
Thread: Resurfaced

  1. #1 Member (Join Date: Nov 2006, Posts: 40)

    Resurfaced

    Hello again,

    After a couple of weeks of hassle-free surfing I was looking for a DVD Xmas present for my son and was looking at HMV, Virgin, Play.com etc. and suddenly when I click on a link from Google I have the hijack again, only this time it seems more virulent. I cannot click on any links whatsoever and it keeps going to the same sort of website with a different name (http:wwwblahblah/ghost seems to come up a lot but it's too fast to read). All I can visit is the links in my favorites which, luckily for me, has this site. I have done another Panda scan, Spybot and HJT and they are attached. Also here is the link to the original problem that is in your archives. Do you think that someone is deliberately targeting my IP? If I was visiting dubious sites then fair enough, I deserved what I got, but Virgin/HMV.....

    Original request: http://forums.spybot.info/showthread.php?t=8710


    Incident Status Location

    Potentially unwanted tool:application/kill&clean Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\extensions\CmdMapping\{BF69DF00-2734-477F-8257-27CD04F88779}
    Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@247realmedia[1].txt
    Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@2o7[2].txt
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@adrevolver[1].txt
    Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@adrevolver[2].txt
    Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@adtech[2].txt
    Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@advertising[2].txt
    Spyware:Cookie/Adviva Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@adviva[2].txt
    Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@apmebf[1].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@atdmt[2].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@doubleclick[1].txt
    Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@fastclick[1].txt
    Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@hitbox[2].txt
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@mediaplex[1].txt
    Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@overture[2].txt
    Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@questionmarket[2].txt
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@serving-sys[1].txt
    Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@statse.webtrendslive[2].txt
    Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Paula Debling\Cookies\paula debling@xiti[1].txt
    Possible Virus. Not disinfected C:\Documents and Settings\Paula Debling\Local Settings\Temp\winlogin.exe
    Possible Virus. Not disinfected C:\Documents and Settings\Paula Debling\Local Settings\Temporary Internet Files\Content.IE5\L7BF1LWE\test[1].htm
    Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean debling@adtech[2].txt
    Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean debling@atdmt[1].txt
    Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean debling@doubleclick[1].txt
    Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Sean Debling\Cookies\sean debling@serving-sys[1].txt
    Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Documents and Settings\Sean Debling\My Documents\Unzipped\hijackthis\backups\backup-20060615-122223-938-PowerReg Scheduler.exe
    Possible Virus. Not disinfected C:\fixwareout\FindT\swreg.exe
    Virus:Trj/Downloader.GHJ Disinfected C:\WINDOWS\system32\cskvk.exe


    Logfile of HijackThis v1.99.1
    Scan saved at 13:50:31, on 30/11/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\WINDOWS\System32\inetsrv\inetinfo.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\carpserv.exe
    C:\WINDOWS\system32\GSICON.EXE
    C:\WINDOWS\system32\dslagent.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\AceGain\LiveUpdate\aceagent.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\CursorXP\CursorXP.exe
    C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\DesktopX.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\dxwidget.exe
    C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\dxwidget.exe
    C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\dxwidget.exe
    C:\PROGRA~1\Stardock\OBJECT~1\DesktopX\dxwidget.exe
    C:\Documents and Settings\Sean Debling\My Documents\Unzipped\hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [CARPService] carpserv.exe
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AceGain LiveUpdate] C:\Program Files\AceGain\LiveUpdate\LiveUpdate.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [LogonStudio] "C:\Program Files\WinCustomize\LogonStudio\logonstudio.exe" /RANDOM
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [tunebite.exe] C:\Program Files\tunebite\tunebite.exe -hidden
    O4 - HKCU\..\Run: [CursorXP] C:\Program Files\CursorXP\CursorXP.exe
    O4 - Startup: GT3 Calendar.lnk = C:\Program Files\Stardock\Object Desktop\DesktopX\Widgets\GT3calendar.exe
    O4 - Startup: GT3 cpu monitor.lnk = C:\Program Files\Stardock\Object Desktop\DesktopX\Widgets\GT3 cpu monitor.exe
    O4 - Startup: GT3 digital clock.lnk = C:\Program Files\Stardock\Object Desktop\DesktopX\Widgets\GT3 digital clock.exe
    O4 - Startup: GT3 recycle bin.lnk = C:\Program Files\Stardock\Object Desktop\DesktopX\Widgets\GT3 recycle bin.exe
    O4 - Startup: Registration-INSDVD.lnk = C:\Program Files\Pinnacle\InstantCDDVD\SharedFiles\Pixie\RegTool.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/ca...C_1_0_0_44.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
    O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
    O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

  2. #2 Security Expert-Emeritus (Join Date: Oct 2005, Posts: 5,025)

    Hello
    Post a report from this tool if any FILES show.
    F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
    Click the "I accept" button near the bottom of that page.
    Click the first download button (version with graphical user interface).
    Download/save (not open) and run Blacklight, click > scan, then > next, next again, then exit.
    There will be a new txt near Blacklight. Post it please.
    Important: If any files show, do not rename them YET.....legitimate files can be listed.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  3. #3 Member (Join Date: Nov 2006, Posts: 40)

    Hi Lonny

    Blacklight as follows...

    12/07/06 20:38:31 [Info]: BlackLight Engine 1.0.47 initialized
    12/07/06 20:38:31 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    12/07/06 20:38:31 [Note]: 7019 4
    12/07/06 20:38:31 [Note]: 7005 0
    12/07/06 20:38:36 [Note]: 7006 0
    12/07/06 20:38:36 [Note]: 7011 488
    12/07/06 20:38:36 [Note]: 7026 0
    12/07/06 20:38:36 [Note]: 7026 0
    12/07/06 20:38:44 [Note]: FSRAW library version 1.7.1020
    12/07/06 20:46:25 [Note]: 2000 1012
    12/07/06 20:47:15 [Note]: 7007 0

    Kind regards

  4. #4 Security Expert-Emeritus (Join Date: Oct 2005, Posts: 5,025)

    That's a good sign, nothing in Blacklight's log.

    When you scan with AVG Anti-Spyware are you still seeing items like this?
    [216] VM_00D60000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).


    Run findt.bat and post report.txt, which will be in the same folder
    C:\fixwareout\FindT\
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  5. #5 Member (Join Date: Nov 2006, Posts: 40)

    Quite a few things listed on AVG Antispy....

    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 21:15:47 08/12/2006

    + Scan result:



    C:\Documents and Settings\Paula Debling\Local Settings\Temporary Internet Files\Content.IE5\F353BXOW\hker[1].htm -> Downloader.Psyme.cf : No action taken.
    C:\Documents and Settings\Paula Debling\Cookies\paula debling@247realmedia[1].txt -> TrackingCookie.247realmedia : No action taken.
    C:\Documents and Settings\Sean Debling\Cookies\sean debling@247realmedia[1].txt -> TrackingCookie.247realmedia : No action taken.
    C:\Documents and Settings\Paula Debling\Cookies\paula debling@122.2o7[2].txt -> TrackingCookie.2o7 : No action taken.
    C:\Documents and Settings\Paula Debling\Cookies\paula debling@2o7[2].txt -> TrackingCookie.2o7 : No action taken.
    C:\Documents and Settings\Paula Debling\Cookies\paula debling@paypal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
    C:\Documents and Settings\Paula Debling\Cookies\paula debling@royalmail.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
    C:\Documents and Settings\Sean Debling\Cookies\sean debling@112.2o7[2].txt -> TrackingCookie.2o7 : No action taken.
    C:\Documents and Settings\Sean Debling\Cookies\sean debling@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
    C:\Documents and Settings\Sean Debling\Cookies\sean debling@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : No action taken.
    C:\Documents and Settings\Sean Debling\Cookies\sean debling@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : No action taken.
    C:\Documents and Settings\Paula Debling\Cookies\paula debling@adrevolver[2].txt -> TrackingCookie.Adrevolver : No action taken.
    C:\Documents and Settings\Sean Debling\Cookies\sean debling@adrevolver[3].txt -> TrackingCookie.Adrevolver : No action taken.
    C:\Documents and Settings\Paula Debling\Cookies\paula debling@adtech[2].txt -> TrackingCookie.Adtech : No action taken.
    C:\Documents and Settings\Sean Debling\Cookies\sean debling@adtech[2].txt -> TrackingCookie.Adtech : No action taken.
    C:\Documents and Settings\Paula Debling\Cookies\paula debling@advertising[2].txt -> TrackingCookie.Advertising : No action taken.
    C:\Documents and Settings\Paula Debling\Cookies\paula debling@adviva[2].txt -> TrackingCookie.Adviva : No action taken.
    C:\Documents and Settings\Paula Debling\Cookies\paula debling@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
    C:\Documents and Settings\Sean Debling\Cookies\sean debling@atdmt[2].txt -> TrackingCookie.Atdmt : No action taken.
    C:\Documents and Settings\Sean Debling\Cookies\sean debling@bfast[2].txt -> TrackingCookie.Bfast : No action taken.
    C:\Documents and Settings\Sean Debling\Cookies\sean debling@com[1].txt -> TrackingCookie.Com : No action taken.
    C:\Documents and Settings\Paula Debling\Cookies\paula debling@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
    C:\Documents and Settings\Sean Debling\Cookies\sean debling@doubleclick[1].txt -> TrackingCookie.Doubleclick : No action taken.
    C:\Documents and Settings\Paula Debling\Cookies\paula debling@e-2dj6wgk4qndjsgp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : No action taken.
    C:\Documents and Settings\Paula Debling\Cookies\paula debling@e-2dj6wgkygic5sbp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
    C:\Documents and Settings\Paula Debling\Cookies\paula debling@e-2dj6whk4ogczoao.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
    C:\Documents and Settings\Paula Debling\Cookies\paula debling@e-2dj6wjlywkajabo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : No action taken.
    C:\Documents and Settings\Sean Debling\Cookies\sean debling@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : No action taken.
    C:\Documents and Settings\Paula Debling\Cookies\paula debling@fastclick[1].txt -> TrackingCookie.Fastclick : No action taken.
    C:\Documents and Settings\Sean Debling\Cookies\sean debling@fastclick[2].txt -> TrackingCookie.Fastclick : No action taken.
    C:\Documents and Settings\Paula Debling\Cookies\paula debling@ehg-abscissa.hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
    C:\Documents and Settings\Paula Debling\Cookies\paula debling@ehg-bookpeople.hitbox[1].txt -> TrackingCookie.Hitbox : No action taken.
    C:\Documents and Settings\Paula Debling\Cookies\paula debling@hitbox[2].txt -> TrackingCookie.Hitbox : No action taken.
    C:\Documents and Settings\Paula Debling\Cookies\paula debling@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
    C:\Documents and Settings\Sean Debling\Cookies\sean debling@mediaplex[1].txt -> TrackingCookie.Mediaplex : No action taken.
    C:\Documents and Settings\Paula Debling\Cookies\paula debling@overture[2].txt -> TrackingCookie.Overture : No action taken.
    C:\Documents and Settings\Sean Debling\Cookies\sean debling@ads.pointroll[1].txt -> TrackingCookie.Pointroll : No action taken.
    C:\Documents and Settings\Paula Debling\Cookies\paula debling@questionmarket[2].txt -> TrackingCookie.Questionmarket : No action taken.
    C:\Documents and Settings\Sean Debling\Cookies\sean debling@questionmarket[2].txt -> TrackingCookie.Questionmarket : No action taken.
    C:\Documents and Settings\Sean Debling\Cookies\sean debling@edge.ru4[2].txt -> TrackingCookie.Ru4 : No action taken.
    C:\Documents and Settings\Paula Debling\Cookies\paula debling@bs.serving-sys[2].txt -> TrackingCookie.Serving-sys : No action taken.
    C:\Documents and Settings\Paula Debling\Cookies\paula debling@serving-sys[1].txt -> TrackingCookie.Serving-sys : No action taken.
    C:\Documents and Settings\Sean Debling\Cookies\sean debling@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : No action taken.
    C:\Documents and Settings\Sean Debling\Cookies\sean debling@serving-sys[1].txt -> TrackingCookie.Serving-sys : No action taken.
    C:\Documents and Settings\Paula Debling\Cookies\paula debling@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
    C:\Documents and Settings\Sean Debling\Cookies\sean debling@tacoda[1].txt -> TrackingCookie.Tacoda : No action taken.
    C:\Documents and Settings\Paula Debling\Cookies\paula debling@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : No action taken.
    C:\Documents and Settings\Sean Debling\Cookies\sean debling@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : No action taken.
    C:\Documents and Settings\Sean Debling\Cookies\sean debling@zedo[2].txt -> TrackingCookie.Zedo : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP505\A0165108.dll -> Trojan.Agent.xk : No action taken.
    C:\WINDOWS\system32\msupmobile86.exe -> Trojan.Inject.ar : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP494\A0163578.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP494\A0163583.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP494\A0163632.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP494\A0163676.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP494\A0163686.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP494\A0163691.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP494\A0163703.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP494\A0163708.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP494\A0163713.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP494\A0163718.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP495\A0163728.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP495\A0163734.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP495\A0163739.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP495\A0163757.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP495\A0163762.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP495\A0163764.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP495\A0163769.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP495\A0163771.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP495\A0163776.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP496\A0163814.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP496\A0163815.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP496\A0163821.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP496\A0163827.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP496\A0163832.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP496\A0163839.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP496\A0163844.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP497\A0163855.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP497\A0163861.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP497\A0163867.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP497\A0163873.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP497\A0163899.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP497\A0163905.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP497\A0163913.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP497\A0163918.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP497\A0163925.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP497\A0163930.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP497\A0163958.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP497\A0163963.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP497\A0163966.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP497\A0163972.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP497\A0163976.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP497\A0163981.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP500\A0164200.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP500\A0164206.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP501\A0164226.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP501\A0164232.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP501\A0164237.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP501\A0164284.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP501\A0164292.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP501\A0164330.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP501\A0164338.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP501\A0164341.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP501\A0164349.exe -> Trojan.Small.fb : No action taken.
    C:\System Volume Information\_restore{E1D71D59-8187-4FD8-9DB9-D4A73A6F8B48}\RP510\A0165596.exe -> Trojan.Small.fb : No action taken.
    C:\WINDOWS\system32\dmifp.exe -> Trojan.Small.fb : No action taken.


    ::Report end

    FindT report as follows...

    PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

    »»»»» Searching by size/names...

    »»»»»
    Search five digit cs, dm and jb files.
    This WILL/CAN also list Legit Files, Submit them at Virustotal

    Other suspects.
    Directory of C:\WINDOWS\system32

    »»»»» Misc files.

    »»»»» Checking for older varients covered by the Rem3 tool.

    --------------------------------------------------------------------------

    I took the recommended actions and consigned them to quarantine and deleted the cookies. Is it okay to update AVG Anti-Virus and Windows or shall I wait until this little fracas is over?

  6. #6 Security Expert-Emeritus (Join Date: Oct 2005, Posts: 5,025)

    "No action taken." means exactly that.
    Have AVG Anti-Spyware actually do something with these two files.
    C:\WINDOWS\system32\msupmobile86.exe
    C:\WINDOWS\system32\dmifp.exe
    =========================

    Are there any current problems ?
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006
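The point Lonny makes in #6 (a "No action taken." line means the file is still on disk) is easy to miss in a report this long. The script below is an added example, not part of the thread or of AVG's tooling: it parses a constructed report in the same `path -> detection : action` layout and separates live files that still need attention from tracking cookies and from copies that exist only inside System Restore points (which the later System Restore purge covers). All sample paths and detection names are made up.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# One finding per line: "<path or memory region> -> <detection name> : <action>."
LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>[^:]+?) : (?P<action>.+?)\.?$")

# Constructed sample in the same layout as the report pasted in the thread.
# User names, paths, GUID and file names are placeholders, not real findings.
SAMPLE_REPORT = r"""
---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 21:15:47 08/12/2006

+ Scan result:

C:\Documents and Settings\User\Cookies\user@example-ads[1].txt -> TrackingCookie.Example-ads : No action taken.
C:\Documents and Settings\User\Cookies\user@example-stats[2].txt -> TrackingCookie.Example-stats : No action taken.
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.exe -> Trojan.Small.fb : No action taken.
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000002.exe -> Trojan.Small.fb : No action taken.
C:\WINDOWS\system32\example_dropper.exe -> Trojan.Inject.ar : No action taken.
C:\WINDOWS\system32\example_small.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
[216] VM_00D60000 -> Downloader.Agent.uj : Cleaned with backup (quarantined).

::Report end
"""


@dataclass
class Finding:
    path: str
    detection: str
    action: str

    @property
    def is_tracking_cookie(self) -> bool:
        return self.detection.startswith("TrackingCookie.")

    @property
    def in_restore_point(self) -> bool:
        # Copies under _restore{...} are only reachable via System Restore.
        return "\\System Volume Information\\_restore" in self.path

    @property
    def still_present(self) -> bool:
        # "No action taken" is the status the scanner logs before the user picks an action.
        return self.action.lower().startswith("no action taken")


def parse_report(text: str) -> list[Finding]:
    """Return one Finding per result line; headers and footers are skipped."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            findings.append(Finding(**m.groupdict()))
    return findings


def triage(findings: list[Finding]) -> dict[str, list[Finding]]:
    """Split findings by what the user still has to do about them."""
    return {
        # Untouched files outside restore points: these are the ones to act on first.
        "live": [f for f in findings if f.still_present
                 and not f.is_tracking_cookie and not f.in_restore_point],
        "restore_points": [f for f in findings if f.still_present and f.in_restore_point],
        "cookies": [f for f in findings if f.is_tracking_cookie],
        # Already quarantined or cleaned by the scanner.
        "handled": [f for f in findings if not f.still_present],
    }


def action_items(findings: list[Finding]) -> list[str]:
    """Human-readable to-do list: live files first, then restore points, then cookies."""
    t = triage(findings)
    items = [f"ACT NOW: {f.path} ({f.detection}) is still on disk" for f in t["live"]]
    if t["restore_points"]:
        items.append(f"{len(t['restore_points'])} copies exist only in System Restore points; "
                     "purge System Restore once the live files are dealt with")
    if t["cookies"]:
        items.append(f"{len(t['cookies'])} tracking cookies; delete them")
    return items


if __name__ == "__main__":
    for line in action_items(parse_report(SAMPLE_REPORT)):
        print(line)
```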

  7. #7 Member (Join Date: Nov 2006, Posts: 40)

    Hi Lonny,

    It gave me the option after scanning to quarantine these items, which I did. It appears to generate the logfile before any action is taken; not sure if that's supposed to happen. I have checked and both of those files and all the System Volume Info\_restore blah blah were put into the quarantine folder. I've gone into the settings for AVG and changed the "How to Act?" to Delete rather than Recommended Actions. Shall I delete all the files in the quarantine folder? No point in keeping something that I know is bad.

    Fingers crossed all links appear to be working okay. Anything else you can suggest to check ?

    I've downloaded ZoneLabs' freebie firewall but not installed it yet. Will do so after the okay from yourselves.

  8. #8 Security Expert-Emeritus (Join Date: Oct 2005, Posts: 5,025)

    Good going.
    I'd set it back to take recommended action, in case it finds an infected legit file in the future, and leave the items in quarantine for a week or two; then, if there are no problems, delete them.

    Great to hear you've got a firewall.

    C:\fixwareout < delete since it's no longer needed

    If there are no problems now, purge System Restore:
    Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.
    Then reboot. < Don't skip that step.
    Turn ON System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check Turn off System Restore.
    Click Apply, and then click OK.
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006

  9. #9 Member (Join Date: Nov 2006, Posts: 40)

    I'd set it back to take recommended action, in case it finds an infected legit file ....
    Duly done

    C:\fixwareout < delete since it's no longer needed
    Deleted

    If there are no problems now Purge System Restore
    Purged

    There's me thinking that the M$ firewall must be the best because it's written by the same company that wrote the OS. Shows how naïve I am.

  10. #10 Security Expert-Emeritus (Join Date: Oct 2005, Posts: 5,025)

    Don't depend on any one antivirus program; go get preferably two different free online scans weekly or bi-weekly.

    Panda ActiveScan-Free online scanner,
    http://www.pandasoftware.com/products/activescan.htm
    Kaspersky Lab - Free Online scan:
    http://www.kaspersky.com/virusscanner
    http://support.f-secure.com/enu/home/ols3.shtml#

    Think Prevention: Put in place a good hosts file
    http://www.mvps.org/winhelp2002/hosts.htm
    How To Download and Extract the HOSTS file:
    http://www.mvps.org/winhelp2002/hosts2.htm
    Repeat that process about once or twice a month.


    To help avoid reinfection see "So how did I get infected in the first place?"
    http://forums.spybot.info/showthread.php?t=279
    ~~~~~~~~~~~~~~~~~~~~~~~
    Microsoft MVP Windows-Security 2006
