cmdservice



mhoffee
2006-11-13, 04:24
Hello,

I've seen other posts with the command service problem, but they all seem to be handled differently. Here are my logs...


--- Search result list ---
Command Service: System Service (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\shit

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Command Service: Settings (Registry key, fixing failed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\cmdService


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---



Logfile of HijackThis v1.99.1
Scan saved at 8:23:19 PM, on 11/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CMIntex\CMIntex.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,awlqmyf.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [{75-5D-D9-9E-ZN}] c:\windows\system32\opdsregm.exe GEN001
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xupcbbrA] C:\WINDOWS\xupcbbrA.exe
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [win3209472341918] C:\WINDOWS\win3209472341918.exe
O4 - HKLM\..\Run: [win3207184723419] C:\WINDOWS\win3207184723419.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [sys09472341918] C:\WINDOWS\sys09472341918.exe
O4 - HKLM\..\Run: [sys02234191847] C:\WINDOWS\sys02234191847.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [pop06ap] C:\WINDOWS\pop06ap2.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ms05191847234] C:\WINDOWS\ms05191847234.exe
O4 - HKLM\..\Run: [ms04419184723] C:\WINDOWS\ms04419184723.exe
O4 - HKLM\..\Run: [loaddr] C:\topaff.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [wiwz] C:\PROGRA~1\COMMON~1\wiwz\wiwzm.exe
O4 - HKCU\..\Run: [ugybd] C:\WINDOWS\system32\yrnibt.exe reg_run
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CMIntex] "C:\Program Files\CMIntex\CMIntex.exe"
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156784624531
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: flkeojlf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

Mr_JAk3
2006-11-13, 14:48
Hi mhoffee and welcome to Safer Networking Forums :)

You got a nice collection of infections there...

Please rename HijackThis.exe to Scanner.exe

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis (scanner.exe) log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

mhoffee
2006-11-13, 15:51
Hello,

I followed your instructions. Here are the new logs...


Todd - 06-11-13 7:37:26.01 Service Pack 2
ComboFix 06.11.9 - Running from: "C:\Documents and Settings\Todd\My Documents\My Downloads"

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *



DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\Eim03.exe
C:\WINDOWS\MirarSetup_876075.exe
C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\system32\WinNB58.dll
C:\Program Files\Common Files\misc002
C:\Program Files\cmfibula
C:\Program Files\outlook
C:\Program Files\PSLister
C:\WINDOWS\system32\crunner
C:\Program Files\Common Files\{1C275D9E-063A-1033-0910-010807010001}


((((((((((((((((((((((((((((((( Files Created from 2006-10-13 to 2006-11-13 ))))))))))))))))))))))))))))))))))


2006-11-11 16:45 92,208 --a------ C:\WINDOWS\SYSTEM32\WING.DLL
2006-11-11 16:45 188,960 --a------ C:\WINDOWS\SYSTEM32\WINGDE.DLL
2006-11-11 16:45 12,800 --a------ C:\WINDOWS\SYSTEM32\WING32.DLL
2006-11-04 22:55 69,632 --a------ C:\WINDOWS\SYSTEM32\flkeojlf.dll
2006-10-30 20:47 20,747 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AegisP.sys
2006-10-30 20:46 94,208 --a------ C:\WINDOWS\SYSTEM32\GTW32N50.dll
2006-10-30 20:46 40,960 --a------ C:\WINDOWS\SYSTEM32\B11gUSB.dll
2006-10-30 20:46 232,192 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\rt73.sys
2006-10-30 20:46 15,872 --a------ C:\WINDOWS\SYSTEM32\GTNDIS5.sys
2006-10-23 19:06 73,728 --a------ C:\WINDOWS\SYSTEM32\AW32n50.dll
2006-10-23 19:06 16,194 --a------ C:\WINDOWS\SYSTEM32\awindis5.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-13 07:38 -------- dr------- C:\Program Files\Common Files
2006-11-12 14:59 -------- dr------- C:\Program Files\Messenger
2006-11-12 14:56 -------- d-------- C:\Program Files\iTunes
2006-11-12 14:56 -------- d-------- C:\Program Files\Internet Explorer
2006-11-12 14:54 -------- d-------- C:\Program Files\CMIntex
2006-11-12 13:43 -------- d-------- C:\Program Files\Common Files\Blizzard Entertainment
2006-11-11 16:53 -------- d-------- C:\Program Files\LEGO Media
2006-11-11 16:42 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-11 16:33 -------- d-------- C:\Program Files\IGN
2006-11-07 22:55 -------- d-------- C:\Documents and Settings\Todd\Application Data\AdobeUM
2006-11-02 15:51 -------- d-------- C:\Program Files\iPod
2006-11-02 15:50 -------- d-------- C:\Program Files\Apple Software Update
2006-11-01 17:25 -------- d-------- C:\Program Files\QuickTime
2006-11-01 16:12 -------- d---s---- C:\Documents and Settings\Todd\Application Data\Microsoft
2006-10-30 20:46 -------- d-------- C:\Program Files\Belkin
2006-09-28 21:42 778656 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\avg7core.sys
2006-09-24 15:57 -------- d-------- C:\Program Files\AIM
2006-09-24 15:56 -------- d-------- C:\Program Files\Viewpoint
2006-09-24 15:56 -------- d-------- C:\Program Files\AOD
2006-09-19 15:44 15664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\GEARAspiWDM.sys
2006-09-19 15:43 109360 --a------ C:\WINDOWS\SYSTEM32\GEARAspi.dll
2006-09-12 22:01 1084416 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2006-09-04 16:22 1233 --a------ C:\WINDOWS\SYSTEM32\cbef0879.sys
2006-09-04 09:54 186223 --a------ C:\WINDOWS\srvwprwrsv.exe
2006-09-04 09:44 186223 --a------ C:\WINDOWS\srvabxdsvk.exe
2006-09-02 17:51 215308 --a------ C:\WINDOWS\Setup90.exe
2006-09-02 17:51 126976 --a------ C:\WINDOWS\SYSTEM32\ieserv.exe
2006-09-02 17:49 186223 --a------ C:\WINDOWS\srvlnlncnh.exe
2006-08-28 09:13 43520 --a--c--- C:\WINDOWS\SYSTEM32\CmdLineExt03.dll
2006-08-27 21:14 225280 --a------ C:\Program Files\Uninstall My Global Search Bar.dll
2006-08-25 08:45 617472 --a------ C:\WINDOWS\SYSTEM32\comctl32.dll
2006-08-21 05:21 16896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 02:14 23040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe
2006-08-16 04:58 100352 --a------ C:\WINDOWS\SYSTEM32\6to4svc.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"wiwz"="C:\\PROGRA~1\\COMMON~1\\wiwz\\wiwzm.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"CMIntex"="\"C:\\Program Files\\CMIntex\\CMIntex.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"{75-5D-D9-9E-ZN}"="c:\\windows\\system32\\opdsregm.exe GEN001"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"xupcbbrA"="C:\\WINDOWS\\xupcbbrA.exe"
"win3209472341918"="C:\\WINDOWS\\win3209472341918.exe"
"win3207184723419"="C:\\WINDOWS\\win3207184723419.exe"
"ViewMgr"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"sys09472341918"="C:\\WINDOWS\\sys09472341918.exe"
"sys02234191847"="C:\\WINDOWS\\sys02234191847.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"pop06ap"="C:\\WINDOWS\\pop06ap2.exe"
"nwiz"="nwiz.exe /install"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"ms05191847234"="C:\\WINDOWS\\ms05191847234.exe"
"ms04419184723"="C:\\WINDOWS\\ms04419184723.exe"
"loaddr"="C:\\topaff.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb12.exe"
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"BearShare"="\"C:\\Program Files\\BearShare\\BearShare.exe\" /pause"
"ACTX1"="C:\\WINDOWS\\v1201.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,e6,00,00,00,00,00,00,00,9a,03,00,00,42,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Todd^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
"path"="C:\\Documents and Settings\\Todd\\Start Menu\\Programs\\Startup\\RollerCoaster Tycoon 3 Registration.lnk"
"backup"="C:\\WINDOWS\\pss\\RollerCoaster Tycoon 3 Registration.lnkStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\Todd\\Local Settings\\Temp\\{26DF8B17-3EE0-4B57-B54A-69105E7128F1}\\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\\ATR1.exe /remind /language=ENU /PRNM=\"RollerCoaster Tycoon 3\"/PRMP=\"RCT3\"/SKUN=\"PCXX\"/GTYP=\"STRY\""
"item"="RollerCoaster Tycoon 3 Registration"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-11-13 7:40:57.00



and from scanner.exe ...

Logfile of HijackThis v1.99.1
Scan saved at 7:43:45 AM, on 11/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\CMIntex\CMIntex.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\hijackthis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [{75-5D-D9-9E-ZN}] c:\windows\system32\opdsregm.exe GEN001
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [xupcbbrA] C:\WINDOWS\xupcbbrA.exe
O4 - HKLM\..\Run: [win3209472341918] C:\WINDOWS\win3209472341918.exe
O4 - HKLM\..\Run: [win3207184723419] C:\WINDOWS\win3207184723419.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [sys09472341918] C:\WINDOWS\sys09472341918.exe
O4 - HKLM\..\Run: [sys02234191847] C:\WINDOWS\sys02234191847.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [pop06ap] C:\WINDOWS\pop06ap2.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ms05191847234] C:\WINDOWS\ms05191847234.exe
O4 - HKLM\..\Run: [ms04419184723] C:\WINDOWS\ms04419184723.exe
O4 - HKLM\..\Run: [loaddr] C:\topaff.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [wiwz] C:\PROGRA~1\COMMON~1\wiwz\wiwzm.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [CMIntex] "C:\Program Files\CMIntex\CMIntex.exe"
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156784624531
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: flkeojlf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

;)
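
A small triage script for HijackThis-style log lines such as the ones posted above, added here as an example and not a tool from this thread or from Safer Networking. It flags Run entries on the two patterns visible in these logs (a system-looking prefix followed by a long digit string, and executables dropped directly into C:\ or C:\WINDOWS), flags a UserInit value that chains an extra program after userinit.exe and any AppInit_DLLs entry, and then emits the REGEDIT4 deletion syntax ("name"=-) for the flagged Run values. The sample lines are constructed from this thread; the heuristics are deliberately narrow and do not replace a reputation check (ViewMgr is included to show that it passes them).

```python
"""Triage of HijackThis-style autostart lines (added example, not a thread tool)."""
import re
from dataclasses import dataclass

# Constructed sample modelled on the log in this thread. A few clean entries
# (AVG, iTunes, ctfmon) are mixed in so the filter has something to pass, and
# ViewMgr shows that a reputation problem is NOT caught by name/location alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,awlqmyf.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [win3209472341918] C:\WINDOWS\win3209472341918.exe
O4 - HKLM\..\Run: [sys09472341918] C:\WINDOWS\sys09472341918.exe
O4 - HKLM\..\Run: [ms05191847234] C:\WINDOWS\ms05191847234.exe
O4 - HKLM\..\Run: [loaddr] C:\topaff.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: flkeojlf.dll
"""

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.*)$")
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (.*)$")
# First (optionally quoted) token that ends in an executable extension.
IMAGE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|com|scr|bat))"?(?:\s|$)', re.IGNORECASE)
# "win"/"sys"/"ms" followed by a long run of digits, as in the log above.
RANDOM_NAME_RE = re.compile(r"^(?:win|sys|ms)\d{10,}$", re.IGNORECASE)
# Executable placed directly in the drive root or in the Windows root.
ROOT_DROP_RE = re.compile(r"^[a-z]:\\(?:windows\\)?[^\\]+$", re.IGNORECASE)

HIVE_KEY = {
    "HKLM": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}


@dataclass
class Finding:
    kind: str    # "O4", "F2" or "O20"
    hive: str    # "HKLM"/"HKCU" for O4 entries, "" otherwise
    name: str    # Run value name, or the hijacked setting for F2/O20
    path: str    # image path (O4) or the injected/chained module (F2/O20)
    reason: str


def image_path(command):
    """Strip arguments and quotes from a Run value, keeping the executable path."""
    m = IMAGE_RE.match(command.strip())
    return m.group(1) if m else command.split()[0]


def triage(log_text):
    """Return the autostart lines that match the patterns seen in this thread."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            hive, name, command = m.groups()
            path = image_path(command)
            reasons = []
            if RANDOM_NAME_RE.match(name):
                reasons.append("system-looking prefix plus a long digit string")
            if ROOT_DROP_RE.match(path):
                reasons.append("image sits directly in the drive or Windows root")
            if reasons:
                findings.append(Finding("O4", hive, name, path, "; ".join(reasons)))
            continue
        m = F2_RE.match(line)
        if m:
            parts = [p.strip() for p in m.group(1).split(",") if p.strip()]
            extra = [p for p in parts if not p.lower().endswith("userinit.exe")]
            if extra:
                findings.append(Finding("F2", "", "UserInit", ",".join(extra),
                                        "extra program chained after userinit.exe"))
            continue
        m = O20_RE.match(line)
        if m and m.group(1).strip():
            findings.append(Finding("O20", "", "AppInit_DLLs", m.group(1).strip(),
                                    "AppInit_DLLs loads this DLL into every GUI process"))
    return findings


def flagged_files(findings):
    """Image paths behind the flagged Run entries, for inspection or hash lookup."""
    return sorted({f.path for f in findings if f.kind == "O4"})


def regedit4_removal(findings):
    """Build a REGEDIT4 file that deletes the flagged Run values ("name"=- means
    delete). F2 and O20 entries are not Run values and are left for manual repair.
    The result ends with one blank line, which the .reg format requires."""
    out = ["REGEDIT4", ""]
    for hive in ("HKCU", "HKLM"):
        names = [f.name for f in findings if f.kind == "O4" and f.hive == hive]
        if not names:
            continue
        out.append(f"[{HIVE_KEY[hive]}]")
        out.extend(f'"{n}"=-' for n in names)
        out.append("")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:<3} {f.hive:<4} [{f.name}] {f.path} -> {f.reason}")
    print(regedit4_removal(found))
```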

Mr_JAk3
2006-11-13, 20:52
Hi again, we'll continue :)

One or more of the identified infections steal information. If this system is used for online banking or has credit card information on it, all passwords should be changed immediately by using a different computer (not the infected one!) to make the changes. Banking and credit card institutions, if any, should be notified of the possible security breach. I suggest that you read this (http://www.dslreports.com/faq/10451) article too.

You have ViewPoint software installed. The program has a suspicious reputation and I recommend that you remove it.
If you want to keep it, skip the blue steps.

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:)" or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!


Please download the Killbox (http://www.downloads.subratam.org/KillBox.zip).
Unzip it to the desktop but do NOT run it yet.

Then, make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

==================

Open Control Panel -> Add/Remove programs -> Remove all of the following programs if found:

ViewPoint


Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.

CMIntex.exe


Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (Don't forget to copy and paste the word REGEDIT4):


REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"wiwz"=-
"CMIntex"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"{75-5D-D9-9E-ZN}"=-
"xupcbbrA"=-
"win3209472341918"=-
"win3207184723419"=-
"sys09472341918"=-
"sys02234191847"=-
"pop06ap"=-
"ms05191847234"=-
"ms04419184723"=-
"loaddr"=-
"ACTX1"=-



Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O4 - HKLM\..\Run: [{75-5D-D9-9E-ZN}] c:\windows\system32\opdsregm.exe GEN001
O4 - HKLM\..\Run: [xupcbbrA] C:\WINDOWS\xupcbbrA.exe
O4 - HKLM\..\Run: [win3209472341918] C:\WINDOWS\win3209472341918.exe
O4 - HKLM\..\Run: [win3207184723419] C:\WINDOWS\win3207184723419.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [sys09472341918] C:\WINDOWS\sys09472341918.exe
O4 - HKLM\..\Run: [sys02234191847] C:\WINDOWS\sys02234191847.exe
O4 - HKLM\..\Run: [pop06ap] C:\WINDOWS\pop06ap2.exe
O4 - HKLM\..\Run: [ms05191847234] C:\WINDOWS\ms05191847234.exe
O4 - HKLM\..\Run: [ms04419184723] C:\WINDOWS\ms04419184723.exe
O4 - HKLM\..\Run: [loaddr] C:\topaff.exe
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKCU\..\Run: [wiwz] C:\PROGRA~1\COMMON~1\wiwz\wiwzm.exe
O4 - HKCU\..\Run: [CMIntex] "C:\Program Files\CMIntex\CMIntex.exe"
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O20 - AppInit_DLLs: flkeojlf.dll


Please run Killbox.

Select "Delete on Reboot".
Select "All Files".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

c:\windows\system32\opdsregm.exe
C:\WINDOWS\xupcbbrA.exe
C:\WINDOWS\win3209472341918.exe
C:\WINDOWS\win3207184723419.exe
C:\WINDOWS\sys09472341918.exe
C:\WINDOWS\sys02234191847.exe
C:\WINDOWS\pop06ap2.exe
C:\WINDOWS\ms05191847234.exe
C:\WINDOWS\ms04419184723.exe
C:\topaff.exe
C:\WINDOWS\v1201.exe
C:\WINDOWS\SYSTEM32\flkeojlf.dll
C:\WINDOWS\SYSTEM32\cbef0879.sys
C:\WINDOWS\srvwprwrsv.exe
C:\WINDOWS\srvabxdsvk.exe
C:\WINDOWS\Setup90.exe
C:\WINDOWS\SYSTEM32\ieserv.exe
C:\WINDOWS\srvlnlncnh.exe
C:\Program Files\Uninstall My Global Search Bar.dll

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode.
Press Enter. The computer then begins to start in Safe mode.

Go to My Computer and delete the following folders (if present):
C:\Program Files\Common Files\wiwz
C:\Program Files\CMIntex
C:\Program Files\ViewPoint

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by double-clicking BFU.exe.
Behind the "Scriptline to execute" field, click the folder icon and select alcanshorty.bfu.
Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
Wait for the "complete script execution" box to pop up and press OK.
Press Exit to terminate the BFU program.

Run ATF Cleaner. Under Main, choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, post the following logs to here:
- AVG's report
- a fresh HijackThis log

mhoffee
2006-11-14, 04:18
Hello Again,

I followed your instructions. I had two minor glitches. I received a warning message when I ran either the BFU or ATF program (I can't remember which one I was running when the warning popped up). Here is the warning...

An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: flkeojlf.dll)
Error #5 - Invalid procedure call or argument

Please email me at merijn@spywareinfo.com, reporting the following:
* What you were trying to fix when the error occurred, if applicable
* How you can reproduce the error
* A complete HijackThis scan log, if possible

Windows version: Windows NT 5.01.2600
MSIE version: 6.0.2900.2180
HijackThis version: 1.99.1

This message has been copied to your clipboard.
Click OK to continue the rest of the scan.

Then, when it was time to run AVG in safe mode, I couldn't see much of the screen (like which boxes were checked) because of the 640X resolution. I could not change the resolution, so I booted in regular mode to complete that step. Following are the logs...

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:03:18 PM 11/13/2006

+ Scan result:



C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP88\A0033947.exe/clientax.dll -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP91\A0043521.EXE/clientax.dll -> Adware.180Solutions : Cleaned with backup (quarantined).
C:\!KillBox\flkeojlf.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP127\A0047815.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0048362.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0048135.exe -> Adware.Bagon : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-21-1220945662-1965331169-682003330-500\Dc1\CMIntex.exe -> Adware.CASClient : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0048130.exe -> Adware.CASClient : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0048131.dll -> Adware.CASClient : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0048132.dll -> Adware.CASClient : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP127\A0047830.dll -> Adware.EZula : Cleaned with backup (quarantined).
C:\WINDOWS\em.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0048283.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP124\A0047477.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0048281.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP91\A0043437.dll -> Adware.SpywareStorm : Cleaned with backup (quarantined).
C:\RECYCLER\NPROTECT\00028399.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\RECYCLER\NPROTECT\00028400.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\RECYCLER\NPROTECT\00028408.EXE -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP91\A0043387.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP91\A0043388.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP91\A0043472.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP91\A0043473.EXE -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\RECYCLER\NPROTECT\00029187.EXE -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\RECYCLER\NPROTECT\00029193.EXE -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\RECYCLER\NPROTECT\00029199.EXE -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP127\A0047804.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP91\A0043523.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP91\A0043527.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP91\A0043532.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0048286.exe -> Downloader.Agent.c : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0048288.exe -> Downloader.Agent.c : Cleaned with backup (quarantined).
C:\Program Files\Common Files\wiwz\wiwzd\vocabulary -> Downloader.TSUpdate.j : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP91\A0041337.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP91\A0041382.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP91\A0043545.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP92\A0044131.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\Program Files\html1.htm -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\Program Files\html2.htm -> Hijacker.Small.jf : Cleaned with backup (quarantined).
C:\RECYCLER\NPROTECT\00026099.TXT -> TrackingCookie.Goclick : Cleaned.


::Report end


And the hijackthis log...

Logfile of HijackThis v1.99.1
Scan saved at 8:09:45 PM, on 11/13/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\Scanner.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156784624531
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

How do we look?

Mr_JAk3
2006-11-14, 07:37
Hi again, it is looking quite good :)

You seem to have one Symantec (Norton) leftover running. You have uninstalled Symantec earlier, right?

We'll get rid of this leftover:

Open Notepad and copy the following lines into a new document:

@echo off
rem Stop the leftover Symantec service, then remove its registration
sc stop SymWSC
sc delete SymWSC

Save the document to your desktop as Removal.bat with file type: All Files
Go to your desktop, run the file Removal.bat and allow it to run.

Go to My Computer and delete the following folder (if present):
C:\Program Files\Common Files\wiwz

Then you have BearShare on your computer. The program is on the "infected/bundled" list here (http://p2p.malwareremoval.com/). I would recommend that you uninstall it. It is of course your call.

Reboot the computer.

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings, make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now, under "Select a target to scan", select My Computer.

The program will start and scan your system.
The scan will take a while, so be patient and let it run.
Once the scan is complete, it will display whether your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post along with a fresh HijackThis log.
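Two of the helper's steps in this thread rest on reading a HijackThis log by eye: the first reply picked out the O4 Run entries, the Startup shortcut and the O20 AppInit_DLLs line for Killbox, and the reply above spotted an O23 service left behind by an uninstalled product. The script below is an added example (not the helper's code, and not part of HijackThis) that parses those line types and marks entries for a human to look at. The sample lines are taken from the logs quoted in this thread; the review heuristics (long digit runs in a file name, an executable in the drive root, any AppInit_DLLs entry, a "(file missing)" reference, a service with "Unknown owner") are my own assumptions about what is worth a second look, not a verdict on any entry. Note that the SymWSC leftover is not flagged by them: only the helper's knowledge that Symantec had been uninstalled identified it, which is the limit of this kind of triage.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample input: HijackThis lines taken from the logs quoted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [win3209472341918] C:\WINDOWS\win3209472341918.exe
O4 - HKLM\..\Run: [loaddr] C:\topaff.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CMIntex] "C:\Program Files\CMIntex\CMIntex.exe"
O4 - Startup: TA_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O20 - AppInit_DLLs: flkeojlf.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
"""


@dataclass
class Entry:
    section: str      # HijackThis section code: O4, O20, O23, ...
    label: str        # Run value name, startup shortcut, DLL or service name
    path: str         # executable/DLL path as logged ('' if not parsed)
    raw: str          # the original log line
    owner: str = ""   # O23 only: the publisher string HijackThis reports


# Line shapes as they appear in the logs above (my regexes, not HijackThis's own format spec).
O4_RUN = re.compile(r"^O4 - (HK(?:LM|CU))\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O4_STARTUP = re.compile(r"^O4 - (?:Global )?Startup: (.+?) = (.*)$")
O20_APPINIT = re.compile(r"^O20 - AppInit_DLLs: (.*)$")
O23_SERVICE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.*)$")
GENERIC = re.compile(r"^([OR]\d+) - (.*)$")
DIGIT_RUN = re.compile(r"\d{8,}")


def first_token(command: str) -> str:
    """Return the program path from a Run command line, honouring quotes."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def parse_line(line: str) -> Optional[Entry]:
    """Turn one log line into an Entry; specific shapes are tried before the generic one."""
    m = O4_RUN.match(line)
    if m:
        return Entry("O4", m.group(2), first_token(m.group(3)), line)
    m = O4_STARTUP.match(line)
    if m:
        return Entry("O4", m.group(1), first_token(m.group(2)), line)
    m = O20_APPINIT.match(line)
    if m:
        return Entry("O20", m.group(1).strip(), m.group(1).strip(), line)
    m = O23_SERVICE.match(line)
    if m:
        return Entry("O23", m.group(1), m.group(3).strip(), line, owner=m.group(2))
    m = GENERIC.match(line)
    if m:
        return Entry(m.group(1), m.group(2), "", line)
    return None


def parse_log(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        e = parse_line(line.rstrip())
        if e:
            entries.append(e)
    return entries


def review_reasons(e: Entry) -> List[str]:
    """Heuristics that mark an entry for a human to look at; they are not a verdict."""
    reasons = []
    file_name = e.path.rsplit("\\", 1)[-1].lower()
    if DIGIT_RUN.search(file_name):
        reasons.append("long digit run in file name (randomised autorun name)")
    if re.fullmatch(r"[a-z]:\\[^\\]+\.exe", e.path.lower()):
        reasons.append("executable sitting directly in the drive root")
    if e.section == "O20":
        reasons.append("AppInit_DLLs entry: DLL is loaded into every process that loads user32.dll")
    if "(file missing)" in e.raw:
        reasons.append("referenced file is missing: orphaned entry")
    if e.section == "O23" and e.owner.lower() == "unknown owner":
        reasons.append("service has no publisher recorded: confirm where it came from")
    return reasons


def triage(text: str) -> List[Tuple[Entry, List[str]]]:
    """Return only the entries that earned at least one review reason."""
    flagged = []
    for e in parse_log(text):
        reasons = review_reasons(e)
        if reasons:
            flagged.append((e, reasons))
    return flagged


if __name__ == "__main__":
    for e, reasons in triage(SAMPLE_LOG):
        print(f"[{e.section}] {e.label}")
        for r in reasons:
            print(f"    - {r}")
```

Run against the sample, it flags the randomised-name Run entry, the root-level topaff.exe, the AppInit_DLLs DLL, the orphaned msnim protocol handler and the unsigned Belkin service, and leaves the AVG, CMIntex, startup-shortcut and SymWSC lines alone. The point of keeping the reasons as a list rather than a score is that each flag says what a reviewer should go and check, in the same way the helper's posts tell the user which file or folder to look at.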

mhoffee
2006-11-14, 18:38
;)

When I clicked removal.bat from my desktop, a DOS window briefly flashed on the screen, but there was never a prompt to 'allow it to run'. I assume it ran.

I would like to remove BearShare. It does not show up under Control Panel/Add or Remove Programs. It does not show up if I click Start/Programs either. If I explore C:\programs, there is a folder titled bearshare with files in it. Should I just delete the folder?

I am curious why all these different programs are finding viruses. Are they all different viruses or are they just the same virus reinstalling themselves? In other words, when this all gets cleaned up, will there be one antivirus / spam program that I can use or will I need to keep using 3-5 programs to keep clean? :red:

Here are the new logs... Thanks for your help!!! :bigthumb:

OK, I just tried to post the logs and I get an error message that the text is too long "The text that you have entered is too long (33489 characters). Please shorten it to 20000 characters long."

I will break it up into two posts...

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, November 14, 2006 10:19:20 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 14/11/2006
Kaspersky Anti-Virus database records: 241476
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 52097
Number of viruses found: 13
Number of infected objects: 56 / 0
Number of suspicious objects: 4
Duration of the scan process: 00:50:37

Infected Object Name / Virus Name / Last Action
C:\!KillBox\Setup90.exe/data0002 Infected: Trojan.Win32.VB.tg skipped
C:\!KillBox\Setup90.exe/data0005 Infected: Trojan.Win32.VB.tg skipped
C:\!KillBox\Setup90.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\!KillBox\Setup90.exe NSIS: infected - 3 skipped
C:\!KillBox\srvabxdsvk.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.es skipped
C:\!KillBox\srvabxdsvk.exe NSIS: infected - 1 skipped
C:\!KillBox\srvlnlncnh.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.es skipped
C:\!KillBox\srvlnlncnh.exe NSIS: infected - 1 skipped
C:\!KillBox\srvwprwrsv.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.es skipped
C:\!KillBox\srvwprwrsv.exe NSIS: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0723997d656887c95b680458819971c2_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0737d5e5abb32a8137dba98540612422_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0b51246bb3c8a7337377ab52a74e7d2f_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0c287a9daab83550e121260c87e1505c_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0c74919c2cdcdf98d7b0c89fe72691c7_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0d3ebc9ee97e8a68ff9236e2b8d97e54_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0e61e519f18a78bdaafa8b1ccb239b84_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\119900a3106890dfba0110e404510ef9_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\12a12ec3669f65560394cb8f92441037_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\136713ec1288b19d14bef6979b7cbb84_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2009eaa5c61535d2a23e73d40d814fc3_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2080a7f060ecdc8b5fa5b32386a48053_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\21bf8c83bcc6609c826c7ef4b1845140_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\25a5704d697c604133cf4ef1e1963b0b_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\26d25816788fa9b967d02977d458cc96_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2e8d2cd767e84e425057b6b5e990902b_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2fcc289bcb92827c4e5bf20f7c0f3dce_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\30f37966095e48a84690293c22069031_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\33945f1bf67aa3c7839beafc0b979503_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\355c3bcf2de2f54e27c5460f23dfa84d_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3898fe68f9c9a047feb7b12887328440_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\393ea63d6dd4b481e9379300b3f7dc3d_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3a5828a9fe45f0f883122645c737b469_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3af7ccea528f0e7eefcb33e8b8e7b729_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\43e9cc6fb26a8269c1cb9c27d2fe47d2_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4489abdc146f909c733cc115092a7f10_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\45217620af22e9ee248b7a8005f432e3_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\45f49f5ea98fbcd7315b741d5f0c92c5_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4a2a0efee1a974625411dab9b11d30a6_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4b5c275059e51d460e2ff1125c3a9e28_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\504d6cfa4a15e41f0da37e44d4ad80c6_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\573f991276138cddf398475197d8bb62_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5963318598f33d79ea32cef34a6d9671_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5ad4a890567fbf43e42ed24c8baa7dc8_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5cce8b473aec757ab5099541923809c3_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5e8d1765bc38655a957e951145c9cc0b_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5f2ef3f4687f33b929ae5ee979348f50_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6369cbf79ad5eb1c76658520d2c73fd5_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\63ca21dafdc5c24343ae758e879806b6_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\667ec5598af196204524895c8f925cab_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6806d377dc207e8e0dbb8975d27e982c_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\69e6cc827367adf58f9421d5c866bfed_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6db6fdccd096e80c0252375759c8bc58_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6e60ead1e1538d984895822cdbf5d2ba_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6edb3d181a56085ec842871179f9ba09_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\713309caadcb6f3b00954451e195fbfc_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7a7aeca3c6f71311596552b091394eb7_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7b5aa8570f38e5c838a0cb874847d23d_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7c0965e7e27d6ef49fe8ef7d2c48ff18_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7cfa7599b79814da31ad5bf97eccd628_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8287983074bbb6aea632a703c0031660_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\83fcdb6c57a38f48c9cbf9675194d697_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\85ded75324fff8cde72ef7af6832eb0c_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8bcb1866e85d0f439c377436323ed5ce_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8d1c2f38ab0b3facea44b9907da8be51_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8d517c0cd1448f0ec8ab7e8a1fbdc793_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8facab0c9f53a39e352c5a8b9da7df96_5b240077-0201-4617-a2bf-c4c4b5ef6472 Object is locked skipped

mhoffee
2006-11-14, 18:40
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PurityScan.zip/offun.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PurityScan.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos6.zip/stdrun2.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos6.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Todd\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\History\History.IE5\MSHist012006111420061115\index.dat Object is locked skipped
C:\Documents and Settings\Todd\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Todd\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Todd\ntuser.dat.LOG Object is locked skipped
C:\RECYCLER\NPROTECT\00025956.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\RECYCLER\NPROTECT\00025956.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\RECYCLER\NPROTECT\00025956.exe NSIS: infected - 2 skipped
C:\RECYCLER\NPROTECT\00026408.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\RECYCLER\NPROTECT\00026408.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\RECYCLER\NPROTECT\00026408.exe NSIS: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP127\A0047829.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.EZula.cc skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP127\A0047829.exe/stream Infected: not-a-virus:AdWare.Win32.EZula.cc skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP127\A0047829.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0048280.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.EZula.cc skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0048280.exe/stream Infected: not-a-virus:AdWare.Win32.EZula.cc skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0048280.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0048284.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.p skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0048284.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0048364.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.es skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0048364.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0048365.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.es skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0048365.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0048366.exe/data0002 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0048366.exe/data0005 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0048366.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0048366.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0048368.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.es skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0048368.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0049377.dll Infected: not-a-virus:AdWare.Win32.Agent.e skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0049378.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0049379.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0049380.EXE Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0049381.EXE Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0049382.EXE Infected: not-a-virus:AdWare.Win32.ZenoSearch.s skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0049383.EXE Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0049384.exe Infected: not-a-virus:AdWare.Win32.CASClient.p skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\A0049385.ocx Infected: Trojan-Dropper.Win32.VB.dq skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP132\change.log Object is locked skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP91\A0043436.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP91\A0043469.EXE/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP91\A0043469.EXE/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP91\A0043469.EXE/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP91\A0043469.EXE/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP91\A0043469.EXE/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP91\A0043469.EXE RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP91\A0043480.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP91\A0043480.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP91\A0043480.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP91\A0043535.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP91\A0043535.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{5D42AEA8-7E71-498B-9400-E615B6D9054B}\RP91\A0043535.exe NSIS: infected - 2 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{D8A689B1-25A7-4A46-B89F-076424070D72}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


*******************************************************
hijackthis file log ...
*******************************************************

Logfile of HijackThis v1.99.1
Scan saved at 10:20:03 AM, on 11/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [BearShare] "C:\Program Files\BearShare\BearShare.exe" /pause
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156784624531
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

Mr_JAk3
2006-11-14, 20:05
Hi again :)

Ok looks really good now :)


When I clicked removal.bat from my desktop, a DOS window briefly flashed on the screen, but there was never a prompt to 'allow it to run'. I assume it ran.
That's ok, the service was successfully removed :)


I would like to remove bearshare. It does not show up under control panel/add remove programs. It does not show up if I click start/programs either. If I explore C:\programs, there is a folder titled bearshare with files in it. Should I just delete the folder?
That's great, we'll remove it.


I am curious why all these different programs are finding viruses. Are they all different viruses or are they just the same virus reinstalling themselves? In other words, when this all gets cleaned up, will there be one antivirus / spam program that I can use or will I need to keep using 3-5 programs to keep clean?
No single scanner is 100% effective. I recommend the use of at least 2 different scanners...

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O4 - HKLM\..\Run: "C:\Program Files\BearShare\BearShare.exe" /pause

Go to the My Computer and delete the following folders (if present):
C:\Program Files\BearShare

You don't seem to have a firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) running; you must install one.
NOTE: If you're using Windows XP firewall, I recommend that you install a better firewall. Windows firewall doesn't really provide enough protection.
Disable Windows firewall after installing a new firewall.

These are good (free) firewalls: Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)

Then you should update your Java to the latest version (5.0 update 9):
Start
Control Panel
Add/Remove Programs
Delete the old Java, J2SE Runtime Environment 5.0 Update 8
Download the latest version of Java Runtime Environment (JRE) 5.0 Update 9 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it

Reboot the computer and post one more HijackThis log here just in case.
Let me know how things are running :bigthumb:

mhoffee
2006-11-15, 03:06
My computer is running great :D:

You've really helped me a ton! :bigthumb:

but I ran spybot again and it still shows cmdservice :eek: .

Logfile of HijackThis v1.99.1
Scan saved at 6:59:52 PM, on 11/14/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hoffee.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156784624531
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

Mr_JAk3
2006-11-15, 08:10
Ok let's get rid of the cmdservice....

Please download and unzip Ren-cmdservice to your desktop.
http://downloads.subratam.org/Lon/ren-cmdservice.zip
Open the ren-cmdservice folder by double-clicking it and then double-click the
ren-cmdservice.bat file to run the program.
A text will open when it is finished. Post it, please.
Then restart the PC, run SpyBot, check for and fix any problems found.
When next you check for problems it won't or shouldn't be there.
Alternate download:
http://www.bleepingcomputer.com/files/lonny/ren-cmdservice.zip

Please let me know how it went :bigthumb:
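
As an added example (not part of this thread and not the ren-cmdservice tool, which is a batch file), the check below shows what such a cleanup has to cover: a service key can survive in HKLM\SYSTEM\ControlSet001, ControlSet002 and CurrentControlSet independently, which is why the Spybot results earlier in the thread list three keys for one service. The script is PowerShell, assumes an elevated prompt, defaults the service name to the cmdService from this thread, and only reads the registry unless -Remove is given; the ImagePath parsing is a labelled heuristic, not a Windows API.

```powershell
# Added example, not code from this thread or from ren-cmdservice.bat.
# Lists every ControlSet hive that still carries a service key of the given name,
# reports its ImagePath (the file the service would launch) and whether that file
# exists, and removes the key(s) only when -Remove is given. Run from an elevated
# PowerShell prompt; without -Remove it only reads the registry.
param(
    [string]$ServiceName = 'cmdService',  # name from the Spybot results earlier in the thread
    [switch]$Remove                        # opt-in: delete the key(s) after reviewing the listing
)

# Heuristic: turn a raw ImagePath value into a filesystem path Test-Path understands.
function Resolve-ImagePath([string]$Image) {
    if (-not $Image) { return $null }
    $p = $Image.Trim() -replace '^\\\?\?\\', ''                    # strip the NT "\??\" prefix
    if ($p.StartsWith('"')) { $p = $p.Substring(1).Split('"')[0] } # quoted path: keep what is inside
    else { $p = ($p -split ' -| /')[0] }                            # unquoted: drop " -x" / " /x" switches
    $p = [Environment]::ExpandEnvironmentVariables($p)
    if ($p -notmatch '^[A-Za-z]:\\') { $p = Join-Path $env:SystemRoot $p }  # e.g. system32\drivers\foo.sys
    return $p
}

# CurrentControlSet is a link to one ControlSet00N; the other sets are the
# "Last Known Good" copies, which is where a leftover like the ControlSet002 hit survives.
$keys = @(Get-ChildItem 'HKLM:\SYSTEM' |
          Where-Object { $_.PSChildName -like 'ControlSet0*' } |
          ForEach-Object { "HKLM:\SYSTEM\$($_.PSChildName)\Services\$ServiceName" })
$keys += "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"

$found = foreach ($k in $keys) {
    if (-not (Test-Path -Path $k)) { continue }
    $v      = Get-ItemProperty -Path $k
    $file   = Resolve-ImagePath $v.ImagePath
    $exists = $false
    if ($file) { $exists = Test-Path -LiteralPath $file }
    $shown  = if ($v.ImagePath) { $v.ImagePath } else { '(No Image Path Listed in Registry)' }
    [pscustomobject]@{
        Key        = $k
        ImagePath  = $shown
        Start      = $v.Start        # 2 = automatic, 3 = manual, 4 = disabled, empty = not set
        FileExists = $exists
    }
}

if (-not $found) {
    Write-Host "No '$ServiceName' key in any ControlSet: nothing left to clean."
    return
}
$found | Format-Table -AutoSize

# If the service control manager still knows the service, it has to be stopped and
# unregistered first; deleting the key underneath a running service is not enough.
$svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
if ($svc) { Write-Host "SCM still lists '$ServiceName' (status: $($svc.Status))." }

if ($Remove) {
    if ($svc -and $svc.Status -ne 'Stopped') {
        Stop-Service -Name $ServiceName -Force -ErrorAction SilentlyContinue
    }
    if ($svc) { sc.exe delete $ServiceName | Out-Null }   # removes it from the live set
    foreach ($f in $found) {
        # Deleting under CurrentControlSet also deletes the linked ControlSet00N copy,
        # so re-check before each removal instead of assuming the key is still there.
        if (Test-Path -Path $f.Key) {
            Remove-Item -Path $f.Key -Recurse -Force
            Write-Host "Deleted $($f.Key)"
        }
    }
    Write-Host "Restart the PC, then re-run this script without -Remove to confirm the key stayed gone."
}
```

The read-only default matters: a service key with no ImagePath and no file on disk (the "No Image Path Listed in Registry" case the tool output below reports) is the pattern of a leftover, whereas a key whose ImagePath points at a signed file under Program Files deserves a second look before anything is deleted. Running the script again after the reboot is the equivalent of the "check for problems" step in the post above.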

mhoffee
2006-11-15, 15:15
Running from C:\Documents and Settings\Todd\Desktop\ren-cmdservice\ren-cmdservice
No Image Path Listed in Registry

-----------------
Deleting cmdservice key
cmdservice key deleted
..
-----------------
Commandline utilities (SWReg and SWSC)
Written by Bobbi Flekman © 2005
-----------------
Finised, Post this text then
Please Restart your PC
ren-cmdservice.bat edited 6-25-2006
-----------------


Logfile of HijackThis v1.99.1
Scan saved at 7:09:57 AM, on 11/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\hijackthis\Scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://hoffee.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by108fd.bay108.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1156784624531
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

Mr_JAk3
2006-11-15, 15:57
Hi again, it is looking clean now :)

Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.
You can remove the following backup folder, C:\!Killbox

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

=============

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster, safer and better browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.

Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

Read this article by TonyKlein (http://castlecops.com/postlite7736-.html)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)

mhoffee
2006-11-16, 19:44
Thank You! You have provided me with an incredible service. Can you please leave this thread up for a little while so I can complete all the final downloads?

BEST REGARDS...

:D: :D: :D: :D:

Mr_JAk3
2006-11-16, 19:58
You're very welcome, nice that we were able to help :)

Yes I'll keep this open, please let me know when I can archive it :bigthumb:

mhoffee
2006-11-19, 08:37
All Done. Thanks again!

Mr_JAk3
2006-11-19, 15:34
As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: