I have many viruses including, but not limited to, Smitfraud-C

D

dthor

New member
I seem to have multiple viruses on my PC. I have seen signs of the following; Webhancer, PurityScan, Mirar, ZQuest, Virtumonde and SmitFraud-C.CoreService. I have run Spybot in Safe Mode and some of the problems were resolved, but many remain.

I have also pasted below the HiJackThis log. The Kastersky Online Scan Log is also availbable, but it was omitted due to posting length restrictions.

Is anyone able to assist me in clearing my PC of the aforementioned? Your time and knowledge will be greatly appreciated!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:07:00 PM, on 11/2/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\Explorer.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\proper.exe
C:\WINNT\System32\ctfmon.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\Java\j2re1.4.2_04\bin\jucheck.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\samyxa77798.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Insider\Insider.exe
C:\Documents and Settings\marci1\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\marci1\Application Data\Microsoft\Windows\urybv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\System32\proper.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINNT\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [samyxa] C:\Program Files\Adobe\samyxa77798.exe
O4 - HKLM\..\Run: [Undefined] C:\WINNT\System32\winter.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [28ad0c7d] rundll32.exe "C:\WINNT\System32\aguwhess.dll",b
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Ayo] C:\WINNT\?ecurity\s?rvices.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [iukf] C:\PROGRA~1\COMMON~1\iukf\iukfm.exe
O4 - HKCU\..\Run: [Usom] C:\WINNT\system32\?dobe\m?hta.exe
O4 - HKCU\..\Run: [Urdhxo] \\extreme1\home\marci1\??sks\l?gonui.exe
O4 - HKCU\..\Run: [Kxuuik] "C:\Program Files\Common Files\??pPatch\m?hta.exe"
O4 - HKCU\..\Run: [Fhiblnsm] \\extreme1\home\marci1\??sks\n?pdb.exe
O4 - HKCU\..\Run: [Ycv] "C:\Documents and Settings\marci1\Application Data\?dobe\w?auboot.exe"
O4 - HKCU\..\Run: [Olz] C:\WINNT\??sks\s?chost.exe
O4 - HKCU\..\Run: [Ygcl] "C:\Documents and Settings\marci1\Application Data\a?sembly\u?erinit.exe"
O4 - HKCU\..\Run: [Qtqld] C:\WINNT\system32\?icrosoft.NET\l?ass.exe
O4 - HKCU\..\Run: [Bvlzjtkt] "C:\Program Files\?ssembly\i?xplore.exe"
O4 - HKCU\..\Run: [Awubw] "C:\Program Files\Common Files\?asks\w?auboot.exe"
O4 - HKCU\..\Run: [Uxqhwt] C:\WINNT\system32\?asks\r?gedit.exe
O4 - HKCU\..\Run: [Plod] "C:\Program Files\Common Files\W?nSxS\?pool32.exe"
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.5\webbuying.exe
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\marci1\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\marci1\Application Data\Microsoft\Windows\urybv.exe
O4 - HKCU\..\Run: [Undefined] C:\WINNT\System32\winter.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: infos.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: autos.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} -
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = extremepittsburgh.local
O17 - HKLM\Software\..\Telephony: DomainName = extremepittsburgh.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{37A6696E-199F-4577-A53C-0C4E9EA1D0C9}: NameServer = 192.168.2.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = extremepittsburgh.local
O20 - AppInit_DLLs: C:\WINNT\System32\skuns.dat
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\bazy.html

--
End of file - 7585 bytes
 
Hello and welcome to Safer Networking Forums.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

Since I am still in training, I have to let experts check the content of my fixes before I post them so please be patient.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.


I will be back as soon as possible with your first instructions!
 
Deleted ...

All yours km2357

You beat my reply by 3 minutes :lol:
 
Last edited:
Severly Infected Machine

I have a PC that is infected with numerous viruses - based on the Kaspersky, AVG and SpyBot scans. Some problems were resolved but many remain (uncontrollable pop ups, redirects, locked out of task manager and control panel). I am new to this forum, but I have read the "BEFORE you POST" thread and I am prepared with logs (HJT is included below and Kaspersky is available).

Whatever I have blocks my ability to send emails or even worse yet respond within the thread (just hangs) so I have to physically drive ~10 miles to a clean PC to communicate within this forum. I believe that I can send private messages which…if anyone is willing…would save me from driving back and forth just to read/respond to the thread. I understand that this request in unorthodox in light of the intent of the forum, but my situation seems to have me in a bit of a precarious situation.

Any assistance you are able to offer will be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59:22 AM, on 11/3/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\Explorer.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\samyxa77798.exe
C:\WINNT\System32\winter.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINNT\System32\rundll32.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Insider\Insider.exe
C:\Documents and Settings\marci1\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\marci1\Application Data\Microsoft\Windows\urybv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\System32\proper.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINNT\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [samyxa] C:\Program Files\Adobe\samyxa77798.exe
O4 - HKLM\..\Run: [Undefined] C:\WINNT\System32\winter.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [28ad0c7d] rundll32.exe "C:\WINNT\System32\aguwhess.dll",b
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Ayo] C:\WINNT\?ecurity\s?rvices.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\Run: [iukf] C:\PROGRA~1\COMMON~1\iukf\iukfm.exe
O4 - HKCU\..\Run: [Usom] C:\WINNT\system32\?dobe\m?hta.exe
O4 - HKCU\..\Run: [Urdhxo] \\extreme1\home\marci1\??sks\l?gonui.exe
O4 - HKCU\..\Run: [Kxuuik] "C:\Program Files\Common Files\??pPatch\m?hta.exe"
O4 - HKCU\..\Run: [Fhiblnsm] \\extreme1\home\marci1\??sks\n?pdb.exe
O4 - HKCU\..\Run: [Ycv] "C:\Documents and Settings\marci1\Application Data\?dobe\w?auboot.exe"
O4 - HKCU\..\Run: [Olz] C:\WINNT\??sks\s?chost.exe
O4 - HKCU\..\Run: [Ygcl] "C:\Documents and Settings\marci1\Application Data\a?sembly\u?erinit.exe"
O4 - HKCU\..\Run: [Qtqld] C:\WINNT\system32\?icrosoft.NET\l?ass.exe
O4 - HKCU\..\Run: [Bvlzjtkt] "C:\Program Files\?ssembly\i?xplore.exe"
O4 - HKCU\..\Run: [Awubw] "C:\Program Files\Common Files\?asks\w?auboot.exe"
O4 - HKCU\..\Run: [Uxqhwt] C:\WINNT\system32\?asks\r?gedit.exe
O4 - HKCU\..\Run: [Plod] "C:\Program Files\Common Files\W?nSxS\?pool32.exe"
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.5\webbuying.exe
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\marci1\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\marci1\Application Data\Microsoft\Windows\urybv.exe
O4 - HKCU\..\Run: [Undefined] C:\WINNT\System32\winter.exe
O4 - Startup: infos.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: autos.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = extremepittsburgh.local
O17 - HKLM\Software\..\Telephony: DomainName = extremepittsburgh.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{37A6696E-199F-4577-A53C-0C4E9EA1D0C9}: NameServer = 192.168.2.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = extremepittsburgh.local
O20 - AppInit_DLLs: C:\WINNT\System32\skuns.dat
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner - C:\WINNT\System32\rrqfpyed.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN\bazy.html
--
End of file - 7400 bytes
 
I see you have not upgraded to Windows XP SP2. During the time I am helping you, do not upgrade to SP2 until I tell you to do so.



Looking over your log, it seems you don't have any evidence of an anti-virus software.

Anti-virus software are programs that detect, cleanse, and erase harmful virus files on a computer, Web server, or network. Unchecked, virus files can unintentionally be forwarded to others, including trading partners and thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. They can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download a free anti-virus software from one these vendors NOW:

1)Antivir PersonalEdition Classic
2)avast! 4 Home Edition
3) AVG Anti-Virus Free Edition

Download and install only one!



Step # 1 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u3 .
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • From your desktop double-click on the download to install the newest version.



Step # 2: Download and Run ComboFix
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Step # 3: Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.

You will now be presented with a screen similar to the one below:

uninstall-man.jpg


5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.


Step # 4 Post Logs

In your next post/reply, I'd like to see the following:

  • 1. ComboFix Log (C:\Combofix.txt)
    2. A fresh HijackThis Log
    3. Uninstall List

If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.
 
HI LLINGO/dthor & km2357

I received a PM from LLINGO ( who is the same poster as dthor )

They requested help as they had not heard back from km2357

They also started a new thread, because they could not reply using the "submit reply" button

I have merged the new thread by LLINGO with this thread by dthor ... bearing in mind it is the same poster with the same problem ...

LLINGO/dthor please try to post back to this thread, each time you post ... if you are unable to post to the thread, then start a new thread with your reply & send me a PM with a link to the new thread, I will then merge it with this thread.

km2357 please feel free to PM me with any comments/questions you may have.

steam
 
Last edited by a moderator:
The requested logs...

As you requested, I have attached the latest logs (combofix log and unnstall). I pasted the hijackthis log becasue I was unsure as to whether I could attach a .log file. Please let me know if you need anything else.

Just for you information, I can reply to the original thread only when I am on a clean pc. However, both physically getting to a clean PC and getting the logs to a clean PC are a bit of a challange. So, I really apprecaite your continued patience (and support) as I use the rather unconventional approach (using both PM and thread response). As soon as I am able to use stricly the thread...I certainly will.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:54, on 2007-11-03
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\ctfmon.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\samyxa77798.exe
C:\WINNT\System32\winter.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINNT\System32\wscript.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
F2 - REG:system.ini: Shell=Explorer.exe C:\WINNT\System32\proper.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {5837189E-0DAC-4D0F-6298-53AD3699E862} - C:\Program Files\MSN\woqu376.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: (no name) - {AF4837DA-938C-4864-3BDA-A47284DFCC71} - C:\WINNT\System32\msvml8.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B94A36D2-3562-4E2D-BAAE-02C592D3BA31} - C:\WINNT\System32\iifgd.dll (file missing)
O2 - BHO: openfiles - {BB60BF02-2651-46CA-8483-13D5AC93814C} - C:\WINNT\System32\openfiles.dll
O2 - BHO: (no name) - {D1E71B77-1217-4629-A7F4-7D14877E008F} - C:\Program Files\MSN Gaming Zone\safejupe4444.dll
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - C:\WINNT\System32\bronto.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINNT\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [samyxa] C:\Program Files\Adobe\samyxa77798.exe
O4 - HKLM\..\Run: [Undefined] C:\WINNT\System32\winter.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [28ad0c7d] rundll32.exe "C:\WINNT\System32\xlxrfcme.dll",b
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Ayo] C:\WINNT\?ecurity\s?rvices.exe
O4 - HKCU\..\Run: [iukf] C:\PROGRA~1\COMMON~1\iukf\iukfm.exe
O4 - HKCU\..\Run: [Usom] C:\WINNT\system32\?dobe\m?hta.exe
O4 - HKCU\..\Run: [Urdhxo] \\extreme1\home\marci1\??sks\l?gonui.exe
O4 - HKCU\..\Run: [Kxuuik] "C:\Program Files\Common Files\??pPatch\m?hta.exe"
O4 - HKCU\..\Run: [Fhiblnsm] \\extreme1\home\marci1\??sks\n?pdb.exe
O4 - HKCU\..\Run: [Ycv] "C:\Documents and Settings\marci1\Application Data\?dobe\w?auboot.exe"
O4 - HKCU\..\Run: [Olz] C:\WINNT\??sks\s?chost.exe
O4 - HKCU\..\Run: [Ygcl] "C:\Documents and Settings\marci1\Application Data\a?sembly\u?erinit.exe"
O4 - HKCU\..\Run: [Qtqld] C:\WINNT\system32\?icrosoft.NET\l?ass.exe
O4 - HKCU\..\Run: [Bvlzjtkt] "C:\Program Files\?ssembly\i?xplore.exe"
O4 - HKCU\..\Run: [Awubw] "C:\Program Files\Common Files\?asks\w?auboot.exe"
O4 - HKCU\..\Run: [Uxqhwt] C:\WINNT\system32\?asks\r?gedit.exe
O4 - HKCU\..\Run: [Plod] "C:\Program Files\Common Files\W?nSxS\?pool32.exe"
O4 - HKCU\..\Run: [Undefined] C:\WINNT\System32\winter.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: infos.exe
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: autos.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = extremepittsburgh.local
O17 - HKLM\Software\..\Telephony: DomainName = extremepittsburgh.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{37A6696E-199F-4577-A53C-0C4E9EA1D0C9}: NameServer = 192.168.2.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = extremepittsburgh.local
O20 - Winlogon Notify: tuvtsrq - tuvtsrq.dll (file missing)
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

--
End of file - 8474 bytes
 
I need you to delete the following folder from your network drive: \\extreme1\home\marci1\??sks. The folder will have the letters sks in its name. If you are unsure or have any questions, please ask them.



Step # 1: Run CFScript

Please delete the version of ComboFix you have on your computer, I need you to download the latest version of ComboFix by sUBs here and save it to your Desktop.



  • Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Code: 
    File::

C:\WINNT\system32\poroskt.dll
C:\WINNT\system32\msvml8.dll
C:\WINNT\system32\gpe80vNb.exe
C:\Temp\svcipa.exe
C:\WINNT\system32\tmp.reg
C:\WINNT\system32\mscorews.dll
C:\WINNT\system32\tqqktcgi.dll
C:\WINNT\system32\bronto.dll
C:\WINNT\system32\winter.exe
C:\WINNT\system32\proper.exe
C:\WINNT\system32\skuns.dat
C:\WINNT\system32\dgfii.bak2
C:\WINNT\system32\dgfii.bak1
C:\Program Files\MSN\woqu376.dll
C:\WINNT\System32\iifgd.dll
C:\WINNT\System32\openfiles.dll
C:\Program Files\MSN Gaming Zone\safejupe4444.dll
C:\Program Files\Adobe\samyxa77798.exe
C:\WINNT\System32\xlxrfcme.dll
C:\Documents and Settings\marci1\Start Menu\Programs\Startup\infos.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autos.exe
C:\WINNT\system32\tuvtsrq.dll

Folder:: 

C:\WINNT\system32\Mz02r
C:\Temp\mZOr
C:\Program Files\Common Files\iukf

Registry:: 

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5837189E-0DAC-4D0F-6298-53AD3699E862}]
			
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AF4837DA-938C-4864-3BDA-A47284DFCC71}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B94A36D2-3562-4E2D-BAAE-02C592D3BA31}]
			
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB60BF02-2651-46CA-8483-13D5AC93814C}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1E71B77-1217-4629-A7F4-7D14877E008F}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D27987B8-7244-4DE0-AE10-39B826B492F1}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"samyxa"=-
"Undefined"=-
"28ad0c7d"=-

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ayo"=-
"iukf"=-
"Usom"=-
"Urdhxo"=-
"Kxuuik"=-
"Fhiblnsm"=-
"Ycv"=-
"Olz"=-
"Ygcl"=-
"Qtqld"=-
"Bvlzjtkt"=-
"Awubw"=-
"Uxqhwt"=-
"Plod"=-
"Undefined"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-
"DisableTaskMgr"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-
"DisableTaskMgr"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoControlPanel"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"DisablePersonalDirChange"=-
"NoControlPanel"=-
"NoWindowsUpdate"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"Shell"="Explorer.exe"

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtsrq]

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.


    CFScript.gif


  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.



Step # 2 Post Logs

In your next post/reply, I'd like to see the following:

  • 1. ComboFix Log (C:\ComboFix.txt)
    2. A fresh HiJackThis Log
    3. Let me know if you have access to the Control Panel. Add/Remove Programs, etc

If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.
 
New Logs...

KM2357,

Attached are the newest logs. I DO now have access to the Control Panel with the ability to Add/Remove Programs. And while the machine may not be 100% clean, it is now much easier for me navigate and to get seemingly simple things done. Please let me know if you have any questions and/or further instruction.

-dthor
 
Hi

The file & folder sections of the CFScript executed OK ... but for some reason the Registry section did not ... You have access to the Control Panel etc, again because Combofix now automatically removes those restrictions from the registry ... the CFScript didn't do it ... I have NO idea why the registry section didn't execute ... it looks fine to me.

There is still a lot of cleaning to do, but the source of the infection has gone ... keep a watch for km2357's next post.

steam
 
Hi dthor.

From now on for any logs/reports I ask for you to post, I would like for you to post them in the thread and not as attachments. Thanks. :)


Print out these instructions or save them into a notepad on your desktop, because you will not have internet access while in Safe Mode.


Step # 1 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u3 .
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Remove the following old versions of Java:
  • Java 2 Runtime Environment, SE v1.4.2_04
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • From your desktop double-click on the download to install the newest version.


Step # 2 Run AVG Anti-Spyware

Please do the following:

  • Click the Update icon at the top and under Manual Update click the Start update button.
  • The program will either update or inform you that no update was available.
  • It is essential that you get the update - keep trying until successful. (Note: If you have problems getting the update, you can download an installer for the full database from here (save it on your desktop). Once you have downloaded the installer, make sure that AVG Anti-Spyware is closed and then double-click on avgas-signatures-full-current.exe to install the database).
Please set up the program as follows:
  • Click the Shield icon at the top and under Resident shield is... click active. This should now
    change to inactive.
  • Click the Update icon and untick the automatic update option.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act? - make sure that Quarantine is selected.
    • Under How to scan? - All checkboxes should be ticked.
    • Under Possibly unwanted software - All checkboxes should be ticked.
    • Under Reports - Select Do not automatically generate reports.
    • Under What to scan? - Select Scan every file.
Close all open windows.
Do not run a scan yet


Step # 3: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Step # 4: View Hidden Files/Folders


Reconfigure Windows XP to show hidden files:
To enable the viewing of Hidden files follow these steps:

  • Close all programs so that you are at your desktop.
  • Double-click on the My Computer icon.
  • Select the Tools menu and click Folder Options.
  • After the new window appears select the View tab.
  • Put a checkmark in the checkbox labeled Display the contents of system folders.
  • Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
  • Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
  • Remove the checkmark from the checkbox labeled Hide protected operating system files.
  • Press the Apply button and then the OK button and shutdown My Computer.
  • Now your computer is configured to show all hidden files.

Be sure to re-hide your files once you are finished cleaning your computer.


Step # 5: Boot into Safe Mode

You can go in Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.



Step # 6: Remove Hijackthis Entries

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm

    O2 - BHO: 0 - {5837189E-0DAC-4D0F-6298-53AD3699E862} - C:\Program Files\MSN\woqu376.dll (file missing)

    O2 - BHO: (no name) - {B94A36D2-3562-4E2D-BAAE-02C592D3BA31} - C:\WINNT\System32\iifgd.dll (file missing)

    O4 - HKLM\..\Run: [samyxa] C:\Program Files\Adobe\samyxa77798.exe

    O4 - HKLM\..\Run: [28ad0c7d] rundll32.exe "C:\WINNT\System32\xlxrfcme.dll",b

    O4 - HKCU\..\Run: [Ayo] C:\WINNT\?ecurity\s?rvices.exe

    O4 - HKCU\..\Run: [iukf] C:\PROGRA~1\COMMON~1\iukf\iukfm.exe

    O4 - HKCU\..\Run: [Usom] C:\WINNT\system32\?dobe\m?hta.exe

    O4 - HKCU\..\Run: [Urdhxo] \\extreme1\home\marci1\??sks\l?gonui.exe

    O4 - HKCU\..\Run: [Kxuuik] "C:\Program Files\Common Files\??pPatch\m?hta.exe"

    O4 - HKCU\..\Run: [Fhiblnsm] \\extreme1\home\marci1\??sks\n?pdb.exe

    O4 - HKCU\..\Run: [Ycv] "C:\Documents and Settings\marci1\Application Data\?dobe\w?auboot.exe"

    O4 - HKCU\..\Run: [Olz] C:\WINNT\??sks\s?chost.exe

    O4 - HKCU\..\Run: [Ygcl] "C:\Documents and Settings\marci1\Application Data\a?sembly\u?erinit.exe"

    O4 - HKCU\..\Run: [Qtqld] C:\WINNT\system32\?icrosoft.NET\l?ass.exe

    O4 - HKCU\..\Run: [Bvlzjtkt] "C:\Program Files\?ssembly\i?xplore.exe"

    O4 - HKCU\..\Run: [Awubw] "C:\Program Files\Common Files\?asks\w?auboot.exe"

    O4 - HKCU\..\Run: [Uxqhwt] C:\WINNT\system32\?asks\r?gedit.exe

    O4 - HKCU\..\Run: [Plod] "C:\Program Files\Common Files\W?nSxS\?pool32.exe"

    O20 - Winlogon Notify: tuvtsrq - tuvtsrq.dll (file missing)
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.



Step # 7: Deleting Files/Folders

Once in Safe Mode, I need you to use Windows Explorer to delete the files/folders I have marked in Red(if found):

Files:

C:\windows\system32\blank.htm
C:\Program Files\MSN\woqu376.dll
C:\WINNT\System32\iifgd.dll
C:\WINNT\System32\xlxrfcme.dll
C:\WINNT\system32\tuvtsrq.dll


Step # 8 Run AVG Anti-Spyware

  • Click on Scanner on the toolbar.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan your computer.
  • When the scan has finished, follow the instructions below:
    • Make sure that Set all elements to: shows Quarantine
    • Important: Click on the Apply all Actions button (*** This must done before saving the report ***)
    • When the program has finished, it will display the message All actions have been applied.
    • Then click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Tray Icon and select Exit.
  • Reboot your computer.
  • Now copy the report back to this topic.


Step # 9 Post Logs

In your next post/reply, I'd like to see the following:

  • 1. AVG Anti-Spyware Report
    2. A fresh HijackThis Log

If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.
 
Question for you before proceeding...

My PC is networked with several others (as you may have noticed from the logs). So, when I have booted in Safe Mode in the past it was typically necessary for me to utilize "with Networking" (in order to log into the network). However, I expect that this may be defeating the purpose of booting in safe mode. Is that true? If so, any suggestions?
 
New Logs

KM2357,

I executed all of the steps and included the logs below. The only thing that I was unable to do was delete the files in Step #7 as none of them were there except 'C:\Program Files\MSN\woqu376.dll' which I did delete.

Any questions, just me know and again, thank you.

-dthor

-----------------------------------
AVG Anti-Spyware - Scan Report
-----------------------------------

+ Created at: 19:51 2007-11-07

+ Scan result:

C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1181\A0019800.exe -> Downloader.VB.bkw : Cleaned with backup (quarantined).

::Report end

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:55, on 2007-11-07
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\ctfmon.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINNT\system32\userinit.exe
C:\WINNT\System32\wuauclt.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINNT\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = extremepittsburgh.local
O17 - HKLM\Software\..\Telephony: DomainName = extremepittsburgh.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{37A6696E-199F-4577-A53C-0C4E9EA1D0C9}: NameServer = 192.168.2.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = extremepittsburgh.local
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
--
End of file - 6106 bytes
 
Step # 1 Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available. (See Note below)

  • First, go to Add/Remove Programs and uninstall all previous versions.
  • Please go to this link Adobe Acrobat Reader Download Link
  • On the right Untick Adobe Phototshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

Note: Adobe 8 is a large program and if you prefer a smaller program you can get Foxit 2.0 instead from http://www.foxitsoftware.com/pdf/rd_intro.php


Step # 2: Run Kaspersky Online Scan
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be promted to install an ActiveX component from Kaspersky,
Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:

    • Extended (if available otherwise Standard)
    • Scan Options:

    • Scan Archives Scan Mail Bases
  • Click OK
  • Now under select a target to scan:

    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Once finished, save the log to your Desktop as filename KAV.txt


Step # Post Logs

In your next post/reply, I'd like to see the following:

  • 1. Kaspersky Log (KAV.txt)
    2. A fresh HiJackThis Log
    3. How is your computer running?/Any problems?

If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.
 
KAV.txt

So, I updated Adobe, I ran the Kaspersky Online Scan and I created a new HijackThis Log. The PC seems to be running ok, but after running the aforementioned and checking out the logs...it seems as if the machine is still pretty ill.

One thing in particular...when I turn the PC on one of the first screens that I see is from AVG stating that a threat has been found...how do I want to proceed? I typically use task manger to end the process. However, I am not convinced that this is not part of one of the viruses and I am reenabling it by clicking on the screen (moving, closing, etc.). Is this possible or does that sound like AVG to you? I have never used AVG in the past. Also, everytime I reboot, AVG updates it files. Does this sound legit to you?

Well, I hope that this info is useful. WHen you are ready to advise...I am ready to act.

Many thanks,
dthor

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
2007-11-08 21:41
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/11/2007
Kaspersky Anti-Virus database records: 454887
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
G:\
H:\
O:\
P:\
Q:\

Scan Statistics:
Total number of scanned objects: 50474
Number of viruses found: 13
Number of infected objects: 140
Number of suspicious objects: 4
Duration of the scan process: 01:23:07

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/retadpu.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.8.5/wbuninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\marci1\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\marci1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\marci1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\marci1\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\marci1\Local Settings\History\History.IE5\MSHist012007110820071109\index.dat Object is locked skipped
C:\Documents and Settings\marci1\Local Settings\Temp\Perflib_Perfdata_9d4.dat Object is locked skipped
C:\Documents and Settings\marci1\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\marci1\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\marci1\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\MSN Gaming Zone\safejupe83122.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\Program Files\Adobe\samyxa77798.exe.vir Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\qoobox\Quarantine\C\Program Files\MSN Gaming Zone\safejupe4444.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\WINNT\system32\bronto.dll.vir Infected: Backdoor.Win32.Small.cls skipped
C:\qoobox\Quarantine\C\WINNT\system32\e2\caws83122.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\WINNT\system32\e2\caws83122.exe.vir NSIS: infected - 1 skipped
C:\qoobox\Quarantine\C\WINNT\system32\gouykyho.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINNT\system32\iobenph.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.ta skipped
C:\qoobox\Quarantine\C\WINNT\system32\kecdloqe.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\qoobox\Quarantine\C\WINNT\system32\openfiles.dll.vir Infected: Trojan.Win32.Agent.cnb skipped
C:\qoobox\Quarantine\C\WINNT\TTC-4444.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\qoobox\Quarantine\C\WINNT\TTC-4444.exe.vir NSIS: infected - 1 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1144\A0019270.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1144\A0019271.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1145\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1146\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1147\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1148\A0019301.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1148\A0019301.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1148\A0019301.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1148\A0019301.exe RarSFX: infected - 3 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1148\A0019305.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1148\A0019306.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1148\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1149\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1149\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1150\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1150\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1151\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1151\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1152\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1152\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1153\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1153\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1154\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1154\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1155\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1155\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1156\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1156\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1157\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1157\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1158\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1158\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1159\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1159\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1160\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1160\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1161\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1161\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1162\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1162\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1163\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1163\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1164\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1164\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1165\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1165\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1166\A0019448.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1166\A0019448.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1166\A0019448.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1166\A0019448.exe RarSFX: infected - 3 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1166\A0019452.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1166\A0019453.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1166\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1166\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1167\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1167\snapshot\MFEX-15.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1167\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1168\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1168\snapshot\MFEX-15.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1168\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1169\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1169\snapshot\MFEX-15.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1169\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1170\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1170\snapshot\MFEX-15.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1170\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1171\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1171\snapshot\MFEX-15.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1171\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1172\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1172\snapshot\MFEX-15.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1172\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1173\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1173\snapshot\MFEX-15.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1173\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1174\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1174\snapshot\MFEX-15.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1174\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1175\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1175\snapshot\MFEX-15.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1175\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1176\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1176\snapshot\MFEX-15.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1176\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
 
KAV.txt Cont'd

C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1177\A0019489.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1177\A0019489.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1177\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1177\snapshot\MFEX-15.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1177\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1178\A0019505.exe Object is locked skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1178\A0019506.exe Object is locked skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1178\A0019529.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1178\A0019531.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1178\A0019552.exe Object is locked skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1178\A0019556.exe Object is locked skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1178\snapshot\MFEX-10.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1178\snapshot\MFEX-15.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1178\snapshot\MFEX-16.DAT Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1178\snapshot\MFEX-5.DAT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1179\A0019580.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1179\A0019582.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1179\A0019583.dll Object is locked skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1179\A0019596.dll Object is locked skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1179\A0019597.dll Object is locked skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1179\A0019598.dll Object is locked skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1179\A0019599.exe Infected: not-a-virus:AdWare.Win32.Agent.tb skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1179\A0019600.exe Object is locked skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1179\A0019604.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1179\A0019605.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1179\A0019605.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1179\A0019605.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1179\A0019605.exe RarSFX: infected - 3 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1179\A0019606.exe Object is locked skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1180\A0019638.dll Object is locked skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1181\A0019789.dll Object is locked skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1181\A0019795.exe Object is locked skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1181\A0019796.exe Object is locked skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1181\A0019797.exe Object is locked skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1181\A0019798.dll Object is locked skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1181\A0019799.dll Object is locked skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1181\A0019801.exe Object is locked skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1182\A0019821.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1182\A0019822.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1182\A0019823.dll Infected: not-a-virus:AdWare.Win32.Agent.ta skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1182\A0019828.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1182\A0019828.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1182\A0019833.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1182\A0019833.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1183\A0019984.dll Infected: Backdoor.Win32.Small.cls skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1183\A0019987.exe Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1183\A0019988.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1183\A0019992.dll Infected: Trojan.Win32.Agent.cnb skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1183\A0020015.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1186\A0020177.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1186\A0020177.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1186\A0020177.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{5EDDC099-25B6-4DA8-A63B-6FCA8B7A5560}\RP1188\change.log Object is locked skipped
C:\WINNT\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINNT\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINNT\$NtUninstallKB826942$\dhcpcsvc.dll Object is locked skipped
C:\WINNT\$NtUninstallKB826942$\ndis.sys Object is locked skipped
C:\WINNT\$NtUninstallKB826942$\ndisuio.sys Object is locked skipped
C:\WINNT\$NtUninstallKB826942$\netshell.dll Object is locked skipped
C:\WINNT\$NtUninstallKB826942$\wzcdlg.dll Object is locked skipped
C:\WINNT\$NtUninstallKB826942$\wzcsapi.dll Object is locked skipped
C:\WINNT\$NtUninstallKB826942$\wzcsvc.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828028$\msasn1.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINNT\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINNT\$NtUninstallKB829558$\dao360.dll Object is locked skipped
C:\WINNT\$NtUninstallKB829558$\msexcl40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB829558$\msjet40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB829558$\msjetol1.dll Object is locked skipped
C:\WINNT\$NtUninstallKB829558$\msjetoledb40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB829558$\msjtes40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB829558$\mspbde40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB829558$\msrepl40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB829558$\mstext40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB829558$\msxbde40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB833998$\shell32.dll Object is locked skipped
C:\WINNT\$NtUninstallKB833998$\sxs.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINNT\$NtUninstallKB835732$\xpsp2res.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\dao360.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\msjetol1.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
C:\WINNT\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
C:\WINNT\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINNT\$NtUninstallQ828026$\wmp.dll Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\CSC\00000002 Object is locked skipped
C:\WINNT\CSC\00000003 Object is locked skipped
C:\WINNT\CSC\d1\00000020 Object is locked skipped
C:\WINNT\CSC\d1\00000110 Object is locked skipped
C:\WINNT\CSC\d2\00000011 Object is locked skipped
C:\WINNT\CSC\d2\00000169 Object is locked skipped
C:\WINNT\CSC\d3\0000017A Object is locked skipped
C:\WINNT\CSC\d5\00000024 Object is locked skipped
C:\WINNT\CSC\d6\0000010D Object is locked skipped
C:\WINNT\CSC\d6\00000165 Object is locked skipped
C:\WINNT\CSC\d6\80000195 Infected: Trojan.Win32.Agent.cnc skipped
C:\WINNT\CSC\d8\00000017 Object is locked skipped
C:\WINNT\Debug\Netlogon.log Object is locked skipped
C:\WINNT\Debug\oakley.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\system.LOG Object is locked skipped
C:\WINNT\system32\drivers\etc\hosts.20071102-085629.backup Infected: Trojan.Win32.Qhost.mg skipped
C:\WINNT\system32\drivers\etc\hosts.20071102-085733.backup Infected: Trojan.Win32.Qhost.mg skipped
C:\WINNT\system32\drivers\etc\hosts.20071102-092347.backup Infected: Trojan.Win32.Qhost.mg skipped
C:\WINNT\system32\drivers\etc\hosts.20071103-104455.backup Infected: Trojan.Win32.Qhost.mg skipped
C:\WINNT\system32\h323log.txt Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
G:\V_Data.ldb Object is locked skipped
G:\V_Data.mdb Object is locked skipped
H:\tmpms45.exe Infected: Trojan.Win32.Agent.cnc skipped
O:\Extreme Fitness 3\Technology\PNC\DJTBKUP\My Documents\Personal\Humor\Zippedhumor.zip/yourfunny.exe Infected: not-virus:BadJoke.Win32.Stupen.c skipped
O:\Extreme Fitness 3\Technology\PNC\DJTBKUP\My Documents\Personal\Humor\Zippedhumor.zip ZIP: infected - 1 skipped
O:\Extreme Fitness 3\Technology\PNC\DJTBKUP\Personal\Humor\Zippedhumor.zip/yourfunny.exe Infected: not-virus:BadJoke.Win32.Stupen.c skipped
O:\Extreme Fitness 3\Technology\PNC\DJTBKUP\Personal\Humor\Zippedhumor.zip ZIP: infected - 1 skipped

Scan process completed.
 
HijackThis Log...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:41, on 2007-11-08
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\ctfmon.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINNT\System32\RUNDLL32.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\APC\APC PowerChute Personal Edition\apcsystray.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINNT\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINNT\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [getPlusUninstall_ocx] rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\inf\GETPLUSo.INF, DefaultUninstall
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: APC UPS Status.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = extremepittsburgh.local
O17 - HKLM\Software\..\Telephony: DomainName = extremepittsburgh.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{37A6696E-199F-4577-A53C-0C4E9EA1D0C9}: NameServer = 192.168.2.10
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = extremepittsburgh.local
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe

--
End of file - 6413 bytes
 
HI

It's not as bad as it looks ...

Most of the infected files are in backups :-

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery (spybot's backup folder)
C:\qoobox\Quarantine (Combofix backup folder)
C:\System Volume Information\_restore (infected restore points, OK as long as you don't perform a system restore)

On your C: drive ...

1 infected dll file & 4 infected backed up HOSTS files ...

Please provide some information for km2357 ...

What are your H:\ & O:\ drives ?

Are they flash drives which were connected when you ran the scan, or are they hard-drives (from multiple partitions on your hard-drive)

RE: AVG ... km2357 will need to know the name of the file\process you are stopping & the location of the file.

Do NOT act upon anything I've said here, wait for km2357

steam
 
Well, that's good news. Thank you for the feedback.

The other drives that you asked about are not flash drives, but rather additional network drives. Technically speaking, they are part of a larger portioned drive and they were connected during the scan.

Also, because I was attempting to follow KM2357's directions explicitly, I did not attempt to ‘fix’ any of the problems after Kaspersky Online Scan ran – just ran and saved the report (KAV.txt). Just fyi…

-dthor
 
You must log in or register to reply here.
Back
Top