PDA

View Full Version : two.exe and suspected other spywares and trojans



kari.kentang
2006-12-05, 12:13
Dear Experts,
Need your expertise and advise to help clean my cousin's laptop. Using WinXP Home Edition SP2. IE will pop up occassionally with some unidentified URL. Suspect browser hijacked. Am unable to run Panda Activescan. Not sure why. It stopped with 'error on page' at Select a Device for scan. Used eTrust instead, had not attempt any cleaning yet. Also ran Spybot in Safe mode and attempted to fix whatever detected. Would greatly appreciate any advise and help rendered. Thanking in advance.

Here is eTrust log:

Scan Results: 50712 files scanned. 45 viruses were detected.

File Infection Status Path
two.exe Win32/Secdrop.MW infected C:\Documents and Settings\cel\Desktop\
333333[1].htm JS/MHTMLRedir!exploit infected C:\Documents and Settings\cel\Local Settings\Temporary Internet Files\Content.IE5\A9ANFVMS\
A0004561.exe Win32/Thoog.LG infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\
A0004562.exe Win32/Licat.X infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\
A0004572.exe Win32/Canbede.M infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\
A0004574.exe Win32/SillyDl.YQ infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\
A0004578.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\
A0004584.exe Win32/Thoog.LB infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\
A0004591.exe Win32/Licat.U infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\
A0004592.exe Win32/Thoog.KX infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\
A0004593.exe Win32/Thoog.KW infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\
A0004599.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\
A0004600.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\
A0004625.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\
A0004626.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\
A0004634.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\
A0004639.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\
A0004676.exe Win32/Thoog.KU infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\
A0004678.exe Win32/SillyDl.YQ infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\
A0004680.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\
A0004688.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\
A0004756.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
A0004769.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
A0004776.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
A0004783.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
A0004787.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
A0004792.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
A0004799.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
A0004805.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
A0004812.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
A0004818.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
A0004824.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
A0004830.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
A0004834.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
A0004842.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
A0004887.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
A0004893.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
A0004901.exe Win32/NetMon.A infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
A0004905.exe Win32/Thoog.ME infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
A0004909.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
A0004968.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
A0004976.exe Win32/Secdrop.MW infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
A0004979.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
A0004992.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\
A0004998.dll Win32/Canbede infected C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\


Here is HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 05:53:36 PM, on 05/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\windows_e53.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\cel\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://pc.support.global.toshiba.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LaunchApp] launchapp
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [windows] C:\\windows_e53.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e54.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_e90.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrff_e90.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: BITS - C:\WINDOWS\
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\jtp0077me.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

kari.kentang
2006-12-05, 13:55
Hi again, did another round of spybot scanning. Here are the logs done earlier in safe mode and later in normal mode. Really hope for any advises and help with this. Many thanks again.

SafeMode Scan:
05.12.2006 17:45:42 - ##### check started #####
05.12.2006 17:45:42 - ### Version: 1.4
05.12.2006 17:45:42 - ### Date: 05/12/2006 17:45:42
05.12.2006 17:45:42 - ##### checking bots #####
05.12.2006 17:46:56 - found: Command Service Data
05.12.2006 17:46:56 - found: Command Service Autorun settings
05.12.2006 17:46:56 - found: Command Service Program file
05.12.2006 17:46:56 - found: Command Service Settings
05.12.2006 17:46:56 - found: Command Service Settings
05.12.2006 17:46:56 - found: Command Service Settings
05.12.2006 17:47:30 - found: Smitfraud-C. Autorun settings (defender)
05.12.2006 17:47:30 - found: Smitfraud-C. Autorun settings (keyboard)
05.12.2006 17:48:04 - found: Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify Settings
05.12.2006 17:50:11 - ##### check finished #####

--- Report generated: 2006-12-05 17:50 ---

Command Service: Data (File, nothing done)
C:\windows\newname.dat

Command Service: Autorun settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newname

Command Service: Program file (File, nothing done)
C:\\nwnmff_e54.exe

Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService

Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\cmdService

Command Service: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\cmdService

Smitfraud-C.: Autorun settings (defender) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\defender

Smitfraud-C.: Autorun settings (keyboard) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\keyboard

Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Settings (Registry change, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-12-05 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-12-01 Includes\Cookies.sbi (*)
2006-10-13 Includes\Dialer.sbi (*)
2006-12-01 Includes\DialerC.sbi (*)
2006-11-24 Includes\Hijackers.sbi (*)
2006-12-01 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-12-01 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-10-13 Includes\Malware.sbi (*)
2006-12-01 Includes\MalwareC.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-12-01 Includes\PUPSC.sbi (*)
2006-12-01 Includes\Revision.sbi (*)
2006-10-13 Includes\Security.sbi (*)
2006-12-01 Includes\SecurityC.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-12-01 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-12-01 Includes\Trojans.sbi (*)
2006-12-01 Includes\TrojansC.sbi (*)


Normal mode Scan:
05.12.2006 19:23:02 - ##### check started #####
05.12.2006 19:23:02 - ### Version: 1.4
05.12.2006 19:23:02 - ### Date: 05/12/2006 07:23:02 PM
05.12.2006 19:23:02 - ##### checking bots #####
05.12.2006 19:24:37 - found: Command Service Autorun settings
05.12.2006 19:24:53 - found: Look2Me.Topconverting Temporary file
05.12.2006 19:25:26 - found: Command Service Settings
05.12.2006 19:25:35 - found: Smitfraud-C. Autorun settings (defender)
05.12.2006 19:25:35 - found: Smitfraud-C. Autorun settings (keyboard)
05.12.2006 19:29:50 - ##### check finished #####


--- Report generated: 2006-12-05 19:29 ---

Command Service: Autorun settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newname

Look2Me.Topconverting: Temporary file (File, nothing done)
C:\WINDOWS\system32\guard.tmp

Command Service: Settings (Registry value, nothing done)
HKEY_USERS\S-1-5-21-229516171-2466090699-1829343848-1006\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:\nwnmff_e??.exe

Smitfraud-C.: Autorun settings (defender) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\defender

Smitfraud-C.: Autorun settings (keyboard) (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\keyboard


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-12-05 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2006-12-01 Includes\Cookies.sbi (*)
2006-10-13 Includes\Dialer.sbi (*)
2006-12-01 Includes\DialerC.sbi (*)
2006-11-24 Includes\Hijackers.sbi (*)
2006-12-01 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2006-12-01 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2006-10-13 Includes\Malware.sbi (*)
2006-12-01 Includes\MalwareC.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2006-12-01 Includes\PUPSC.sbi (*)
2006-12-01 Includes\Revision.sbi (*)
2006-10-13 Includes\Security.sbi (*)
2006-12-01 Includes\SecurityC.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2006-12-01 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-12-01 Includes\Trojans.sbi (*)
2006-12-01 Includes\TrojansC.sbi (*)

Rgs,
Kari

Mr_JAk3
2006-12-05, 15:01
Hi kari.kentang and welcome to Safer Networking Forums :)

You got infections there.....

Disable Spybot S&D Teatimer. (may interfere with our cleaning process)
Run Spybot-S&D in Advanced Mode
If it is not already set to do this, go to the Mode menu select "Advanced Mode"
On the left hand side, click on Tools
Then click on the Resident icon in the list
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

kari.kentang
2006-12-05, 15:24
Dear Warrior, tks for your help. I have unchecked the Tea Timer in Spybot and ran the ComboFix. Below pls find the combofix log. Thanks.


cel - 06-12-05 21:17:35.35 Service Pack 2
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\cel\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{5E315E10-D62C-495E-A3E3-FD26BC5CBCEF}]
@=""

[HKEY_CLASSES_ROOT\clsid\{5E315E10-D62C-495E-A3E3-FD26BC5CBCEF}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{5E315E10-D62C-495E-A3E3-FD26BC5CBCEF}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{5E315E10-D62C-495E-A3E3-FD26BC5CBCEF}\InprocServer32]
@="C:\\WINDOWS\\system32\\bnsendto_office.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{02E874E6-F5D4-49BE-B2D4-B18531A941C3}]
@=""

[HKEY_CLASSES_ROOT\clsid\{02E874E6-F5D4-49BE-B2D4-B18531A941C3}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{02E874E6-F5D4-49BE-B2D4-B18531A941C3}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{02E874E6-F5D4-49BE-B2D4-B18531A941C3}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{419F22E9-2EB5-4654-8239-A2ED4FA3FEA4}]
@=""

[HKEY_CLASSES_ROOT\clsid\{419F22E9-2EB5-4654-8239-A2ED4FA3FEA4}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{419F22E9-2EB5-4654-8239-A2ED4FA3FEA4}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{419F22E9-2EB5-4654-8239-A2ED4FA3FEA4}\InprocServer32]
@="C:\\WINDOWS\\system32\\pprfdisk.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{E9FEDF17-CB8E-4526-B1D6-3CBA9C361886}]
@=""

[HKEY_CLASSES_ROOT\clsid\{E9FEDF17-CB8E-4526-B1D6-3CBA9C361886}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{E9FEDF17-CB8E-4526-B1D6-3CBA9C361886}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{E9FEDF17-CB8E-4526-B1D6-3CBA9C361886}\InprocServer32]
@="C:\\WINDOWS\\system32\\igput.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\system32\bnsendto_office.dll
C:\WINDOWS\system32\cobjmon.dll
C:\WINDOWS\system32\h0n0la5m1d.dll
C:\WINDOWS\system32\igput.dll
C:\WINDOWS\system32\r0r60a9sed.dll
C:\WINDOWS\system32\guard.tmp_tobedeleted


Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\deskbar_e70.exe
C:\deskbar_e90.exe
C:\nwnmff_e53.exe
C:\ac3_0010.exe
C:\RDFX4.exe
C:\Installer5.exe
C:\Program Files\Deskbar


((((((((((((((((((((((((((((((( Files Created from 2006-11-05 to 2006-12-05 ))))))))))))))))))))))))))))))))))


2006-12-05 16:59 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-12-05 14:33 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2006-12-05 13:07 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-05 13:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-11-29 22:39 52,161 --a------ C:\Documents and Settings\cel\mt-uninstaller.exe
2006-11-10 20:22 430,080 --a------ C:\windows_e53.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-12-05 21:14 -------- d-------- C:\Program Files\Common Files
2006-12-05 12:03 -------- d-------- C:\Program Files\Mozilla Firefox
2006-11-27 23:50 -------- d-------- C:\Program Files\Internet Explorer
2006-11-27 22:11 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-11-10 22:24 -------- d-------- C:\Program Files\MSN Messenger
2006-10-20 19:32 -------- d-------- C:\Documents and Settings\cel\Application Data\DivX
2006-10-20 19:25 -------- d-------- C:\Program Files\DivX
2006-10-13 20:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll
2006-10-07 23:33 -------- d-------- C:\Program Files\Symantec
2006-10-03 03:04 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-10-03 03:04 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-10-03 03:04 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-10-03 03:04 635486 --a------ C:\WINDOWS\system32\DivX.dll
2006-09-15 22:52 91904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-09-13 13:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"TOSCDSPD"="C:\\Program Files\\TOSHIBA\\TOSCDSPD\\toscdspd.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Norton SystemWorks"="\"C:\\Program Files\\Norton SystemWorks\\cfgwiz.exe\" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz"
"Yahoo! Pager"="\"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YAHOOM~1.EXE\" -quiet"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"LaunchApp"="launchapp"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"SmoothView"="C:\\Program Files\\TOSHIBA\\TOSHIBA Zooming Utility\\SmoothView.exe"
"NDSTray.exe"="NDSTray.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"Toshiba Hotkey Utility"="\"C:\\Program Files\\Toshiba\\Windows Utilities\\Hotkey.exe\" /lang en"
"PadTouch"="C:\\Program Files\\TOSHIBA\\Touch and Launch\\PadExe.exe"
"CFSServ.exe"="CFSServ.exe -NoClient"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"windows"="C:\\\\windows_e53.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Net Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - cel.job
C:\WINDOWS\tasks\Norton SystemWorks One Button Checkup.job
C:\WINDOWS\tasks\Symantec Drmc.job

Completion time: 06-12-05 21:19:31.73
C:\ComboFix.txt ... 06-12-05 21:19

Mr_JAk3
2006-12-05, 19:02
Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Please download Brute Force Uninstaller (http://www.merijn.org/files/bfu.zip) to your desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C: ) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE (http://metallica.geekstogo.com/alcanshorty.bfu) and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

==================

Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.
windows_e53.exe

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O4 - HKLM\..\Run: [windows] C:\\windows_e53.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e54.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdff_e90.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrff_e90.exe
O20 - Winlogon Notify: BITS - C:\WINDOWS\
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\
O20 - Winlogon Notify: ModuleUsage - C:\WINDOWS\
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\jtp0077me.dll

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following folders (if present):
C:\Documents and Settings\cel

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the scriptline to execute field click the folder icon http://metallica.geekstogo.com/foldericon.png and select alcanshorty.bfu
Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log

kari.kentang
2006-12-06, 17:53
Dear Mr_JAk3 sorry for the late response. Had carried out the instructions :) When tried to delete C:\Documents and Settings\cel, I encountered error. It says that cel is a windows system folder and is required for windows to run properly. It cannot be deleted. However, had tried to delete its contents as much as I can.

Here are the logs (Kindly refer to next post for HJT logs. Thanks!):

AVG AntiSpyware scan:
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:28:16 PM 06/12/2006

+ Scan result:



C:\WINDOWS\Y2Vs\asappsrv.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\WINDOWS\Y2Vs\command.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004571.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004572.exe -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004573.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004575.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004576.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004578.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004596.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004599.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004600.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\A0004625.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\A0004626.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\A0004634.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\A0004639.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\A0004680.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\A0004688.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004756.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004767.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004769.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004776.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004783.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004787.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004792.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004799.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004805.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004812.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004818.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004824.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004830.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004834.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004842.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004887.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004893.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004909.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004968.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004979.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004992.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004998.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005057.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005126.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005136.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005137.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005149.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005150.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005249.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005250.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005251.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005252.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005253.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004560.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\A0004677.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005461.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004569.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\A0004674.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004806.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004807.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004885.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004899.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004765.exe -> Adware.Zestyfind : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004591.exe -> Backdoor.MSNMaker.w : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004597.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004906.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004907.exe -> Downloader.Adload.fu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004831.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004832.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004843.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004844.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004845.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004846.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004894.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004895.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004896.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004897.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005518.exe -> Downloader.Adload.fy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\A0004676.exe -> Downloader.Adload.gw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004561.exe -> Downloader.Adload.hd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004905.exe -> Downloader.Adload.ik : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\A0004641.exe -> Downloader.Adload.ncp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004902.exe -> Downloader.Adload.ncp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005230.exe -> Downloader.Adload.ncy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004574.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\A0004678.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004584.exe -> Downloader.VB.afl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004976.exe -> Dropper.PurityScan.ah : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005509.exe -> Dropper.PurityScan.ah : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004901.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004592.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004593.exe -> Trojan.Pakes : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004766.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0004900.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004562.exe -> Worm.Licat.h : Cleaned with backup (quarantined).


::Report end


Rgds,
Kari

kari.kentang
2006-12-06, 17:55
Fresh HJT log:

New HighjackThis Log:
Logfile of HijackThis v1.99.1
Scan saved at 11:33:42 PM, on 06/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
C:\WINDOWS\system32\DVDRAMSV.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe
C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\igfxext.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\RAMASST.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\cel\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://pc.support.global.toshiba.com/
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [LaunchApp] launchapp
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SmoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe
O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Toshiba Hotkey Utility] "C:\Program Files\Toshiba\Windows Utilities\Hotkey.exe" /lang en
O4 - HKLM\..\Run: [PadTouch] C:\Program Files\TOSHIBA\Touch and Launch\PadExe.exe
O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Norton SystemWorks] "C:\Program Files\Norton SystemWorks\cfgwiz.exe" /GUID {05858CFD-5CC4-4ceb-AAAF-CF00BF39736A} /MODE CfgWiz
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: RAMASST.lnk = C:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Rdgs,
Kari

Mr_JAk3
2006-12-06, 20:59
Hi again, looks better :)
How is the computer running ?

I made a mistake, sorry. Please delete the following file if found, not the whole "cel" folder, C:\Documents and Settings\cel\mt-uninstaller.exe
If you have the things you deleted in your recycle bin, please restore those. Sorry again.

Delete the following folder if found:
C:\WINDOWS\Y2Vs

Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under select a target to scan:Select My Computer

This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

kari.kentang
2006-12-07, 05:14
Hi, no worries...so far the computer seems to be working fine. No more popups. Am doing the Kaspersky now. Will be posting the logs soon :) Y2Vs folder not found already. Had deleted the mt_uninstaller.exe as well :)

Thanks so much again for being here for us!

Rdgs,
Kari

kari.kentang
2006-12-07, 05:29
Hi again. Here's the Kaspersky Log: (Need to break it into 2 parts)
--------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, December 07, 2006 11:17:02 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 7/12/2006
Kaspersky Anti-Virus database records: 248666
--------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 38017
Number of viruses found: 19
Number of infected objects: 131 / 0
Number of suspicious objects: 8
Duration of the scan process: 00:25:47

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\XPreload.zip/mc44a54.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\XPreload.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\XPreload1.zip/mc44a53.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\XPreload1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-12-07_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\cel\Application Data\Spybot - Search & Destroy\Recovery\XPreload.zip/mc44a54.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\cel\Application Data\Spybot - Search & Destroy\Recovery\XPreload.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\cel\Application Data\Spybot - Search & Destroy\Recovery\XPreload1.zip/mc44a53.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\cel\Application Data\Spybot - Search & Destroy\Recovery\XPreload1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\cel\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\cel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\cel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\cel\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\cel\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\cel\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\cel\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\13D4240C.exe Infected: Trojan-Dropper.Win32.PurityScan.q skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\21295889.exe Infected: Trojan-Dropper.Win32.Small.auc skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\28A0596B.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\333056DF.exe/Stream/data0001 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\333056DF.exe/Stream/data0002 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\333056DF.exe/Stream Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\333056DF.exe Inno: infected - 3 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\333056DF.exe CryptFF: infected - 3 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3FB73999.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42563223.exe/Stream/data0001 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42563223.exe/Stream/data0002 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42563223.exe/Stream Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42563223.exe Inno: infected - 3 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42563223.exe CryptFF: infected - 3 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42595C1F.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42595C1F.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42595C1F.exe NSIS: infected - 2 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42595C1F.exe CryptFF: infected - 2 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42595C1F.tmp/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42595C1F.tmp/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42595C1F.tmp NSIS: infected - 2 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\42595C1F.tmp CryptFF: infected - 2 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\425C061C.exe Infected: Trojan-Downloader.Win32.Adload.gw skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\425F3018.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\47380D97.exe Infected: Trojan-Dropper.Win32.PurityScan.q skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\488478AB.exe Infected: not-a-virus:AdWare.Win32.Zestyfind skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\488A4CA3.com Infected: not-a-virus:AdWare.Win32.Zestyfind skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\488D76A0.exe Infected: Trojan-Downloader.Win32.Adload.ik skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4891209C.exe Infected: not-a-virus:AdWare.Win32.Zestyfind skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\48944A99.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\599C020B.exe Infected: Trojan-Downloader.Win32.Adload.gw skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5B1B0DBA.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5B7A6636.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5E2432A7.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5F92257F.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.u skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5F92257F.exe NSIS: infected - 1 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5F92257F.exe CryptFF: infected - 1 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\62D66166.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\66CA67DE.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\66CA67DE.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\66CA67DE.exe/stream/data0005 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\66CA67DE.exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\66CA67DE.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\66CA67DE.exe NSIS: infected - 5 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\66CA67DE.exe CryptFF: infected - 5 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\66E861BD.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6A3935AE.exe Infected: Trojan.Win32.Pakes skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6A7A7D66.exe Infected: Trojan.Win32.Pakes skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6A872557.exe Infected: Trojan.Win32.Pakes skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6E5E1F9B.exe Infected: Trojan-Dropper.Win32.PurityScan.q skipped

----- END of Part 1 -----

kari.kentang
2006-12-07, 05:30
Kaspersky log Part 2:

----- Start of Part 2 -----

C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6E8250F6.exe Infected: Trojan.Win32.Pakes skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6EFB6271.exe Infected: Trojan.Win32.Pakes skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\74591D3A.exe Infected: not-a-virus:AdWare.Win32.Zestyfind skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\745C4736.com Infected: not-a-virus:AdWare.Win32.Zestyfind skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\745C4736.exe/Stream/data0001 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\745C4736.exe/Stream/data0002 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\745C4736.exe/Stream Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\745C4736.exe Inno: infected - 3 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\745C4736.exe CryptFF: infected - 3 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\745F7133.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\745F7133.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\745F7133.exe NSIS: infected - 2 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\745F7133.exe CryptFF: infected - 2 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\74631B2F.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\74631B2F.tmp/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\74631B2F.tmp/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\74631B2F.tmp NSIS: infected - 2 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\74631B2F.tmp CryptFF: infected - 2 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7466452C.exe/Stream/data0001 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7466452C.exe/Stream/data0002 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7466452C.exe/Stream Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7466452C.exe Inno: infected - 3 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7466452C.exe CryptFF: infected - 3 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\74696F28.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\74696F28.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\746D1924.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\746D1924.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\74704321.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\77B13744.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.u skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\77B13744.exe NSIS: infected - 1 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\77B13744.exe CryptFF: infected - 1 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\77B56140.tmp/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\77B56140.tmp/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\77B56140.tmp NSIS: infected - 2 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\77B56140.tmp CryptFF: infected - 2 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\77B80B3D.exe Infected: not-a-virus:AdWare.Win32.Zestyfind skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\77B80B3D.mp3 Infected: Trojan-Dropper.Win32.PurityScan.ah skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\77BB3539.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\77BE5F36.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\79EF5B99.exe Infected: Trojan-Downloader.Win32.Adload.fu skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7A5559F3.exe Infected: Backdoor.Win32.MSNMaker.w skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7A5903EF.pif Infected: Backdoor.Win32.MSNMaker.w skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7A662BE1.exe/Stream/data0001 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7A662BE1.exe/Stream/data0002 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7A662BE1.exe/Stream Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7A662BE1.exe Inno: infected - 3 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7A662BE1.exe CryptFF: infected - 3 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7A6955DD.tmp/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7A6955DD.tmp/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7A6955DD.tmp NSIS: infected - 2 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7A6955DD.tmp CryptFF: infected - 2 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7A6C7FDA.exe Infected: Trojan-Downloader.Win32.Adload.fu skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7A6C7FDA.mp3 Infected: Trojan-Downloader.Win32.Adload.hd skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7A7029D6.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7A7029D6.exe/Stream/data0001 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7A7029D6.exe/Stream/data0002 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7A7029D6.exe/Stream Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7A7029D6.exe Inno: infected - 3 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7A7029D6.exe CryptFF: infected - 3 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7A7353D2.exe Infected: Trojan-Downloader.Win32.VB.afl skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7A767DCF.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.u skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7A767DCF.exe NSIS: infected - 1 skipped
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7A767DCF.exe CryptFF: infected - 1 skipped
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004570.exe/deskbar.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004570.exe/deskbar.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004570.exe/deskbar.exe Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP31\A0004570.exe ZIP: infected - 3 skipped
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\A0004675.exe/deskbar.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\A0004675.exe/deskbar.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\A0004675.exe/deskbar.exe Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP32\A0004675.exe ZIP: infected - 3 skipped
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005227.exe/deskbar.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005227.exe/deskbar.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005227.exe/deskbar.exe Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005227.exe ZIP: infected - 3 skipped
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005228.exe/deskbar.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005228.exe/deskbar.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005228.exe/deskbar.exe Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005228.exe ZIP: infected - 3 skipped
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005536.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\A0005537.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{68012480-FF62-4D55-8453-089CE71C6B8D}\RP33\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

----- END -----

Appreciate your help. Thanks again.

Rdgs,
Kari

Mr_JAk3
2006-12-07, 15:02
Hi again, it is looking clean now :)
The computer is running fine ?

If you Norton doesn't include a firewall, you don't seem to a firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) running, you must install one firewall.
NOTE: If you're using Windows XP firewall, I recommend that you install a better firewall. Windows firewall doesn't really provide enough protection. Disable Windows firewall after installing a new firewall.

These are good (free) firewalls: Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)

Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.

You could also clean Spybot recovery section and empty Norton's quarantine (http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000041213443506).

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is faster, safer and better browser than Internet Explorer.

Keep your systen up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.

Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)

kari.kentang
2006-12-07, 17:13
Dear Mr_JAk3, alls working fine now :bigthumb: . Thanks for all the help! Appreciate your guidence and advises. We have emptied Quarantines and installed Outpost Firewall :) Am now clearing restore points and going to recreate a new one.
Would you suggest monitoring the system these 2 days before archiving this post?:red:

Thanks again.

Rdgs,
Kari

Mr_JAk3
2006-12-07, 20:51
Nice to hear and you're very welcome :)

Yes I'll keep the thread open for two days, let me know if anything occur :bigthumb:

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Glad we could help :2thumb: