20 - Winlogon Notify: pmkhg - C:\DOCUME~1\BCAMPB~1.AME\LOCALS~1\Temp\pmkhg.dll
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Radia Management Agent (rma) - Unknown owner - C:/Novadigm/ManagementAgent/nvdkit.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 10014 bytes
Hi
Move HijackThis.exe to its own folder on the Desktop.
After that:
1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)
**Note: It is important that it is saved directly to your desktop**
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happens, we want to know, and also which process you had to end.
If you have problems with ComboFix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix).
Post:
- a fresh HijackThis log
- combofix report
flipper55
2008-03-28, 19:35
Here is the Combofix log. Thanks again.
ComboFix 08-03-26.3 - ExelAdmin 2008-03-28 10:16:39.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.137 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\DOCUME~1\BCAMPB~1.AME\LOCALS~1\Temp\pmkhg.dll
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1190215127.old
C:\Program Files\WinBudget\bin\crap.1191423407.old
C:\Program Files\WinBudget\bin\matrix.dll
C:\Program Files\WinBudget\bin\matrix.dll.1191423406.old
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\BMc34c3ea5.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\svhost.exe
C:\WINDOWS\system32\dobvodwj.ini
C:\WINDOWS\system32\eclqearw.dll
C:\WINDOWS\system32\eeivtjix.ini
C:\WINDOWS\system32\exlddqdt.dll
C:\WINDOWS\system32\f10WtR
C:\WINDOWS\system32\f10WtR\f10WtR1099.exe
C:\WINDOWS\system32\fcgxjihh.ini
C:\WINDOWS\system32\fgjhpisg.ini
C:\WINDOWS\system32\fmeetkvo.ini
C:\WINDOWS\system32\fpuffqkg.dll
C:\WINDOWS\system32\fqjoyxok.ini
C:\WINDOWS\system32\fqqxclbv.ini
C:\WINDOWS\system32\glklrymy.ini
C:\WINDOWS\system32\jfyttiii.ini
C:\WINDOWS\system32\jjewjmsl.ini
C:\WINDOWS\system32\kkpbkspa.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mmkxdeqw.ini
C:\WINDOWS\system32\msssjedu.ini
C:\WINDOWS\system32\naouaptv.ini
C:\WINDOWS\system32\oogltphe.ini
C:\WINDOWS\system32\podfvxak.ini
C:\WINDOWS\system32\qmurhane.ini
C:\WINDOWS\system32\rsgxohuo.ini
C:\WINDOWS\system32\rvgisauq.ini
C:\WINDOWS\system32\smante~1
C:\WINDOWS\system32\tckihcgg.dll
C:\WINDOWS\system32\uerftawv.dll
C:\WINDOWS\system32\wraeqlce.ini
.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-28 )))))))))))))))))))))))))))))))
.
2008-03-27 10:13 . 2008-03-27 10:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-24 14:50 . 2008-03-21 15:41 229,376 --a------ C:\Program Files\Uninstall My Global Search Bar.dll
2008-03-20 17:03 . 2008-03-24 14:49 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-03-20 17:03 . 2008-03-24 14:49 <DIR> d-------- C:\Program Files\AVSMedia
2008-03-20 12:06 . 2008-03-20 21:50 534 ---hs---- C:\WINDOWS\system32\oqertghs.ini
2008-03-19 22:46 . 2008-03-19 22:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-19 20:53 . 2008-03-19 20:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Thunderbird
2008-03-19 20:40 . 2008-03-19 20:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-03-19 14:38 . 2008-03-19 14:38 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-03-19 14:33 . 2008-03-19 14:35 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-03-19 10:08 . 2008-03-20 10:55 1,434 ---hs---- C:\WINDOWS\system32\nukuwdck.ini
2008-03-18 10:03 . 2008-03-18 10:15 1,314,796 --ahs---- C:\WINDOWS\system32\ygwgxlea.ini
2008-03-17 09:45 . 2008-03-18 09:57 1,314,736 --ahs---- C:\WINDOWS\system32\gwasoeyt.ini
2008-03-14 14:01 . 2008-03-17 09:43 1,314,676 --ahs---- C:\WINDOWS\system32\xbeceqrb.ini
2008-03-13 12:59 . 2008-03-14 13:00 1,314,616 --ahs---- C:\WINDOWS\system32\utiucyhl.ini
2008-03-12 12:59 . 2008-03-13 12:59 1,314,556 --ahs---- C:\WINDOWS\system32\jmjixiac.ini
2008-03-12 11:56 . 2008-03-12 11:57 1,314,496 --ahs---- C:\WINDOWS\system32\xybevcml.ini
2008-03-11 10:26 . 2008-03-12 11:57 1,314,436 --ahs---- C:\WINDOWS\system32\dtjoeian.ini
2008-03-10 10:10 . 2008-03-11 10:24 1,317,789 --ahs---- C:\WINDOWS\system32\dbuwapov.ini
2008-03-07 14:54 . 2008-03-10 10:04 1,307,741 --ahs---- C:\WINDOWS\system32\kueapmtg.ini
2008-03-07 13:48 . 2008-03-07 13:49 1,307,681 --ahs---- C:\WINDOWS\system32\nuoacsfb.ini
2008-03-06 13:26 . 2008-03-07 13:45 1,306,737 --ahs---- C:\WINDOWS\system32\qqdobana.ini
2008-03-06 12:00 . 2008-03-06 13:25 1,306,917 --ahs---- C:\WINDOWS\system32\qiucmbok.ini
2008-03-05 11:57 . 2008-03-06 11:57 1,306,797 --ahs---- C:\WINDOWS\system32\oiixijli.ini
2008-03-05 10:57 . 2008-03-05 10:58 1,307,373 --ahs---- C:\WINDOWS\system32\olkxsltt.ini
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 20:50 --------- d-----w C:\Documents and Settings\Bcampbell.AMER-AD\Application Data\Sametime
2008-03-24 20:05 --------- d-----w C:\Program Files\Novadigm
2008-03-21 02:50 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-03-20 05:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-20 05:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-07 21:34 --------- d-----w C:\Program Files\AT&T Global Network Client
2008-03-03 17:36 --------- d-----w C:\Program Files\Google
2008-02-08 20:03 --------- d-----w C:\Program Files\IBM
2007-02-02 20:50 35,480 ----a-w C:\Documents and Settings\Bcampbell.AMER-AD\Application Data\GDIPFONTCACHEV1.DAT
2006-01-27 09:09 360,600 ----a-w C:\WINDOWS\Internet Logs\tvuninstall.exe
2005-08-02 20:46 187,904 --sha-r C:\WINDOWS\RXhlbCBVc2Vy\asappsrv.dll
2005-08-02 20:58 293,888 --sha-r C:\WINDOWS\RXhlbCBVc2Vy\command.exe
2005-07-29 20:24 472 --sha-r C:\WINDOWS\RXhlbCBVc2Vy\lr15vF1pwZpV.vbs
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 155,648 2004-09-13 15:33:20 C:\Program Files\Apoint\bak\Apoint.exe
----a-w 38,924 2007-01-18 19:23:58 C:\Program Files\Apoint\Apoint.exe
----a-w 10,752 2006-03-17 15:00:00 C:\Program Files\AT&T Global Network Client\bak\NetSP.exe
----a-w 38,924 2007-01-18 19:23:58 C:\Program Files\AT&T Global Network Client\NetSP.exe
----a-w 147,514 2003-10-07 16:48:56 C:\Program Files\Common Files\Network Associates\TalkBack\bak\tbmon.exe
----a-w 38,924 2007-01-18 19:23:58 C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
----a-w 163,576 2006-12-15 18:12:34 C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\bak\GoogleToolbarNotifier.exe
----a-w 38,924 2007-01-18 19:23:58 C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
----a-w 45,056 2002-05-07 09:20:00 C:\Program Files\IBM\Client Access\bak\cwbckver.exe
----a-w 38,924 2007-01-18 19:23:58 C:\Program Files\IBM\Client Access\cwbckver.exe
----a-w 24,626 2002-05-07 09:20:00 C:\Program Files\IBM\Client Access\bak\cwbinhlp.exe
----a-w 38,924 2007-01-18 19:23:58 C:\Program Files\IBM\Client Access\cwbinhlp.exe
----a-w 20,530 2002-05-07 09:20:00 C:\Program Files\IBM\Client Access\bak\cwbsvstr.exe
----a-w 38,924 2007-01-18 19:23:58 C:\Program Files\IBM\Client Access\cwbsvstr.exe
----a-w 20,530 2002-05-07 09:20:00 C:\Program Files\IBM\Client Access\bak\cwbwlwiz.exe
----a-w 38,924 2007-01-18 19:23:58 C:\Program Files\IBM\Client Access\cwbwlwiz.exe
----a-w 569,413 2005-12-28 19:00:56 C:\Program Files\Intel\Wireless\Bin\bak\EOUWiz.exe
----a-w 602,182 2005-12-28 18:56:16 C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe
----a-w 970,752 2007-02-21 15:17:42 C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
----a-w 667,718 2005-12-28 18:55:40 C:\Program Files\Intel\Wireless\Bin\bak\ZCfgSvc.exe
----a-w 819,200 2007-02-21 15:19:58 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
----a-w 139,320 2005-02-25 19:50:00 C:\Program Files\Network Associates\Common Framework\bak\UpdaterUI.exe
----a-w 38,924 2007-01-18 19:23:58 C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
----a-w 434,176 2005-05-04 09:10:38 C:\Program Files\Novadigm\bak\radtray.exe
----a-w 38,924 2007-01-18 19:23:58 C:\Program Files\Novadigm\radtray.exe
----a-w 282,624 2006-09-15 17:18:46 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 15,360 2004-08-04 05:56:50 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 05:56:50 C:\WINDOWS\system32\ctfmon.exe
----a-w 155,648 2005-02-15 13:02:58 C:\WINDOWS\system32\bak\igfxtray.exe
----a-w 38,924 2007-01-18 19:23:58 C:\WINDOWS\system32\igfxtray.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F2880B0-7902-43DE-9831-8A55DB095134}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{618F3A1F-C8BC-4A53-199C-9E9B960B1C1B}]
2007-09-10 09:51 70144 --a------ C:\Program Files\Internet Explorer\lavufavel86.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cab53130-e4ee-410c-b2f1-4eebdd11e804}]
C:\WINDOWS\system32\jeblupi.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-01-18 12:23 38924]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-01-18 12:23 38924]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-08-18 08:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2007-01-18 12:23 38924]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2007-01-18 12:23 38924]
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [2007-01-18 12:23 38924]
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe" [2007-01-18 12:23 38924]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" [2007-01-18 12:23 38924]
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe" [2007-01-18 12:23 38924]
"RUNRADTRAY"="C:\Program Files\Novadigm\radtray.exe" [2007-01-18 12:23 38924]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 08:19 819200]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 08:17 970752]
"c07f0d39"="C:\WINDOWS\system32\shgtreqo.dll" [ ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
McAfee Desktop Firewall Tray.lnk - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe [2005-07-26 07:51:53 679996]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)
"LogonType"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"RecycleBinSize"= 10 (0xa)
"ForceStartMenuLogOff"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= Msimn.exe
"2"= Outlook.exe
"3"= wab.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2003-10-31 08:01 8704 C:\WINDOWS\system32\PCANotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=adsi_startup.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
"Apoint"=C:\Program Files\Apoint\Apoint.exe
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe"
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe"
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
"QuickTime Task"="C:\Program Files\Satsuki Decoder Pack\filtres\qt\QTSystem\qttask.exe" -atboottime
"RUNRADTRAY"=C:\Program Files\Novadigm\radtray.exe
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
"UserFaultCheck"=%systemroot%\system32\dumprep 0 -u
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R2 agnwifi;AT&T Wi-Fi Support Driver;C:\WINDOWS\system32\DRIVERS\agnwifi.sys [2006-03-17 10:49]
R2 radexecd;Radia Notify Daemon;"C:\Program Files\Novadigm\radexecd.exe" [2005-05-11 08:01]
R2 radsched;Radia Scheduler Daemon;"C:\Program Files\Novadigm\radsched.exe" [2005-06-10 02:10]
R2 Radstgms;Radia MSI Redirector;"C:\Program Files\Novadigm\Radstgms.exe" [2004-08-04 03:53]
R3 ABVPN2K;AGN VPN Client Miniport Interface;C:\WINDOWS\system32\DRIVERS\abvpn2k.sys [2005-10-26 09:40]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-03 18:26]
S3 avpnnic;AGN Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\avpnnic.sys [2003-04-04 12:48]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-28 10:27:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rma]
"ImagePath"="C:/Novadigm/ManagementAgent/nvdkit.exe"
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\rma]
"ImagePath"="C:/Novadigm/ManagementAgent/nvdkit.exe"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Novadigm\ManagementAgent\nvdkit.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2008-03-28 10:29:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-28 17:29:15
Pre-Run: 24,732,549,120 bytes free
Post-Run: 24,761,294,848 bytes free
Hi
Please post a fresh HijackThis log as well :)
flipper55
2008-03-28, 20:32
Here it is:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:20 AM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Novadigm\ManagementAgent\nvdkit.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\flipper55.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.exel.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://88.80.5.21/70/checkin.php?cid=17070314&aid=10086&time=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\1205955778&fw=1088&v=70&m=0&vm=0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;198.*;128.*;*.exelusa.com;*.exel-intra.net;*.tbgamericas.com;*.tbgna.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 0 - {618F3A1F-C8BC-4A53-199C-9E9B960B1C1B} - C:\Program Files\Internet Explorer\lavufavel86.dll
O2 - BHO: (no name) - {cab53130-e4ee-410c-b2f1-4eebdd11e804} - C:\WINDOWS\system32\jeblupi.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [RUNRADTRAY] C:\Program Files\Novadigm\radtray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [c07f0d39] rundll32.exe "C:\WINDOWS\system32\shgtreqo.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.exel.com
O16 - DPF: RevealJFC - http://198.176.168.59/revealjavaweb/applet/revealjfc.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://10.35.108.51/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122304495406
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://americasportal.exel.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.exel-intra.net
O17 - HKLM\Software\..\Telephony: DomainName = amer.exel-intra.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amer.exel-intra.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amer.exel-intra.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amer.exel-intra.net
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Radia Management Agent (rma) - Unknown owner - C:/Novadigm/ManagementAgent/nvdkit.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 9760 bytes
flipper55
2008-03-28, 20:44
Here it is:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:31:20 AM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Novadigm\ManagementAgent\nvdkit.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\flipper55.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.exel.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://88.80.5.21/70/checkin.php?cid=17070314&aid=10086&time=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\1205955778&fw=1088&v=70&m=0&vm=0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;198.*;128.*;*.exelusa.com;*.exel-intra.net;*.tbgamericas.com;*.tbgna.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 0 - {618F3A1F-C8BC-4A53-199C-9E9B960B1C1B} - C:\Program Files\Internet Explorer\lavufavel86.dll
O2 - BHO: (no name) - {cab53130-e4ee-410c-b2f1-4eebdd11e804} - C:\WINDOWS\system32\jeblupi.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [RUNRADTRAY] C:\Program Files\Novadigm\radtray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [c07f0d39] rundll32.exe "C:\WINDOWS\system32\shgtreqo.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.exel.com
O16 - DPF: RevealJFC - http://198.176.168.59/revealjavaweb/applet/revealjfc.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://10.35.108.51/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122304495406
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://americasportal.exel.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.exel-intra.net
O17 - HKLM\Software\..\Telephony: DomainName = amer.exel-intra.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amer.exel-intra.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amer.exel-intra.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amer.exel-intra.net
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Radia Management Agent (rma) - Unknown owner - C:/Novadigm/ManagementAgent/nvdkit.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 9760 bytes
Hi
We need first to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:
1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.
Open notepad and copy/paste the text in the quotebox below into it:
AWF::
C:\Program Files\Apoint\bak\Apoint.exe
C:\Program Files\AT&T Global Network Client\bak\NetSP.exe
Files\Common Files\Network Associates\TalkBack\bak\tbmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\bak\GoogleToolbarNotifier.exe
C:\Program Files\IBM\Client Access\bak\cwbckver.exe
C:\Program Files\IBM\Client Access\bak\cwbinhlp.exe
C:\Program Files\IBM\Client Access\bak\cwbsvstr.exe
C:\Program Files\IBM\Client Access\bak\cwbwlwiz.exe
C:\Program Files\Intel\Wireless\Bin\bak\EOUWiz.exe
C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\bak\ZCfgSvc.exe
C:\Program Files\Network Associates\Common Framework\bak\UpdaterUI.exe
C:\Program Files\Novadigm\bak\radtray.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\WINDOWS\system32\bak\ctfmon.exe
C:\WINDOWS\system32\bak\igfxtray.exe
File::
C:\WINDOWS\system32\oqertghs.ini
C:\WINDOWS\system32\nukuwdck.ini
C:\WINDOWS\system32\ygwgxlea.ini
C:\WINDOWS\system32\gwasoeyt.ini
C:\WINDOWS\system32\xbeceqrb.ini
C:\WINDOWS\system32\utiucyhl.ini
C:\WINDOWS\system32\jmjixiac.ini
C:\WINDOWS\system32\xybevcml.ini
C:\WINDOWS\system32\dtjoeian.ini
C:\WINDOWS\system32\dbuwapov.ini
C:\WINDOWS\system32\kueapmtg.ini
C:\WINDOWS\system32\nuoacsfb.ini
C:\WINDOWS\system32\qqdobana.ini
C:\WINDOWS\system32\qiucmbok.ini
C:\WINDOWS\system32\oiixijli.ini
C:\WINDOWS\system32\olkxsltt.ini
C:\Program Files\Uninstall My Global Search Bar.dll
Folder::
C:\WINDOWS\RXhlbCBVc2Vy
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F2880B0-7902-43DE-9831-8A55DB095134}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{618F3A1F-C8BC-4A53-199C-9E9B960B1C1B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cab53130-e4ee-410c-b2f1-4eebdd11e804}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"c07f0d39"=-
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
ComboFix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), go to the Processes tab and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.
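The entries the CFScript above goes after (the unnamed BHO, the BHO whose DLL is already missing, the Run value with a hex-digit label that loads a random-named DLL through rundll32, and the ShellNext value pointing at a bare IP) can be picked out of a HijackThis log mechanically. The script below is an added illustration, not code from this thread or from HijackThis: it applies those same heuristics to a handful of lines copied from the log posted above (the ShellNext URL is shortened). The thresholds (an 8-hex-digit label, a 6-12 lowercase-letter DLL name) are assumptions chosen to match the entries in this log; they are a triage aid that will also flag some legitimate files and are not a verdict.

```python
import re
from typing import List, Tuple

# Constructed sample in HijackThis v2 format. The lines are copied from the
# log posted in this thread (ShellNext URL shortened); nothing else is invented.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.exel.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://88.80.5.21/70/checkin.php?cid=17070314&aid=10086
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {618F3A1F-C8BC-4A53-199C-9E9B960B1C1B} - C:\Program Files\Internet Explorer\lavufavel86.dll
O2 - BHO: (no name) - {cab53130-e4ee-410c-b2f1-4eebdd11e804} - C:\WINDOWS\system32\jeblupi.dll (file missing)
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [c07f0d39] rundll32.exe "C:\WINDOWS\system32\shgtreqo.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Reason strings returned by triage(); constants so callers can match on them.
SHELLNEXT_IP = "ShellNext points at a bare-IP URL"
BHO_MISSING = "BHO registered but its DLL is missing"
BHO_NO_NAME = "BHO with no meaningful name"
BHO_RANDOM = "BHO DLL has a random-looking name"
RUN_HEX_LABEL = "Run entry labelled with 8 hex digits"
RUN_RUNDLL32 = "rundll32 loading a random-looking DLL"

# Heuristic thresholds (assumptions, tuned to the entries in this thread's log).
HEX_LABEL = re.compile(r"^[0-9a-f]{8}$")                  # c07f0d39
RANDOM_DLL = re.compile(r"^[a-z]{6,12}\d{0,2}\.dll$")     # shgtreqo.dll, jeblupi.dll, lavufavel86.dll
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/")
BHO_LINE = re.compile(r"^O2 - BHO: (.*?) - \{[0-9A-Fa-f-]+\} - (.*)$")
RUN_LINE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(.*?)\] (.*)$")


def basename(path: str) -> str:
    """Last component of a Windows path (also tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1]


def triage(log_text: str) -> List[Tuple[str, str]]:
    """Return (reason, line) pairs for log entries that deserve a closer look.

    A single line can yield more than one finding (e.g. a hex label *and* a
    rundll32 payload), so callers should not assume one finding per line.
    """
    findings: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        # R1 ShellNext normally holds a vendor URL; a raw IP check-in is unusual.
        if line.startswith("R1 - ") and "ShellNext" in line and IP_URL.search(line):
            findings.append((SHELLNEXT_IP, line))
            continue
        m = BHO_LINE.match(line)
        if m:
            name, path = m.groups()
            if path.endswith("(file missing)"):
                findings.append((BHO_MISSING, line))
            elif name == "(no name)" or not re.search(r"[A-Za-z]", name):
                findings.append((BHO_NO_NAME, line))
            elif RANDOM_DLL.match(basename(path)):
                findings.append((BHO_RANDOM, line))
            continue
        m = RUN_LINE.match(line)
        if m:
            label, cmd = m.groups()
            if HEX_LABEL.match(label):
                findings.append((RUN_HEX_LABEL, line))
            if cmd.lower().startswith("rundll32"):
                dll = re.search(r'([^"\s,]+\.dll)', cmd, re.IGNORECASE)
                if dll and RANDOM_DLL.match(basename(dll.group(1))):
                    findings.append((RUN_RUNDLL32, line))
    return findings


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```

Run against the sample it reports five findings, all on the four lines the CFScript removes, and nothing for the Adobe BHO, Apoint or ctfmon entries; run against a full log it is a first pass for a human reviewer, not a replacement for one.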
flipper55
2008-03-29, 22:11
You provide a wonderful and useful service, and even on weekends. Thanks again.
Combofix log:
ComboFix 08-03-26.3 - ExelAdmin 2008-03-29 12:57:15.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.180 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active
FILE ::
C:\Program Files\Uninstall My Global Search Bar.dll
C:\WINDOWS\system32\dbuwapov.ini
C:\WINDOWS\system32\dtjoeian.ini
C:\WINDOWS\system32\gwasoeyt.ini
C:\WINDOWS\system32\jmjixiac.ini
C:\WINDOWS\system32\kueapmtg.ini
C:\WINDOWS\system32\nukuwdck.ini
C:\WINDOWS\system32\nuoacsfb.ini
C:\WINDOWS\system32\oiixijli.ini
C:\WINDOWS\system32\olkxsltt.ini
C:\WINDOWS\system32\oqertghs.ini
C:\WINDOWS\system32\qiucmbok.ini
C:\WINDOWS\system32\qqdobana.ini
C:\WINDOWS\system32\utiucyhl.ini
C:\WINDOWS\system32\xbeceqrb.ini
C:\WINDOWS\system32\xybevcml.ini
C:\WINDOWS\system32\ygwgxlea.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Uninstall My Global Search Bar.dll
C:\WINDOWS\b104.exe
C:\WINDOWS\Downloaded Program Files\UDC6_0001_D19M1908NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UERS_9999_N91S1502NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UERS_9999_N91S2507NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\USDR6_0001_D19M2108NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\USDR6_9999_N18M1603NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UWA7P_0001_N99M2908NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\UWAS7_0001_N99M3108NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\WinAntiSpyware2007FreeInstall.exe
C:\WINDOWS\RXhlbCBVc2Vy
C:\WINDOWS\RXhlbCBVc2Vy\asappsrv.dll
C:\WINDOWS\RXhlbCBVc2Vy\command.exe
C:\WINDOWS\RXhlbCBVc2Vy\lr15vF1pwZpV.vbs
C:\WINDOWS\system32\dbuwapov.ini
C:\WINDOWS\system32\dtjoeian.ini
C:\WINDOWS\system32\gwasoeyt.ini
C:\WINDOWS\system32\jmjixiac.ini
C:\WINDOWS\system32\jrvjmhzx.dllbox
C:\WINDOWS\system32\kueapmtg.ini
C:\WINDOWS\system32\nukuwdck.ini
C:\WINDOWS\system32\nuoacsfb.ini
C:\WINDOWS\system32\oiixijli.ini
C:\WINDOWS\system32\olkxsltt.ini
C:\WINDOWS\system32\oqertghs.ini
C:\WINDOWS\system32\qiucmbok.ini
C:\WINDOWS\system32\qqdobana.ini
C:\WINDOWS\system32\utiucyhl.ini
C:\WINDOWS\system32\xbeceqrb.ini
C:\WINDOWS\system32\xybevcml.ini
C:\WINDOWS\system32\ygwgxlea.ini
.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-29 )))))))))))))))))))))))))))))))
.
2008-03-27 10:13 . 2008-03-27 10:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-20 17:03 . 2008-03-24 14:49 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-03-20 17:03 . 2008-03-24 14:49 <DIR> d-------- C:\Program Files\AVSMedia
2008-03-19 22:46 . 2008-03-19 22:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-19 20:53 . 2008-03-19 20:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Thunderbird
2008-03-19 20:40 . 2008-03-19 20:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-03-19 14:38 . 2008-03-19 14:38 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-03-19 14:33 . 2008-03-19 14:35 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-29 19:59 --------- d-----w C:\Program Files\AT&T Global Network Client
2008-03-29 19:57 --------- d-----w C:\Program Files\Apoint
2008-03-26 20:50 --------- d-----w C:\Documents and Settings\Bcampbell.AMER-AD\Application Data\Sametime
2008-03-24 20:05 --------- d-----w C:\Program Files\Novadigm
2008-03-21 02:50 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-03-20 05:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-20 05:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-03 17:36 --------- d-----w C:\Program Files\Google
2008-02-08 20:03 --------- d-----w C:\Program Files\IBM
2008-01-04 06:00 9,123 ----a-w C:\WINDOWS\system32\pgcwlyls.dll
2007-02-02 20:50 35,480 ----a-w C:\Documents and Settings\Bcampbell.AMER-AD\Application Data\GDIPFONTCACHEV1.DAT
2006-01-27 09:09 360,600 ----a-w C:\WINDOWS\Internet Logs\tvuninstall.exe
.
((((((((((((((((((((((((((((( snapshot@2008-03-28_10.28.57.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-19 22:34:40 41,066 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-28 17:29:25 41,066 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-19 22:34:40 313,514 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-28 17:29:25 313,514 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-29 19:53:19 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_36c.dat
+ 2008-03-29 19:53:32 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_d0.dat
.
((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 147,514 2003-10-07 16:48:56 C:\Program Files\Common Files\Network Associates\TalkBack\bak\tbmon.exe
----a-w 38,924 2007-01-18 19:23:58 C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
----a-w 163,576 2006-12-15 18:12:34 C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\bak\GoogleToolbarNotifier.exe
----a-w 38,924 2007-01-18 19:23:58 C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
----a-w 45,056 2002-05-07 09:20:00 C:\Program Files\IBM\Client Access\bak\cwbckver.exe
----a-w 38,924 2007-01-18 19:23:58 C:\Program Files\IBM\Client Access\cwbckver.exe
----a-w 24,626 2002-05-07 09:20:00 C:\Program Files\IBM\Client Access\bak\cwbinhlp.exe
----a-w 38,924 2007-01-18 19:23:58 C:\Program Files\IBM\Client Access\cwbinhlp.exe
----a-w 20,530 2002-05-07 09:20:00 C:\Program Files\IBM\Client Access\bak\cwbsvstr.exe
----a-w 38,924 2007-01-18 19:23:58 C:\Program Files\IBM\Client Access\cwbsvstr.exe
----a-w 20,530 2002-05-07 09:20:00 C:\Program Files\IBM\Client Access\bak\cwbwlwiz.exe
----a-w 38,924 2007-01-18 19:23:58 C:\Program Files\IBM\Client Access\cwbwlwiz.exe
----a-w 569,413 2005-12-28 19:00:56 C:\Program Files\Intel\Wireless\Bin\bak\EOUWiz.exe
----a-w 602,182 2005-12-28 18:56:16 C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe
----a-w 970,752 2007-02-21 15:17:42 C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
----a-w 667,718 2005-12-28 18:55:40 C:\Program Files\Intel\Wireless\Bin\bak\ZCfgSvc.exe
----a-w 819,200 2007-02-21 15:19:58 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
----a-w 139,320 2005-02-25 19:50:00 C:\Program Files\Network Associates\Common Framework\bak\UpdaterUI.exe
----a-w 38,924 2007-01-18 19:23:58 C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
----a-w 434,176 2005-05-04 09:10:38 C:\Program Files\Novadigm\bak\radtray.exe
----a-w 38,924 2007-01-18 19:23:58 C:\Program Files\Novadigm\radtray.exe
----a-w 282,624 2006-09-15 17:18:46 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 15,360 2004-08-04 05:56:50 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 05:56:50 C:\WINDOWS\system32\ctfmon.exe
----a-w 155,648 2005-02-15 13:02:58 C:\WINDOWS\system32\bak\igfxtray.exe
----a-w 38,924 2007-01-18 19:23:58 C:\WINDOWS\system32\igfxtray.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 08:33 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2007-01-18 12:23 38924]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-08-18 08:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2007-01-18 12:23 38924]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2007-01-18 12:23 38924]
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [2007-01-18 12:23 38924]
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe" [2007-01-18 12:23 38924]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" [2007-01-18 12:23 38924]
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe" [2007-01-18 12:23 38924]
"RUNRADTRAY"="C:\Program Files\Novadigm\radtray.exe" [2007-01-18 12:23 38924]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 08:19 819200]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 08:17 970752]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
McAfee Desktop Firewall Tray.lnk - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe [2005-07-26 07:51:53 679996]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)
"LogonType"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"RecycleBinSize"= 10 (0xa)
"ForceStartMenuLogOff"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= Msimn.exe
"2"= Outlook.exe
"3"= wab.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2003-10-31 08:01 8704 C:\WINDOWS\system32\PCANotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=adsi_startup.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
"Apoint"=C:\Program Files\Apoint\Apoint.exe
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe"
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe"
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
"QuickTime Task"="C:\Program Files\Satsuki Decoder Pack\filtres\qt\QTSystem\qttask.exe" -atboottime
"RUNRADTRAY"=C:\Program Files\Novadigm\radtray.exe
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
"UserFaultCheck"=%systemroot%\system32\dumprep 0 -u
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R2 agnwifi;AT&T Wi-Fi Support Driver;C:\WINDOWS\system32\DRIVERS\agnwifi.sys [2006-03-17 10:49]
R2 radexecd;Radia Notify Daemon;"C:\Program Files\Novadigm\radexecd.exe" [2005-05-11 08:01]
R2 radsched;Radia Scheduler Daemon;"C:\Program Files\Novadigm\radsched.exe" [2005-06-10 02:10]
R2 Radstgms;Radia MSI Redirector;"C:\Program Files\Novadigm\Radstgms.exe" [2004-08-04 03:53]
R3 ABVPN2K;AGN VPN Client Miniport Interface;C:\WINDOWS\system32\DRIVERS\abvpn2k.sys [2005-10-26 09:40]
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-03 18:26]
S3 avpnnic;AGN Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\avpnnic.sys [2003-04-04 12:48]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-29 12:59:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\rma]
"ImagePath"="C:/Novadigm/ManagementAgent/nvdkit.exe"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\rma]
"ImagePath"="C:/Novadigm/ManagementAgent/nvdkit.exe"
.
Completion time: 2008-03-29 12:59:58
ComboFix-quarantined-files.txt 2008-03-29 19:59:49
ComboFix2.txt 2008-03-28 17:29:19
Pre-Run: 24,738,811,904 bytes free
Post-Run: 24,707,092,480 bytes free
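One thing worth reading off the AWF section of the ComboFix log above: every file that now sits beside a bak\ copy has the identical size 38,924 bytes and timestamp 2007-01-18 19:23:58, whatever its name, while the backed-up originals all differ in size and date. The same binary has been planted under several legitimate names. The Intel entries (iFrmewrk.exe, ZCfgSvc.exe) do not share that fingerprint, which is why a per-name look is not enough and a cross-name comparison is useful. The script below is an added illustration, not code from ComboFix or from this thread: it parses lines in the format shown in that section (attributes, size, date, time, path), pairs each bak\ copy with its live sibling case-insensitively (the log lists bak\ifrmewrk.exe against iFrmewrk.exe), and reports replacement files that share one size/timestamp across several paths. The minimum of three paths is an assumed threshold.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the AWF section of the ComboFix log above,
# copied verbatim (attributes, size, timestamp, path).
SAMPLE_AWF = r"""
----a-w 147,514 2003-10-07 16:48:56 C:\Program Files\Common Files\Network Associates\TalkBack\bak\tbmon.exe
----a-w 38,924 2007-01-18 19:23:58 C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
----a-w 163,576 2006-12-15 18:12:34 C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\bak\GoogleToolbarNotifier.exe
----a-w 38,924 2007-01-18 19:23:58 C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
----a-w 45,056 2002-05-07 09:20:00 C:\Program Files\IBM\Client Access\bak\cwbckver.exe
----a-w 38,924 2007-01-18 19:23:58 C:\Program Files\IBM\Client Access\cwbckver.exe
----a-w 569,413 2005-12-28 19:00:56 C:\Program Files\Intel\Wireless\Bin\bak\EOUWiz.exe
----a-w 602,182 2005-12-28 18:56:16 C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe
----a-w 970,752 2007-02-21 15:17:42 C:\Program Files\Intel\Wireless\Bin\iFrmewrk.exe
----a-w 667,718 2005-12-28 18:55:40 C:\Program Files\Intel\Wireless\Bin\bak\ZCfgSvc.exe
----a-w 819,200 2007-02-21 15:19:58 C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
----a-w 434,176 2005-05-04 09:10:38 C:\Program Files\Novadigm\bak\radtray.exe
----a-w 38,924 2007-01-18 19:23:58 C:\Program Files\Novadigm\radtray.exe
----a-w 282,624 2006-09-15 17:18:46 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 15,360 2004-08-04 05:56:50 C:\WINDOWS\system32\bak\ctfmon.exe
----a-w 15,360 2004-08-04 05:56:50 C:\WINDOWS\system32\ctfmon.exe
----a-w 155,648 2005-02-15 13:02:58 C:\WINDOWS\system32\bak\igfxtray.exe
----a-w 38,924 2007-01-18 19:23:58 C:\WINDOWS\system32\igfxtray.exe
"""

# attributes  size  YYYY-MM-DD HH:MM:SS  path (path may contain spaces)
AWF_LINE = re.compile(r"^(\S+)\s+([\d,]+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(.+)$")
FileInfo = Tuple[int, str]  # (size in bytes, timestamp string)


def parse_awf(text: str) -> Dict[str, FileInfo]:
    """Map each path in an AWF section to its (size, timestamp)."""
    entries: Dict[str, FileInfo] = {}
    for raw in text.splitlines():
        m = AWF_LINE.match(raw.strip())
        if m:
            _attrs, size, stamp, path = m.groups()
            entries[path] = (int(size.replace(",", "")), stamp)
    return entries


def pair_backups(entries: Dict[str, FileInfo]) -> List[dict]:
    """Pair every ...\bak\name with its live sibling ...\name, ignoring case."""
    by_lower = {p.lower(): p for p in entries}
    pairs: List[dict] = []
    for path, (size, stamp) in entries.items():
        idx = path.lower().rfind("\\bak\\")
        if idx < 0:
            continue
        sibling = path[:idx] + "\\" + path[idx + len("\\bak\\"):]
        current: Optional[str] = by_lower.get(sibling.lower())
        cur_size, cur_stamp = entries[current] if current else (None, None)
        pairs.append({"original": path, "original_size": size, "original_stamp": stamp,
                      "current": current, "current_size": cur_size, "current_stamp": cur_stamp})
    return pairs


def unmatched_backups(pairs: List[dict]) -> List[str]:
    """bak\ copies whose live counterpart is not listed at all."""
    return [p["original"] for p in pairs if p["current"] is None]


def find_cloned_replacements(pairs: List[dict], min_paths: int = 3) -> Dict[FileInfo, List[str]]:
    """Group live files by (size, timestamp); keep fingerprints seen under >= min_paths names."""
    groups: Dict[FileInfo, List[str]] = defaultdict(list)
    for p in pairs:
        if p["current"] is not None:
            groups[(p["current_size"], p["current_stamp"])].append(p["current"])
    return {k: v for k, v in groups.items() if len(v) >= min_paths}


if __name__ == "__main__":
    pairs = pair_backups(parse_awf(SAMPLE_AWF))
    for (size, stamp), paths in find_cloned_replacements(pairs).items():
        print(f"{len(paths)} files share size {size} / timestamp {stamp}:")
        for path in paths:
            print("   ", path)
    for path in unmatched_backups(pairs):
        print("backup without a live counterpart:", path)
```

On the sample this yields one fingerprint, (38924, 2007-01-18 19:23:58), under five names, two backups without a listed counterpart (EOUWiz.exe, qttask.exe), and nothing for the Intel or ctfmon pairs; the pairing of bak\ifrmewrk.exe with iFrmewrk.exe only works because the match is case-insensitive.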
flipper55
2008-03-29, 22:12
And the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:01:11 PM, on 3/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Novadigm\ManagementAgent\nvdkit.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\flipper55.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.exel.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://88.80.5.21/70/checkin.php?cid=17070314&aid=10086&time=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\1205955778&fw=1088&v=70&m=0&vm=0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;198.*;128.*;*.exelusa.com;*.exel-intra.net;*.tbgamericas.com;*.tbgna.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [RUNRADTRAY] C:\Program Files\Novadigm\radtray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.exel.com
O16 - DPF: RevealJFC - http://198.176.168.59/revealjavaweb/applet/revealjfc.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://10.35.108.51/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122304495406
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://americasportal.exel.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.exel-intra.net
O17 - HKLM\Software\..\Telephony: DomainName = amer.exel-intra.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amer.exel-intra.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amer.exel-intra.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amer.exel-intra.net
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Radia Management Agent (rma) - Unknown owner - C:/Novadigm/ManagementAgent/nvdkit.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 9366 bytes
Hi
AWF part didn't go right so let's try again:
Open notepad and copy/paste the text in the quotebox below into it:
AWF::
C:\Program Files\Apoint\bak\Apoint.exe
C:\Program Files\AT&T Global Network Client\bak\NetSP.exe
C:\Program Files\Common Files\Network Associates\TalkBack\bak\tbmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\bak\GoogleToolbarNotifier.exe
C:\Program Files\IBM\Client Access\bak\cwbckver.exe
C:\Program Files\IBM\Client Access\bak\cwbinhlp.exe
C:\Program Files\IBM\Client Access\bak\cwbsvstr.exe
C:\Program Files\IBM\Client Access\bak\cwbwlwiz.exe
C:\Program Files\Intel\Wireless\Bin\bak\EOUWiz.exe
C:\Program Files\Intel\Wireless\Bin\bak\ifrmewrk.exe
C:\Program Files\Intel\Wireless\Bin\bak\ZCfgSvc.exe
C:\Program Files\Network Associates\Common Framework\bak\UpdaterUI.exe
C:\Program Files\Novadigm\bak\radtray.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\WINDOWS\system32\bak\ctfmon.exe
C:\WINDOWS\system32\bak\igfxtray.exe
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
flipper55
2008-03-31, 01:28
Hello Shaba
Nothing happened. I copied the text, saved it to a file called CFScript.txt, then dragged it onto Combofix.exe. Combofix looks like it is beginning to start, then nothing happens. I downloaded Combofix again, and tried copying and pasting several times, all to no effect.
Any ideas?
Hi
Try to do the same in safe mode.
If no go, we use other methods :)
flipper55
2008-03-31, 22:01
It ran in SAFE mode, but not sure if it did anything. Combofix log in this message, and a new HJT log in the next. Thanks.
ComboFix 08-03-30.2 - ExelAdmin 2008-03-31 7:35:59.3 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.366 [GMT -7:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\fswseoep.ini
C:\WINDOWS\system32\fuymuxyk.ini
C:\WINDOWS\system32\ikymievm.ini
C:\WINDOWS\system32\jagpmvhv.ini
C:\WINDOWS\system32\jkbnycfl.ini
C:\WINDOWS\system32\karlxhda.ini
C:\WINDOWS\system32\nbhweaty.ini
C:\WINDOWS\system32\ndevvomb.ini
C:\WINDOWS\system32\qxnqpkpu.ini
C:\WINDOWS\system32\rhjvhooo.ini
C:\WINDOWS\system32\ujooaxpc.ini
C:\WINDOWS\system32\umiegfxa.ini
C:\WINDOWS\system32\wwrajmvr.ini
.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.
2008-03-27 10:13 . 2008-03-27 10:13 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-20 17:03 . 2008-03-24 14:49 <DIR> d-------- C:\Program Files\Common Files\AVSMedia
2008-03-20 17:03 . 2008-03-24 14:49 <DIR> d-------- C:\Program Files\AVSMedia
2008-03-19 22:46 . 2008-03-19 22:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-19 20:53 . 2008-03-19 20:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Thunderbird
2008-03-19 20:40 . 2008-03-19 20:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-03-19 14:38 . 2008-03-19 14:38 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2008-03-19 14:33 . 2008-03-19 14:35 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-02-08 13:23 . 2008-02-08 13:23 <DIR> d-------- C:\Documents and Settings\Bcampbell.AMER-AD\SametimeTranscripts
2008-02-08 13:03 . 2008-03-26 13:50 <DIR> d-------- C:\Documents and Settings\Bcampbell.AMER-AD\Application Data\Sametime
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-31 14:35 --------- d-----w C:\Program Files\QuickTime
2008-03-31 14:35 --------- d-----w C:\Program Files\Novadigm
2008-03-29 19:59 --------- d-----w C:\Program Files\AT&T Global Network Client
2008-03-29 19:59 --------- d-----w C:\Program Files\Apoint
2008-03-21 02:50 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-03-20 05:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-20 05:26 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-03 17:36 --------- d-----w C:\Program Files\Google
2008-02-08 20:03 --------- d-----w C:\Program Files\IBM
2008-01-04 06:00 9,123 ----a-w C:\WINDOWS\system32\pgcwlyls.dll
2007-12-04 19:13 4,672 ----a-w C:\WINDOWS\system32\bdwpiwxw.exe
2007-02-02 20:50 35,480 ----a-w C:\Documents and Settings\Bcampbell.AMER-AD\Application Data\GDIPFONTCACHEV1.DAT
2006-01-27 09:09 360,600 ----a-w C:\WINDOWS\Internet Logs\tvuninstall.exe
.
((((((((((((((((((((((((((((( snapshot@2008-03-28_10.28.57.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-01-18 19:23:58 38,924 ----a-w C:\WINDOWS\system32\igfxtray.exe
+ 2005-02-15 13:02:58 155,648 ----a-w C:\WINDOWS\system32\igfxtray.exe
- 2008-03-19 22:34:40 41,066 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-28 17:29:25 41,066 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-19 22:34:40 313,514 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-28 17:29:25 313,514 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 22:56 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 08:33 155648]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-02-15 06:02 155648]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-08-18 08:00 94208]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2005-02-25 12:50 139320]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe" [2003-10-07 09:48 147514]
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [2002-05-07 02:20 20530]
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe" [2002-05-07 02:20 24626]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" [2002-05-07 02:20 45056]
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe" [2002-05-07 02:20 20530]
"RUNRADTRAY"="C:\Program Files\Novadigm\radtray.exe" [2005-05-04 02:10 434176]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2005-12-28 11:55 667718]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2005-12-28 11:56 602182]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
McAfee Desktop Firewall Tray.lnk - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe [2005-07-26 07:51:53 679996]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableCAD"= 0 (0x0)
"LogonType"= 0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoWelcomeScreen"= 1 (0x1)
"NoMSAppLogo5ChannelNotify"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"RecycleBinSize"= 10 (0xa)
"ForceStartMenuLogOff"= 1 (0x1)
"NoSimpleStartMenu"= 1 (0x1)
"NoSMBalloonTip"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= Msimn.exe
"2"= Outlook.exe
"3"= wab.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
PCANotify.dll 2003-10-31 08:01 8704 C:\WINDOWS\system32\PCANotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=adsi_startup.vbs
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
"Apoint"=C:\Program Files\Apoint\Apoint.exe
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe"
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe"
"IgfxTray"=C:\WINDOWS\system32\igfxtray.exe
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
"KernelFaultCheck"=%systemroot%\system32\dumprep 0 -k
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
"QuickTime Task"="C:\Program Files\Satsuki Decoder Pack\filtres\qt\QTSystem\qttask.exe" -atboottime
"RUNRADTRAY"=C:\Program Files\Novadigm\radtray.exe
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
"UserFaultCheck"=%systemroot%\system32\dumprep 0 -u
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
R3 ABVPN2K;AGN VPN Client Miniport Interface;C:\WINDOWS\system32\DRIVERS\abvpn2k.sys [2005-10-26 09:40]
S2 agnwifi;AT&T Wi-Fi Support Driver;C:\WINDOWS\system32\DRIVERS\agnwifi.sys [2006-03-17 10:49]
S2 radexecd;Radia Notify Daemon;"C:\Program Files\Novadigm\radexecd.exe" [2005-05-11 08:01]
S2 radsched;Radia Scheduler Daemon;"C:\Program Files\Novadigm\radsched.exe" [2005-06-10 02:10]
S2 Radstgms;Radia MSI Redirector;"C:\Program Files\Novadigm\Radstgms.exe" [2004-08-04 03:53]
S3 avpnnic;AGN Virtual Network Adapter;C:\WINDOWS\system32\DRIVERS\avpnnic.sys [2003-04-04 12:48]
S3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys [2004-05-03 18:26]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 07:37:33
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\rma]
"ImagePath"="C:/Novadigm/ManagementAgent/nvdkit.exe"
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\rma]
"ImagePath"="C:/Novadigm/ManagementAgent/nvdkit.exe"
.
Completion time: 2008-03-31 7:38:00
ComboFix-quarantined-files.txt 2008-03-31 14:37:53
ComboFix2.txt 2008-03-29 19:59:59
ComboFix3.txt 2008-03-28 17:29:19
Pre-Run: 25,227,182,080 bytes free
Post-Run: 25,203,077,120 bytes free
flipper55
2008-03-31, 22:06
Here is the HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:42:09 AM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\flipper55.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.exel.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://88.80.5.21/70/checkin.php?cid=17070314&aid=10086&time=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\1205955778&fw=1088&v=70&m=0&vm=0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;198.*;128.*;*.exelusa.com;*.exel-intra.net;*.tbgamericas.com;*.tbgna.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [RUNRADTRAY] C:\Program Files\Novadigm\radtray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.exel.com
O16 - DPF: RevealJFC - http://198.176.168.59/revealjavaweb/applet/revealjfc.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://10.35.108.51/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122304495406
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://americasportal.exel.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.exel-intra.net
O17 - HKLM\Software\..\Telephony: DomainName = amer.exel-intra.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amer.exel-intra.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amer.exel-intra.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amer.exel-intra.net
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Radia Management Agent (rma) - Unknown owner - C:/Novadigm/ManagementAgent/nvdkit.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 8062 bytes
Hi
At least it looks much better :)
Please post next a fresh HijackThis log taken in normal mode.
flipper55
2008-04-01, 17:37
Thanks again.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:36:05 AM, on 4/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Novadigm\ManagementAgent\nvdkit.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Novadigm\radtray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\flipper55.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.exel.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://88.80.5.21/70/checkin.php?cid=17070314&aid=10086&time=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\1205955778&fw=1088&v=70&m=0&vm=0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;198.*;128.*;*.exelusa.com;*.exel-intra.net;*.tbgamericas.com;*.tbgna.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [RUNRADTRAY] C:\Program Files\Novadigm\radtray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.exel.com
O16 - DPF: RevealJFC - http://198.176.168.59/revealjavaweb/applet/revealjfc.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://10.35.108.51/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122304495406
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://americasportal.exel.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.exel-intra.net
O17 - HKLM\Software\..\Telephony: DomainName = amer.exel-intra.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amer.exel-intra.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amer.exel-intra.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amer.exel-intra.net
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Radia Management Agent (rma) - Unknown owner - C:/Novadigm/ManagementAgent/nvdkit.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 9652 bytes
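Added here as an example, not code from this thread, HijackThis or ComboFix: a small triage script that applies, to a few constructed lines in the format of the logs above, the checks a helper makes by eye (a ShellNext pointing at a raw IP, an autostart entry running from a bak\ folder like the ones in the AWF:: list, an O16 download from a host not on a vendor allowlist, an O23 service with a missing file or unknown owner). The allowlist and the heuristics are assumptions made for the example.

```python
"""Triage helper for HijackThis-style logs.

Added example for this thread, not code from HijackThis, ComboFix or any of
the participants. It applies mechanically the checks a helper makes by eye
on logs like the ones posted above. The sample lines, the vendor allowlist
and the bak-folder heuristic are assumptions made for the example.
"""
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample in HijackThis item format, mirroring entries from the
# logs in this thread (suspicious and benign-looking lines mixed together).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.exel.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://88.80.5.21/70/checkin.php?cid=17070314&aid=10086&fw=1088&v=70
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\bak\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
"""

# Assumed allowlist of ActiveX (O16 DPF) download hosts; extend per environment.
TRUSTED_DPF_HOSTS = ("microsoft.com", "kaspersky.com", "f-secure.com", "dell.com")

ITEM_RE = re.compile(r"^(?P<item>[RO]\d+) - (?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")


def is_ip_host(url):
    """True when the URL's host is a bare IP address rather than a name."""
    try:
        ip_address(urlparse(url).hostname)
        return True
    except (ValueError, TypeError):
        return False


def host_trusted(url, trusted=TRUSTED_DPF_HOSTS):
    """True when the URL's host is one of the trusted domains or a subdomain."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in trusted)


def triage(log_text, trusted=TRUSTED_DPF_HOSTS):
    """Return (line, reason) pairs for entries a reviewer should look at."""
    findings = []
    for line in log_text.splitlines():
        m = ITEM_RE.match(line)
        if not m:
            continue
        item, body = m.group("item"), m.group("body")
        url = URL_RE.search(body)
        if item == "R1" and "ShellNext" in body and url and is_ip_host(url.group()):
            # Connection wizard redirected to a check-in URL on a raw IP.
            findings.append((line, "ShellNext points at a raw IP address"))
        elif item == "O4" and "\\bak\\" in body.lower():
            # Autostart entry runs from a bak\ folder, the layout the
            # AWF:: list earlier in this thread restores.
            findings.append((line, "autostart runs from a bak\\ folder"))
        elif item == "O16" and url and not host_trusted(url.group(), trusted):
            findings.append((line, "ActiveX download host not on allowlist"))
        elif item == "O23" and ("(file missing)" in body or "Unknown owner" in body):
            findings.append((line, "service with missing file or unknown owner"))
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_LOG):
        print(f"{reason}: {line}")
```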
Hi and sorry for the delay
Please download ATF Cleaner by Atribune (http://www.atribune.org/ccount/click.php?id=1) and save it to desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit to close ATF-Cleaner.
Re-scan with kaspersky.
Post:
- a fresh HijackThis log
- kaspersky report
flipper55
2008-04-03, 18:42
Thanks for the help. Here is the HJT log. KAV log to follow.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:14 AM, on 4/3/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Novadigm\ManagementAgent\nvdkit.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Novadigm\radtray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~2\FIREFOX.EXE
C:\Documents and Settings\Administrator\Desktop\hijackthis\flipper55.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.exel.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://88.80.5.21/70/checkin.php?cid=17070314&aid=10086&time=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\1205955778&fw=1088&v=70&m=0&vm=0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;198.*;128.*;*.exelusa.com;*.exel-intra.net;*.tbgamericas.com;*.tbgna.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [RUNRADTRAY] C:\Program Files\Novadigm\radtray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.exel.com
O16 - DPF: RevealJFC - http://198.176.168.59/revealjavaweb/applet/revealjfc.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://10.35.108.51/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122304495406
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://americasportal.exel.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.exel-intra.net
O17 - HKLM\Software\..\Telephony: DomainName = amer.exel-intra.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amer.exel-intra.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amer.exel-intra.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amer.exel-intra.net
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Radia Management Agent (rma) - Unknown owner - C:/Novadigm/ManagementAgent/nvdkit.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 9719 bytes
Hi
Have you finished the KAV scan yet? :)
flipper55
2008-04-04, 02:43
Thanks for checking. I haven't been able to run the Kaspersky scan.
I keep getting a message from Kaspersky telling me that SCAN FAILED. YOU MUST BE ONLINE FOR SCAN TO RUN. This despite the fact that I am online.
I will try it from home tonight when I'm not behind a bloated firewall.
Look for it in about 6 hours!
flipper55
2008-04-04, 10:28
The firewall was the problem. Do you know how to get rid of the RED "X" icon that has appeared in place of my C: icon? KAV scan posted below in 3-4 posts:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 04, 2008 12:22:31 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/04/2008
Kaspersky Anti-Virus database records: 681068
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 57366
Number of viruses found: 34
Number of infected objects: 339
Number of suspicious objects: 8
Duration of the scan process: 01:11:00
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008040320080404\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\UpdaterUI_USFUL-GENL001.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\McAfee Fire\FireLog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\Bcampbell.AMER-AD\Application Data\Thunderbird\Profiles\ggsjvp34.default\Mail\Local Folders\Inbox/[From excluded from the list][Date Wed, 11 Jul 2007 07:45:15 -0400 (EDT)]/html/[From "Help Wanted" <no_reply@contumiakie.com>][Date Thu, 09 Aug 2007 13:52:58 -0700]/html/[From h=Date:From:Subject:To:X-Header-CompanyDBUserName:Errors-To:List-Unsubscribe:Reply-To:X-Header-MasterId:X-Header-Versions:Message-ID:MIME-Version:Content-Type;][Date Mon, 13 Aug 2007 09:02:32 -0700 (PDT)]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Bcampbell.AMER-AD\Application Data\Thunderbird\Profiles\ggsjvp34.default\Mail\Local Folders\Inbox/[From excluded from the list][Date Wed, 11 Jul 2007 07:45:15 -0400 (EDT)]/html/[From "Help Wanted" <no_reply@contumiakie.com>][Date Thu, 09 Aug 2007 13:52:58 -0700]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Bcampbell.AMER-AD\Application Data\Thunderbird\Profiles\ggsjvp34.default\Mail\Local Folders\Inbox/[From excluded from the list][Date Wed, 11 Jul 2007 07:45:15 -0400 (EDT)]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Bcampbell.AMER-AD\Application Data\Thunderbird\Profiles\ggsjvp34.default\Mail\Local Folders\Inbox Mail Berkeley mbox: suspicious - 3 skipped
C:\Documents and Settings\Bcampbell.AMER-AD\Application Data\Thunderbird\Profiles\ggsjvp34.default\Mail\Local Folders\Trash/[From excluded from the list][Date Wed, 11 Jul 2007 07:45:15 -0400 (EDT)]/html/[From "dodgers.com" <feedback@lists.mlb.com>][Date Thu, 09 Aug 2007 15:31:52 -0400 (EDT)]/UNNAMED/[From h=Date:From:Subject:To:X-Header-CompanyDBUserName:Errors-To:List-Unsubscribe:Reply-To:X-Header-MasterId:X-Header-Versions:Message-ID:MIME-Version:Content-Type;][Date Mon, 13 Aug 2007 09:02:32 -0700 (PDT)]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Bcampbell.AMER-AD\Application Data\Thunderbird\Profiles\ggsjvp34.default\Mail\Local Folders\Trash/[From excluded from the list][Date Wed, 11 Jul 2007 07:45:15 -0400 (EDT)]/html/[From "dodgers.com" <feedback@lists.mlb.com>][Date Thu, 09 Aug 2007 15:31:52 -0400 (EDT)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Bcampbell.AMER-AD\Application Data\Thunderbird\Profiles\ggsjvp34.default\Mail\Local Folders\Trash/[From excluded from the list][Date Wed, 11 Jul 2007 07:45:15 -0400 (EDT)]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Bcampbell.AMER-AD\Application Data\Thunderbird\Profiles\ggsjvp34.default\Mail\Local Folders\Trash Mail Berkeley mbox: suspicious - 3 skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Novadigm\ManagementAgent\rma.log Object is locked skipped
C:\Program Files\Common Files\rfrr\rfrra.exe Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\Program Files\Common Files\rfrr\rfrrl.exe Infected: Trojan-Downloader.Win32.TSUpdate.r skipped
C:\Program Files\Common Files\rfrr\rfrrm.exe Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\Program Files\Common Files\rfrr\rfrrp.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\Program Files\Internet Explorer\lavufavel.dll Infected: Trojan.Win32.BHO.ab skipped
C:\Program Files\Internet Explorer\lavufavel635.dll Infected: Trojan.Win32.BHO.ab skipped
C:\Program Files\Internet Explorer\lavufavel86.dll Infected: Trojan.Win32.BHO.ab skipped
C:\Program Files\Internet Explorer\profsysypruk.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\Program Files\Mozilla Firefox\plugins\NPMyGlSh.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\Program Files\Novadigm\Log\radexecd.log Object is locked skipped
C:\Program Files\Novadigm\Log\radsched.log Object is locked skipped
C:\Program Files\Novadigm\Log\radstgms.log Object is locked skipped
C:\Program Files\Novadigm\Log\radtray.log Object is locked skipped
C:\Program Files\Windows Media Player\profsysypruk.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\QooBox\Quarantine\C\Program Files\Apoint\Apoint.exe.vir Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\QooBox\Quarantine\C\Program Files\AT&T Global Network Client\NetSP.exe.vir Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe.vir Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\QooBox\Quarantine\C\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe.vir Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\QooBox\Quarantine\C\Program Files\IBM\Client Access\cwbckver.exe.vir Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\QooBox\Quarantine\C\Program Files\IBM\Client Access\cwbinhlp.exe.vir Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\QooBox\Quarantine\C\Program Files\IBM\Client Access\cwbsvstr.exe.vir Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\QooBox\Quarantine\C\Program Files\IBM\Client Access\cwbwlwiz.exe.vir Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\QooBox\Quarantine\C\Program Files\Network Associates\Common Framework\UpdaterUI.exe.vir Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\QooBox\Quarantine\C\Program Files\Novadigm\radtray.exe.vir Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\QooBox\Quarantine\C\Program Files\Uninstall My Global Search Bar.dll.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped
C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\QooBox\Quarantine\C\WINDOWS\b104.exe.vir NSIS: infected - 3 skipped
C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\UDC6_0001_D19M1908NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\UERS_9999_N91S1502NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\UERS_9999_N91S2507NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\USDR6_0001_D19M2108NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\USDR6_9999_N18M1603NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\UWA7P_0001_N99M2908NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\UWAS7_0001_N99M3108NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\WinAntiSpyware2007FreeInstall.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\QooBox\Quarantine\C\WINDOWS\RXhlbCBVc2Vy\asappsrv.dll.vir Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\QooBox\Quarantine\C\WINDOWS\RXhlbCBVc2Vy\command.exe.vir Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\eclqearw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\exlddqdt.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\f10WtR\f10WtR1099.exe.vir Infected: Trojan-Downloader.Win32.VB.bgd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\igfxtray.exe.vir Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tckihcgg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\quarantine\Av-test.txt.Vir Infected: EICAR-Test-File skipped
C:\quarantine\Av-test.txt.Vir.0 Infected: EICAR-Test-File skipped
flipper55
2008-04-04, 10:34
Part 2:
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP266\A0050363.exe/data0008 Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP266\A0050363.exe/data0009 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP266\A0050363.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP266\A0050364.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP271\A0050554.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP273\A0050611.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP273\A0050612.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP273\A0050613.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP273\A0050614.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051003.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051004.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051005.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051006.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051007.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051008.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051009.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051010.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051011.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051012.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051013.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051014.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051015.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051016.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051017.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051018.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051019.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051020.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051021.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051022.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051023.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051024.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051025.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051026.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051027.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051028.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051029.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051030.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051031.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051032.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051033.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051034.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051035.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051036.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051037.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051038.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051039.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051040.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051041.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051042.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051044.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051097.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051098.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051099.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051100.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051101.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051102.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051103.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051104.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051105.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051106.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051107.dll Infected: not-a-virus:AdWare.Win32.Agent.asj skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051108.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051109.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051110.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051111.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051112.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051113.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051114.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051115.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051116.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051117.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051118.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051119.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051120.dll Infected: Trojan.Win32.Pakes.sc skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051121.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051122.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051123.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051124.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ebw skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051125.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051126.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051127.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051128.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051129.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051130.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051131.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051132.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051133.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051134.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051135.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051136.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051137.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051138.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051139.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051140.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051141.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051142.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051143.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051144.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051145.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051146.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051147.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051148.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051149.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051150.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051151.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051152.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051153.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051154.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051155.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051156.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051158.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051159.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051160.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051161.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051162.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051163.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051168.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051169.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051170.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051171.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051172.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051173.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051174.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051175.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051176.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051177.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051178.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051179.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.eby skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051180.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051181.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051182.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051183.dll Infected: Trojan.Win32.Pakes.fr skipped
flipper55
2008-04-04, 10:37
Part 3:
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051184.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051185.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051186.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051187.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ebw skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051188.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051189.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051190.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051191.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051192.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051193.dll Infected: Trojan.Win32.Pakes.fr skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051194.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051195.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051196.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051197.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051198.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051199.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051200.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051201.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051202.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051203.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051204.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051205.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051206.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051207.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051208.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051209.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051210.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051211.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051212.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051213.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051214.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051215.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051216.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051217.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051218.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051219.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051220.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051221.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051222.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051223.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051224.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051225.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051226.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051227.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051228.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051229.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051230.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051231.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051232.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051233.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051234.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051235.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051236.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051237.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051238.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051239.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051240.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051241.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051242.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051243.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051244.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051245.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051246.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051247.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051248.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051249.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051250.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051251.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051252.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051253.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP277\A0051353.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP277\A0051354.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP277\A0051355.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP278\A0051606.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP278\A0051607.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP278\A0051627.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP280\A0051670.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP280\A0051671.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP280\A0051673.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP280\A0051695.exe Infected: Trojan-Downloader.Win32.VB.bgd skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP281\A0051827.exe Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP281\A0051828.exe Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP281\A0051831.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP281\A0051832.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP281\A0051834.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.ak skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP281\A0051851.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP281\A0051851.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP281\A0051851.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP281\A0051851.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP282\A0051970.exe Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP282\A0051971.exe Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP282\A0051972.exe Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP282\A0051973.exe Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP282\A0051974.exe Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP282\A0051975.exe Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP282\A0051978.exe Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP282\A0051979.exe Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP282\A0051981.exe Infected: Trojan-Downloader.Win32.Agent.exa skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP283\change.log Object is locked skipped
C:\WINDOWS\b103.exe_old Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\WINDOWS\b138.exe_old Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
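A note on reading a report like the one above. Every line is `<path> <result> skipped`, and the results fall into three groups that call for very different handling: real detections on live paths (here, for instance, the randomly named `.exe` files in `C:\WINDOWS\system32` flagged as Trojan-Downloader.Win32.Tiny.id, and the `_old` droppers in `C:\WINDOWS`), detections inside `C:\System Volume Information\_restore{...}\RPnnn\`, which are System Restore's own copies of files that were already removed and are only purged by turning System Restore off and back on, and "Object is locked" entries for registry hives, event logs and `index.dat` files, which are normal for files in use and are not detections at all. The script below is an added example, not something from flipper55's post or from the helpers in this thread; it parses lines in this format and separates those groups so the live, actionable items stand out. The sample lines are excerpted from the posted log; the family-naming rule (Behaviour.Platform.Name, with the trailing variant dropped) is an assumption about how Kaspersky verdict strings are built.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: ten lines excerpted verbatim from the posted Kaspersky
# Online Scanner report, chosen to cover every kind of result line it contains.
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP276\A0051183.dll Infected: Trojan.Win32.Pakes.fr skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP281\A0051851.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP281\A0051851.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP283\change.log Object is locked skipped
C:\WINDOWS\b138.exe_old Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\WinAntiSpyware2007FreeInstall.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\webinst.dll Infected: not-virus:Hoax.Win32.Renos.asm skipped
C:\WINDOWS\system32\bdwpiwxw.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\IBD4\rru22011.exe NSIS: infected - 1 skipped
"""

# One result line: a path (which may contain spaces), then one of three result
# forms, then the action ("skipped" for an online scan, which cannot clean).
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<verdict>\S+)"
    r"|Object is locked"
    r"|(?P<container>\w+): infected - (?P<members>\d+))"
    r" skipped$"
)
# Anything under a System Restore point is a stored copy, not a live file.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)


@dataclass
class Hit:
    path: str
    verdict: str            # full verdict, e.g. "not-a-virus:AdWare.Win32.Virtumonde.gen"
    family: str             # Behaviour.Platform.Name without the variant suffix
    riskware: bool          # "not-a-virus:" / "not-virus:" prefix: adware, hoax, riskware
    in_restore_point: bool


def family_of(verdict: str) -> str:
    """Strip the 'not-a-virus:' style prefix and the trailing variant letters.
    Assumes the verdict is Behaviour.Platform.Name[.variant]."""
    name = verdict.split(":", 1)[-1]
    return ".".join(name.split(".")[:3])


def parse_report(text: str):
    """Return (hits, locked_paths, containers) for every result line in text.
    Header, statistics and blank lines do not match LINE_RE and are ignored."""
    hits, locked, containers = [], [], []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        path = m.group("path")
        if m.group("verdict"):
            v = m.group("verdict")
            hits.append(Hit(path=path, verdict=v, family=family_of(v),
                            riskware=v.startswith(("not-a-virus:", "not-virus:")),
                            in_restore_point=bool(RESTORE_RE.search(path))))
        elif m.group("container"):
            # Archive summary ("NSIS: infected - 3"); its members were listed
            # separately with their own verdicts, so only record the container.
            containers.append((path, int(m.group("members"))))
        else:
            locked.append(path)
    return hits, locked, containers


def triage(text: str) -> dict:
    """Split detections into what needs action now versus what a System Restore
    purge will take care of, and count families in each bucket."""
    hits, locked, containers = parse_report(text)
    live = [h for h in hits if not h.in_restore_point]
    return {
        "live_malware": sorted(h.path for h in live if not h.riskware),
        "live_riskware": sorted(h.path for h in live if h.riskware),
        "restore_point_hits": sum(h.in_restore_point for h in hits),
        "families_live": Counter(h.family for h in live),
        "families_restore": Counter(h.family for h in hits if h.in_restore_point),
        "locked": len(locked),
        "containers": containers,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("Live malware (remove first):")
    for p in report["live_malware"]:
        print("   ", p)
    print("Live adware/hoax installers:")
    for p in report["live_riskware"]:
        print("   ", p)
    print("Restore-point copies (purge via System Restore):", report["restore_point_hits"])
    print("Locked objects (in-use system files, not detections):", report["locked"])
    for fam, n in report["families_live"].most_common():
        print(f"  live family {fam}: {n}")
```

Run against the full pasted report instead of SAMPLE_LOG and the "live" lists shrink to a handful of paths under C:\WINDOWS, which is the part worth acting on; the hundreds of RP276 Virtumonde entries all collapse into the restore-point count.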
flipper55
2008-04-04, 10:38
Part 4. Thanks again.
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UERS_9999_N91S1502NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UERS_9999_N91S2507NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\USDR6_0001_D19M2108NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UWAS7_0001_N99M3108NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\WinAntiSpyware2007FreeInstall.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.10\UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.10\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.10\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.11\UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.11\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.11\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.12\UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.12\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.13\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.14\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.15\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UERS_9999_N91S1502NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UERS_9999_N91S2507NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UWAS7_0001_N99M3108NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\WinAntiSpyware2007FreeInstall.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UERS_9999_N91S1502NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UERS_9999_N91S2507NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UWAS7_0001_N99M3108NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\WinAntiSpyware2007FreeInstall.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UERS_9999_N91S1502NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\WinAntiSpyware2007FreeInstall.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UERS_9999_N91S1502NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.5\WinAntiSpyware2007FreeInstall.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.6\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.7\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.8\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\UDC6_0001_D19M1908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.9\UWA7P_0001_N99M2908NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINDOWS\Downloaded Program Files\webinst.dll Infected: not-virus:Hoax.Win32.Renos.asm skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\ModemLog_Conexant D110 MDC V.92 Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\bdwpiwxw.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\bytkitfr.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\IBD4\rru22011.exe/data0004 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\WINDOWS\system32\IBD4\rru22011.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\nvvvroqx.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\ogfthvoy.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wqynwhed.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\ygpccuoi.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_66c.dat Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_c4.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Hi
"Do you know how to get rid of the RED "X" icon that has appeared in place of my C: icon?"
Yes, we will come to that later.
Delete these mails:
C:\Documents and Settings\Bcampbell.AMER-AD\Application Data\Thunderbird\Profiles\ggsjvp34.default\Mail\Local Folders\Inbox/[From excluded from the list][Date Wed, 11 Jul 2007 07:45:15 -0400 (EDT)]/html/[From "Help Wanted" <no_reply@contumiakie.com>][Date Thu, 09 Aug 2007 13:52:58 -0700]/html/[From h=Date:From:Subject:To:X-Header-CompanyDBUserName:Errors-To:List-Unsubscribe:Reply-To:X-Header-MasterId:X-Header-Versions:Message-ID:MIME-Version:Content-Type;][Date Mon, 13 Aug 2007 09:02:32 -0700 (PDT)]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Bcampbell.AMER-AD\Application Data\Thunderbird\Profiles\ggsjvp34.default\Mail\Local Folders\Inbox/[From excluded from the list][Date Wed, 11 Jul 2007 07:45:15 -0400 (EDT)]/html/[From "Help Wanted" <no_reply@contumiakie.com>][Date Thu, 09 Aug 2007 13:52:58 -0700]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Bcampbell.AMER-AD\Application Data\Thunderbird\Profiles\ggsjvp34.default\Mail\Local Folders\Inbox/[From excluded from the list][Date Wed, 11 Jul 2007 07:45:15 -0400 (EDT)]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Bcampbell.AMER-AD\Application Data\Thunderbird\Profiles\ggsjvp34.default\Mail\Local Folders\Inbox Mail Berkeley mbox: suspicious - 3 skipped
C:\Documents and Settings\Bcampbell.AMER-AD\Application Data\Thunderbird\Profiles\ggsjvp34.default\Mail\Local Folders\Trash/[From excluded from the list][Date Wed, 11 Jul 2007 07:45:15 -0400 (EDT)]/html/[From "dodgers.com" <feedback@lists.mlb.com>][Date Thu, 09 Aug 2007 15:31:52 -0400 (EDT)]/UNNAMED/[From h=Date:From:Subject:To:X-Header-CompanyDBUserName:Errors-To:List-Unsubscribe:Reply-To:X-Header-MasterId:X-Header-Versions:Message-ID:MIME-Version:Content-Type;][Date Mon, 13 Aug 2007 09:02:32 -0700 (PDT)]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Bcampbell.AMER-AD\Application Data\Thunderbird\Profiles\ggsjvp34.default\Mail\Local Folders\Trash/[From excluded from the list][Date Wed, 11 Jul 2007 07:45:15 -0400 (EDT)]/html/[From "dodgers.com" <feedback@lists.mlb.com>][Date Thu, 09 Aug 2007 15:31:52 -0400 (EDT)]/UNNAMED Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\Bcampbell.AMER-AD\Application Data\Thunderbird\Profiles\ggsjvp34.default\Mail\Local Folders\Trash/[From excluded from the list][Date Wed, 11 Jul 2007 07:45:15 -0400 (EDT)]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).
Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
C:\Program Files\Common Files\rfrr
C:\Program Files\Internet Explorer\lavufavel.dll
C:\Program Files\Internet Explorer\lavufavel635.dll
C:\Program Files\Internet Explorer\lavufavel86.dll
C:\Program Files\Internet Explorer\profsysypruk.html
C:\Program Files\Mozilla Firefox\plugins\NPMyGlSh.dll
C:\WINDOWS\b103.exe_old
C:\WINDOWS\b138.exe_old
C:\WINDOWS\system32\IBD4
C:\WINDOWS\system32\nvvvroqx.exe
C:\WINDOWS\system32\ogfthvoy.exe
C:\WINDOWS\system32\wqynwhed.exe
C:\WINDOWS\system32\ygpccuoi.exe
C:\WINDOWS\system32\bdwpiwxw.exe
C:\WINDOWS\system32\bytkitfr.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.1
C:\WINDOWS\Downloaded Program Files\CONFLICT.10
C:\WINDOWS\Downloaded Program Files\CONFLICT.11
C:\WINDOWS\Downloaded Program Files\CONFLICT.12
C:\WINDOWS\Downloaded Program Files\CONFLICT.13
C:\WINDOWS\Downloaded Program Files\CONFLICT.14
C:\WINDOWS\Downloaded Program Files\CONFLICT.15
C:\WINDOWS\Downloaded Program Files\CONFLICT.2
C:\WINDOWS\Downloaded Program Files\CONFLICT.3
C:\WINDOWS\Downloaded Program Files\CONFLICT.4
C:\WINDOWS\Downloaded Program Files\CONFLICT.5
C:\WINDOWS\Downloaded Program Files\CONFLICT.6
C:\WINDOWS\Downloaded Program Files\CONFLICT.7
C:\WINDOWS\Downloaded Program Files\CONFLICT.8
C:\WINDOWS\Downloaded Program Files\CONFLICT.9
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.
flipper55
2008-04-04, 18:27
Here is the Log:
C:\Program Files\Common Files\rfrr\rfrrd moved successfully.
C:\Program Files\Common Files\rfrr moved successfully.
LoadLibrary failed for C:\Program Files\Internet Explorer\lavufavel.dll
C:\Program Files\Internet Explorer\lavufavel.dll NOT unregistered.
C:\Program Files\Internet Explorer\lavufavel.dll moved successfully.
LoadLibrary failed for C:\Program Files\Internet Explorer\lavufavel635.dll
C:\Program Files\Internet Explorer\lavufavel635.dll NOT unregistered.
C:\Program Files\Internet Explorer\lavufavel635.dll moved successfully.
LoadLibrary failed for C:\Program Files\Internet Explorer\lavufavel86.dll
C:\Program Files\Internet Explorer\lavufavel86.dll NOT unregistered.
C:\Program Files\Internet Explorer\lavufavel86.dll moved successfully.
C:\Program Files\Internet Explorer\profsysypruk.html moved successfully.
DllUnregisterServer procedure not found in C:\Program Files\Mozilla Firefox\plugins\NPMyGlSh.dll
C:\Program Files\Mozilla Firefox\plugins\NPMyGlSh.dll NOT unregistered.
C:\Program Files\Mozilla Firefox\plugins\NPMyGlSh.dll moved successfully.
C:\WINDOWS\b103.exe_old moved successfully.
C:\WINDOWS\b138.exe_old moved successfully.
C:\WINDOWS\system32\IBD4 moved successfully.
C:\WINDOWS\system32\nvvvroqx.exe moved successfully.
C:\WINDOWS\system32\ogfthvoy.exe moved successfully.
C:\WINDOWS\system32\wqynwhed.exe moved successfully.
C:\WINDOWS\system32\ygpccuoi.exe moved successfully.
C:\WINDOWS\system32\bdwpiwxw.exe moved successfully.
C:\WINDOWS\system32\bytkitfr.exe moved successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.1 moved successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.10 moved successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.11 moved successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.12 moved successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.13 moved successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.14 moved successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.15 moved successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.2 moved successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.3 moved successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.4 moved successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.5 moved successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.6 moved successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.7 moved successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.8 moved successfully.
C:\WINDOWS\Downloaded Program Files\CONFLICT.9 moved successfully.
OTMoveIt2 by OldTimer - Version 1.0.4.0 log created on 04042008_082549
flipper55
2008-04-04, 18:29
And another HJT log (in case you need it):
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:32 AM, on 4/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Novadigm\ManagementAgent\nvdkit.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Novadigm\radtray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\flipper55.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.exel.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://88.80.5.21/70/checkin.php?cid=17070314&aid=10086&time=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\1205955778&fw=1088&v=70&m=0&vm=0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;198.*;128.*;*.exelusa.com;*.exel-intra.net;*.tbgamericas.com;*.tbgna.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [RUNRADTRAY] C:\Program Files\Novadigm\radtray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.exel.com
O16 - DPF: RevealJFC - http://198.176.168.59/revealjavaweb/applet/revealjfc.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://10.35.108.51/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122304495406
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://americasportal.exel.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.exel-intra.net
O17 - HKLM\Software\..\Telephony: DomainName = amer.exel-intra.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amer.exel-intra.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amer.exel-intra.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amer.exel-intra.net
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Radia Management Agent (rma) - Unknown owner - C:/Novadigm/ManagementAgent/nvdkit.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 9701 bytes
Hi
Empty these folders:
C:\_OTMoveIt\MovedFiles
C:\QooBox\Quarantine
Empty Recycle Bin.
Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and re-enable system restore here:
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)
Re-enable system restore with instructions from tutorial above
Re-scan with Kaspersky.
Post:
- a fresh HijackThis log
- Kaspersky report
flipper55
2008-04-04, 20:19
Here is the HJT log. KAV scan to follow later.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:32 AM, on 4/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Novadigm\ManagementAgent\nvdkit.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Novadigm\radtray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\flipper55.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.exel.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://88.80.5.21/70/checkin.php?cid=17070314&aid=10086&time=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\1205955778&fw=1088&v=70&m=0&vm=0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;198.*;128.*;*.exelusa.com;*.exel-intra.net;*.tbgamericas.com;*.tbgna.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [RUNRADTRAY] C:\Program Files\Novadigm\radtray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.exel.com
O16 - DPF: RevealJFC - http://198.176.168.59/revealjavaweb/applet/revealjfc.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1A26F07F-0D60-4835-91CF-1E1766A0EC56} (WebInstall Class) - http://scanner2.malware-scan.com/setup/webinst.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://10.35.108.51/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122304495406
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://americasportal.exel.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.exel-intra.net
O17 - HKLM\Software\..\Telephony: DomainName = amer.exel-intra.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amer.exel-intra.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amer.exel-intra.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amer.exel-intra.net
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Radia Management Agent (rma) - Unknown owner - C:/Novadigm/ManagementAgent/nvdkit.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 9701 bytes
flipper55
2008-04-05, 11:11
Wow! Much better. Here is the KAV scan:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, April 05, 2008 1:09:39 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/04/2008
Kaspersky Anti-Virus database records: 683208
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 51849
Number of viruses found: 3
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 01:02:54
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008040420080405\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\UpdaterUI_USFUL-GENL001.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\McAfee Fire\FireLog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Novadigm\ManagementAgent\rma.log Object is locked skipped
C:\Program Files\Novadigm\Log\radexecd.log Object is locked skipped
C:\Program Files\Novadigm\Log\radsched.log Object is locked skipped
C:\Program Files\Novadigm\Log\radstgms.log Object is locked skipped
C:\Program Files\Novadigm\Log\radtray.log Object is locked skipped
C:\Program Files\Windows Media Player\profsysypruk.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\quarantine\Av-test.txt.Vir Infected: EICAR-Test-File skipped
C:\quarantine\Av-test.txt.Vir.0 Infected: EICAR-Test-File skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP284\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\webinst.dll Infected: not-virus:Hoax.Win32.Renos.asm skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\ModemLog_Conexant D110 MDC V.92 Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_66c.dat Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_c4.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Hi
Delete these:
C:\Program Files\Windows Media Player\profsysypruk.html
C:\WINDOWS\Downloaded Program Files\webinst.dll
Empty Recycle Bin.
Still problems?
flipper55
2008-04-05, 19:35
Looks great! Thanks much. A couple of questions:
1) the HJT log has a reference to drivecleaner in it. Is this something to be worried about? I have posted the most recent log below and BOLDED the reference.
2) the KAV scan lists one virus remaining. Is this something to be worried about? I have posted the most recent log below (or in the next post if it won't fit)
3) the C:\ icon is still a red "X". Is this something that can be changed?
Thanks again.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:23:18 AM, on 4/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Network Associates\VirusScan\mcshield.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
C:\Program Files\Novadigm\radexecd.exe
C:\Program Files\Novadigm\radsched.exe
C:\Program Files\Novadigm\Radstgms.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Novadigm\ManagementAgent\nvdkit.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe
C:\Program Files\Novadigm\radtray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireTray.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Desktop\hijackthis\flipper55.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.exel.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://88.80.5.21/70/checkin.php?cid=17070314&aid=10086&time=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\\1205955778&fw=1088&v=70&m=0&vm=0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy1:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;198.*;128.*;*.exelusa.com;*.exel-intra.net;*.tbgamericas.com;*.tbgna.com;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [RUNRADTRAY] C:\Program Files\Novadigm\radtray.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: McAfee Desktop Firewall Tray.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.exel.com
O16 - DPF: RevealJFC - http://198.176.168.59/revealjavaweb/applet/revealjfc.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {3BA3B159-7533-4F96-A2CE-EE5894BBD3D5} (Scanner.SysScanner) - http://i.dell.com/images/global/js/scanner/SYSSCANNER.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - http://10.35.108.51/iNotes6W.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1122304495406
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/securelogin-devel.cab
O16 - DPF: {8D9563A9-8D5F-459B-87F2-BA842255CB9A} (Whale Client Components) - https://americasportal.exel.com/InternalSite/WhlCompMgr.cab
O16 - DPF: {9b935470-ad4a-11d5-b63e-00c04faedb18} (Oracle JInitiator 1.1.8.16) -
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = amer.exel-intra.net
O17 - HKLM\Software\..\Telephony: DomainName = amer.exel-intra.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = amer.exel-intra.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = amer.exel-intra.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = amer.exel-intra.net
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: McAfee Desktop Firewall Service (FireSvc) - Networks Associates Technology, Inc. - C:\Program Files\Network Associates\McAfee Desktop Firewall for Windows XP\FireSvc.exe
O23 - Service: Iap - Dell Inc - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\PROGRA~1\AT&TGL~1\NetCfgSv.EXE
O23 - Service: PsExec (PSEXESVC) - Unknown owner - C:\WINDOWS\PSEXESVC.EXE (file missing)
O23 - Service: Radia Notify Daemon (radexecd) - Novadigm - C:\Program Files\Novadigm\radexecd.exe
O23 - Service: Radia Scheduler Daemon (radsched) - Novadigm - C:\Program Files\Novadigm\radsched.exe
O23 - Service: Radia MSI Redirector (Radstgms) - Novadigm - C:\Program Files\Novadigm\Radstgms.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Radia Management Agent (rma) - Unknown owner - C:/Novadigm/ManagementAgent/nvdkit.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 9578 bytes
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, April 05, 2008 9:26:58 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/04/2008
Kaspersky Anti-Virus database records: 684595
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 51964
Number of viruses found: 1
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 01:00:39
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008040520080406\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\UpdaterUI_USFUL-GENL001.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\McAfee Fire\FireLog.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Novadigm\ManagementAgent\rma.log Object is locked skipped
C:\Program Files\Novadigm\Log\radexecd.log Object is locked skipped
C:\Program Files\Novadigm\Log\radsched.log Object is locked skipped
C:\Program Files\Novadigm\Log\radstgms.log Object is locked skipped
C:\Program Files\Novadigm\Log\radtray.log Object is locked skipped
C:\quarantine\Av-test.txt.Vir Infected: EICAR-Test-File skipped
C:\quarantine\Av-test.txt.Vir.0 Infected: EICAR-Test-File skipped
C:\System Volume Information\_restore{B5A37487-8612-40FE-9C54-76B1B20DC5C7}\RP284\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\ModemLog_Conexant D110 MDC V.92 Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_66c.dat Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_c4.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Hi
"1) the HJT log has a reference to drivecleaner in it. Is this something to be worried about? I have posted the most recent log below and BOLDED the reference."
My bad, you can fix this entry.
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://drivecleaner.com/.freeware/in...eanerstart.cab
"2) the KAV scan lists one virus remaining. Is this something to be worried about? I have posted the most recent log below (or in the next post if it won't fit)"
No, those are EICAR test viruses.
3)
Go to Start > Run
Type regedit and click OK.
On the left side, click to highlight My Computer at the top.
Go up to "File > Export"
Make sure in that window there is a tick next to "All" under Export Branch.
Leave the "Save As Type" as "Registration Files".
Under "Filename" put backup
Choose to save it to C:\ or to some other safe location so that you will remember where you put it (don't put it on the Desktop!)
Click Save and then go to File > Exit.
Open Notepad and copy the contents of the following box to a new file.
Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons]
Save it as fix.reg (save type: "All files" (*.*)) to your desktop.
It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif
Go to Desktop, double-click fix.reg and merge the information with the registry.
(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)
Reboot. Did it help?
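The same backup-then-delete that fix.reg above performs, as an added PowerShell example that is not from this thread; it also lists which drive letters currently carry an icon override and whether the icon file still exists, which is the usual reason for the red X. It assumes PowerShell 3.0 or later run as Administrator and a constructed backup folder C:\regbackup.

```powershell
# Added example, not from the thread: inspect, back up, then delete the
# Explorer DriveIcons key, which is what [-HKEY_LOCAL_MACHINE\...\DriveIcons]
# in fix.reg does. Run in an elevated PowerShell (3.0 or later assumed).
$driveIcons = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons'
$backupDir  = 'C:\regbackup'   # assumed backup folder (the post used C:\)

if (-not (Test-Path $driveIcons)) {
    Write-Host 'No DriveIcons key present; nothing to clean.'
    return
}

# 1. Show each drive letter that has an icon override and whether the icon
#    file it points to exists. A stale override whose file is gone is what
#    Explorer draws as the red X seen in this thread.
Get-ChildItem -Path $driveIcons | ForEach-Object {
    $iconKey = Join-Path -Path $_.PSPath -ChildPath 'DefaultIcon'
    $icon = $null
    if (Test-Path $iconKey) { $icon = (Get-ItemProperty -Path $iconKey).'(default)' }
    # Drop a trailing ",<resource index>" and quotes, expand %SystemRoot% etc.
    $file = ''
    if ($icon) {
        $file = ($icon -replace ',\s*-?\d+$', '').Trim('"')
        $file = [Environment]::ExpandEnvironmentVariables($file)
    }
    New-Object PSObject -Property @{
        Drive      = $_.PSChildName
        Icon       = $icon
        FileExists = ($file -ne '') -and (Test-Path -LiteralPath $file)
    }
} | Format-Table Drive, Icon, FileExists -AutoSize

# 2. Export just this branch before touching it (File > Export in the post,
#    limited to the one key).
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
$backupFile = Join-Path $backupDir ('DriveIcons-{0}.reg' -f (Get-Date -Format 'yyyyMMdd-HHmmss'))
reg.exe export 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons' $backupFile /y | Out-Null

# 3. Delete the key and all per-drive subkeys.
Remove-Item -Path $driveIcons -Recurse -Force

# 4. Verify; icons redraw after a reboot or an Explorer restart.
if (Test-Path $driveIcons) {
    Write-Warning 'DriveIcons key is still present.'
} else {
    Write-Host "DriveIcons key removed; backup saved to $backupFile"
}
```

To undo, double-click the exported .reg file, exactly as with the full backup the post has you make.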
flipper55
2008-04-06, 00:15
Everything seems to be GREAT!! The icon is back to normal, and everything seems to be working fine.
Like most, I cannot thank you enough for your work in fixing this computer.
Consider this issue CLOSED!
Hi
Then you're clean!
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Next we remove all used tools.
Please download OTCleanIt (http://download.bleepingcomputer.com/oldtimer/OTCleanIt.exe) and save it to desktop.
Double-click OTCleanIt.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes; if not, delete it yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTCleanIt attempting to contact the internet, please allow it to do so.
Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and re-enable system restore here:
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)
Re-enable system restore with instructions from the tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Malwarebytes' Anti-Malware - Malwarebytes' Anti-Malware is a new and powerful anti-malware tool. It is totally free but for real-time protection you will have to pay a small one-time fee. A tutorial on installing & using this product can be found below:
Malwarebytes' Anti-Malware Setup Guide (http://bfccomputers.com/index.php?showtopic=1644)
Malwarebytes' Anti-Malware Scanning Guide (http://bfccomputers.com/index.php?showtopic=1645)
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Here are some additional utilities that will enhance your safety
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer
Google Toolbar (http://toolbar.google.com/) <= Get the free Google toolbar to help stop pop up windows.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Also, please read this great article by Tony Klein, So How Did I Get Infected In The First Place (http://castlecops.com/postlite7736-.html)
Happy surfing and stay clean! :bigthumb:
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.
Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
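The six Internet-zone settings from the "Make your Internet Explorer more secure" steps above, as an added PowerShell script that is not from this thread: it audits the current values and, only with -Apply, sets the targets. The numeric value names are the ones Microsoft documents for IE security zones (KB 182569); the HKCU path assumes per-user zone settings are in effect rather than a machine-only policy.

```powershell
# Added example, not from the thread: audit (and optionally apply) the six
# Internet-zone settings listed above via the registry. Value names are the
# ones Microsoft documents for IE security zones (KB 182569):
# 0 = Enable, 1 = Prompt, 3 = Disable. Assumes per-user zone settings (HKCU)
# are in effect, i.e. no "use only machine settings" policy.
param([switch]$Apply)   # without -Apply the script only reports

$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # 3 = Internet

$target = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Value = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Value = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Value = 1 }
}
$label = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

$current = Get-ItemProperty -Path $zoneKey
$weak = @()
foreach ($id in $target.Keys) {
    $have = $current.$id
    if ($have -eq $null)                    { $haveText = 'not set' }
    elseif ($label.ContainsKey([int]$have)) { $haveText = $label[[int]$have] }
    else                                    { $haveText = "$have" }
    # Lower value = more permissive, so anything below the target is weaker.
    # A missing value falls back to the zone default, so treat it as weak too.
    $ok = ($have -ne $null) -and ([int]$have -ge $target[$id].Value)
    if (-not $ok) { $weak += $id }
    '{0} {1,-62} current={2,-8} target={3,-8} {4}' -f $id, $target[$id].Name, $haveText,
        $label[$target[$id].Value], $(if ($ok) { 'ok' } else { 'WEAK' })
}

if ($Apply -and $weak.Count -gt 0) {
    foreach ($id in $weak) {
        Set-ItemProperty -Path $zoneKey -Name $id -Value $target[$id].Value -Type DWord
    }
    'Applied {0} change(s); restart Internet Explorer to pick them up.' -f $weak.Count
} elseif ($weak.Count -gt 0) {
    'Re-run with -Apply to set the {0} weak value(s).' -f $weak.Count
}
```

Run it once without -Apply to see which of the six settings are still at Enable before changing anything.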