I have Spybot and Spyware Blaster both on my computer and keep them up to date. Yesterday, out of nowhere, my computer starting telling me I was infected. I was suspicious at first, and then noticed my desktop was blue with another warning. I ran Spybot and got 38 entries which included Smithfraud, Zango, 202, and several others. I have tried 4 times now to remove it with Spybot. ALthough it says the problems are fixed, they are not. They keep causing issues with the computer and show up everytime I run Spybot. Help!
Spyware that won't be removed!
- Thread starter AmerBamer
- Start date
- Status
Hijackthis log
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:39:59 AM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
c:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\sbwltbxa.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Timbuktu Pro\tb2logon.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Timbuktu Pro\minitb2.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Ocucom\PreCast\tmon.exe
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\lotus\notes\NCDaemon.exe
C:\Program Files\lotus\notes\ntaskldr.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
c:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
c:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Temp\Temporary Internet Files\Content.IE5\U1MHYTCN\HiJackThis_v2[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.medicalaffairs.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\tb2logon.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [DvVideo32] C:\WINDOWS\dvvid32.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe (User 'Default user')
O4 - Global Startup: PreCast Monitor.lnk = C:\Program Files\Ocucom\PreCast\tmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.lbcity.biz
O15 - Trusted Zone: http://armyproject.leoburnett.com
O15 - Trusted Zone: http://www.missioncontrolglobal.com
O15 - Trusted Zone: http://itproject.publicisgroupe.com
O15 - Trusted Zone: http://resourcesutility.publicisgroupe.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com/cabs/QOLCheck.ocx
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nelsoncomm.com
O17 - HKLM\Software\..\Telephony: DomainName = nelsoncomm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nelsoncomm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nelsoncomm.com
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - c:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - c:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe
--
End of file - 9902 bytes
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:39:59 AM, on 3/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
c:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\sbwltbxa.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Timbuktu Pro\tb2logon.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Timbuktu Pro\minitb2.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Ocucom\PreCast\tmon.exe
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\lotus\notes\NCDaemon.exe
C:\Program Files\lotus\notes\ntaskldr.EXE
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
c:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
c:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Temp\Temporary Internet Files\Content.IE5\U1MHYTCN\HiJackThis_v2[1].exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.medicalaffairs.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\tb2logon.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [DvVideo32] C:\WINDOWS\dvvid32.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe (User 'Default user')
O4 - Global Startup: PreCast Monitor.lnk = C:\Program Files\Ocucom\PreCast\tmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.lbcity.biz
O15 - Trusted Zone: http://armyproject.leoburnett.com
O15 - Trusted Zone: http://www.missioncontrolglobal.com
O15 - Trusted Zone: http://itproject.publicisgroupe.com
O15 - Trusted Zone: http://resourcesutility.publicisgroupe.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com/cabs/QOLCheck.ocx
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nelsoncomm.com
O17 - HKLM\Software\..\Telephony: DomainName = nelsoncomm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nelsoncomm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nelsoncomm.com
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - c:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - c:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe
--
End of file - 9902 bytes
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
Appears you did not read the directions, if you still want help, do so then follow these.
1) Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.
Then post it here.
2) Download Trend Micro Hijack This™
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.
Thanks
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
Appears you did not read the directions, if you still want help, do so then follow these.
1) Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.
Then post it here.
2) Download Trend Micro Hijack This™
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.
Thanks
KASPERSKY ONLINE SCANNER REPORT
Monday, March 31, 2008 4:55:59 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 31/03/2008
Kaspersky Anti-Virus database records: 605479
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
I:\
J:\
N:\
P:\
S:\
U:\
Z:\
Scan Statistics
Total number of scanned objects 253008
Number of viruses found 10
Number of infected objects 24
Number of suspicious objects 8
Duration of the scan process 07:02:22
Infected Object Name Virus Name Last Action
C:\99gcpf.exe Infected: Trojan-Downloader.Win32.Tiny.alr skipped
C:\Documents and Settings\ABrown\Application Data\PreCast\terrapin.xdb Object is locked skipped
C:\Documents and Settings\ABrown\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ABrown\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ABrown\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ABrown\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{89C66A0C-3DAA-4B4D-8FA9-59F06D3CFE35} Object is locked skipped
C:\Documents and Settings\ABrown\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ABrown\Local Settings\History\History.IE5\MSHist012008033120080401\index.dat Object is locked skipped
C:\Documents and Settings\ABrown\ntuser.dat Object is locked skipped
C:\Documents and Settings\ABrown\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\EmailOnDeliveryLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-03272008-153837.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_GA125-110321.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_GA125-110321.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip/updatetc.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant2.zip/180ax.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant3.zip/sais.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant3.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zango2.zip/zango.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zango2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\f34z2n.exe Infected: Trojan-Downloader.Win32.Tiny.alr skipped
C:\Program Files\lotus\notes\data\as_ABrown.nsf Object is locked skipped
C:\Program Files\lotus\notes\data\bookmark.nsf Object is locked skipped
C:\Program Files\lotus\notes\data\Cache.NDK Object is locked skipped
C:\Program Files\lotus\notes\data\desktop6.ndk Object is locked skipped
C:\Program Files\lotus\notes\data\headline.nsf Object is locked skipped
C:\Program Files\lotus\notes\data\IBM_TECHNICAL_SUPPORT\console.log Object is locked skipped
C:\Program Files\lotus\notes\data\log.nsf Object is locked skipped
C:\Program Files\lotus\notes\data\names.nsf Object is locked skipped
C:\Program Files\lotus\notes\data\perweb.nsf Object is locked skipped
C:\Program Files\Microsoft Office\OFFICE11\STARTUP\PDFMaker.dot Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{EA486083-850A-442C-89A8-CC22CCC15A5A}\RP5\change.log Object is locked skipped
C:\Temp\NAILogs\UpdaterUI_GA125-110321.log Object is locked skipped
C:\Temp\NLPgaa.tmp Object is locked skipped
C:\Temp\NLPhaa.tmp Object is locked skipped
C:\Temp\NLPiaa.tmp Object is locked skipped
C:\Temp\rsyncini.exe Infected: Trojan.Win32.Shutdowner.em skipped
C:\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Temp\~DF5366.tmp Object is locked skipped
C:\Temp\~DF5E25.tmp Object is locked skipped
C:\Temp\~DF632C.tmp Object is locked skipped
C:\Temp\~DFF80E.tmp Object is locked skipped
C:\Temp\~WRF0001.tmp Object is locked skipped
C:\Temp\~WRS0000.tmp Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\dvvid32.exe Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\L98ZGS3E\backsp32[1].exe Infected: not-virus:Hoax.Win32.Renos.bhz skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\sbwltbxa.exe Infected: not-virus:Hoax.Win32.Renos.bhz skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
I:\IRMS5\DB\DBAE.ldb Object is locked skipped
I:\IRMS5\DB\DBAE.mdb Object is locked skipped
I:\IRMS5\DB\DbData.ldb Object is locked skipped
I:\IRMS5\DB\DbData.mdb Object is locked skipped
I:\IRMS5\DB\DbReqs.ldb Object is locked skipped
I:\IRMS5\DB\DbReqs.mdb Object is locked skipped
J:\PHSG\Exit Info\Turnover\2008 Turnover Analysis - SOS.xls Object is locked skipped
S:\ARCHIVE (Master)\Past Employee User Folders\Deana\I T\Profiles\jcarozza\My Documents\PST folders\CHARPER.PST/Personal Folders/Inbox/22 Nov 2001 06:28 from CECEAug2@aol.com
no subject)/message.ZIP/MI48244.txt/[Date Sat, 17 Nov 2001 22:28:32 -0800]/START.EXE Infected: Email-Worm.Win32.Magistr.a skipped
S:\ARCHIVE (Master)\Past Employee User Folders\Deana\I T\Profiles\jcarozza\My Documents\PST folders\CHARPER.PST/Personal Folders/Inbox/22 Nov 2001 06:28 from CECEAug2@aol.comno subject)/message.ZIP/MI48244.txt Infected: Email-Worm.Win32.Magistr.a skipped
S:\ARCHIVE (Master)\Past Employee User Folders\Deana\I T\Profiles\jcarozza\My Documents\PST folders\CHARPER.PST/Personal Folders/Inbox/22 Nov 2001 06:28 from CECEAug2@aol.comno subject)/message.ZIP Infected: Email-Worm.Win32.Magistr.a skipped
S:\ARCHIVE (Master)\Past Employee User Folders\Deana\I T\Profiles\jcarozza\My Documents\PST folders\CHARPER.PST Mail MS Mail: infected - 3 skipped
S:\ARCHIVE (Master)\Past Employee User Folders\Deana\I T\Profiles\jcarozza\My Documents\PST folders\DTEPSIC.PST/Personal Folders/Deleted Items/05 Jul 2001 17:09 to 'auntdean@hotmail.com':FW: July Newsletter .rtf Infected: Email-Worm.VBS.KakWorm skipped
S:\ARCHIVE (Master)\Past Employee User Folders\Deana\I T\Profiles\jcarozza\My Documents\PST folders\DTEPSIC.PST/Personal Folders/Deleted Items/05 Jul 2001 16:27 to 'Hackler':RE: .rtf Infected: Email-Worm.VBS.KakWorm skipped
S:\ARCHIVE (Master)\Past Employee User Folders\Deana\I T\Profiles\jcarozza\My Documents\PST folders\DTEPSIC.PST/Personal Folders/Inbox/MSLs/American Red Cross/06 Jul 2000 20:15 from Lowry, Scott:Metric Schmetric!!!!/Lowry Metric June 2000 Infected: Virus.MSOffice.Triplicate.c skipped
S:\ARCHIVE (Master)\Past Employee User Folders\Deana\I T\Profiles\jcarozza\My Documents\PST folders\DTEPSIC.PST/Personal Folders/Inbox/MSLs/American Red Cross/08 Jun 2000 17:53 from Lowry, Scott:RE: Metric from Lowry/Metric West 5 2000 Infected: Virus.MSOffice.Triplicate.c skipped
S:\ARCHIVE (Master)\Past Employee User Folders\Deana\I T\Profiles\jcarozza\My Documents\PST folders\DTEPSIC.PST/Personal Folders/Inbox/MSLs/American Red Cross/09 May 2000 17:12 from Lowry, Scott:Bi weekly report + Metric/Metric lowry 4 00 Infected: Virus.MSOffice.Triplicate.c skipped
S:\ARCHIVE (Master)\Past Employee User Folders\Deana\I T\Profiles\jcarozza\My Documents\PST folders\DTEPSIC.PST/Personal Folders/Inbox/MSLs/Resumes/Recruiters, etc./30 Oct 2000 14:07 from Matt Scully
harmacy Today.rtf Infected: Email-Worm.VBS.KakWorm skipped
S:\ARCHIVE (Master)\Past Employee User Folders\Deana\I T\Profiles\jcarozza\My Documents\PST folders\DTEPSIC.PST Mail MS Mail: infected - 6 skipped
S:\ARCHIVE (Master)\Proposal templates\LCM Proposal.doc Object is locked skipped
S:\ARCHIVE (Master)\Proposal templates\Med Svcs PSA Template.doc Object is locked skipped
S:\ARCHIVE (Master)\Proposal templates\MSL Proposal.doc Object is locked skipped
S:\ARCHIVE (Master)\Proposal templates\MSL Training Program Proposal.doc Object is locked skipped
S:\ARCHIVE (Master)\SOS Capabilities.pps Object is locked skipped
S:\BUSINESS DEVELOPMENT (Master)\FORMS\FORM profile.ppt Object is locked skipped
S:\IT (Master)\backup\Evan\Backup-(2006-02-23).ipd Object is locked skipped
S:\IT (Master)\backup\Jason\Marlon\Oct182006.bkf/\az.exe Infected: IM-Worm.Win32.Kelvir.al skipped
S:\IT (Master)\backup\Jason\Marlon\Oct182006.bkf/\ce1pt.exe Infected: IM-Worm.Win32.Kelvir.al skipped
S:\IT (Master)\backup\Jason\Marlon\Oct182006.bkf/\cept.exe Infected: IM-Worm.Win32.Kelvir.al skipped
S:\IT (Master)\backup\Jason\Marlon\Oct182006.bkf/\dnx.exe Infected: IM-Worm.Win32.Kelvir.al skipped
S:\IT (Master)\backup\Jason\Marlon\Oct182006.bkf/\fdld.exe Infected: IM-Worm.Win32.Kelvir.al skipped
S:\IT (Master)\backup\Jason\Marlon\Oct182006.bkf/\ldfl.exe Infected: IM-Worm.Win32.Kelvir.ab skipped
S:\IT (Master)\backup\Jason\Marlon\Oct182006.bkf/\rofl.exe Infected: IM-Worm.Win32.Kelvir.az skipped
S:\IT (Master)\backup\Jason\Marlon\Oct182006.bkf MTF: infected - 7 skipped
S:\IT (Master)\backup\restore\Egwu\EgwuBackup-(2006-05-25).ipd Object is locked skipped
S:\IT (Master)\backups\RMurphy\My Documents\LimeWire\.NetworkShare\LimeWirePackedJars4.10.9.7z Object is locked skipped
S:\IT (Master)\backups\RMurphy\My Documents\LimeWire\.NetworkShare\LimeWireWin4.10.9.exe Object is locked skipped
S:\IT (Master)\backups\RMurphy\My Documents\LimeWire\LimeWire On Startup.lnk Object is locked skipped
S:\IT (Master)\backups\RMurphy\My Documents\LimeWire\LimeWire.exe Object is locked skipped
S:\IT (Master)\backups\RMurphy\My Documents\LimeWire\LimeWire.ico Object is locked skipped
S:\IT (Master)\backups\RMurphy\My Documents\LimeWire\LimeWire.jar Object is locked skipped
S:\IT (Master)\backups\RMurphy\My Documents\LimeWire\LimeWire20.dll Object is locked skipped
S:\IT (Master)\backups\RMurphy\My Documents\LimeWire\root\magnet10\limewire.gif Object is locked skipped
Monday, March 31, 2008 4:55:59 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 31/03/2008
Kaspersky Anti-Virus database records: 605479
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
I:\
J:\
N:\
P:\
S:\
U:\
Z:\
Scan Statistics
Total number of scanned objects 253008
Number of viruses found 10
Number of infected objects 24
Number of suspicious objects 8
Duration of the scan process 07:02:22
Infected Object Name Virus Name Last Action
C:\99gcpf.exe Infected: Trojan-Downloader.Win32.Tiny.alr skipped
C:\Documents and Settings\ABrown\Application Data\PreCast\terrapin.xdb Object is locked skipped
C:\Documents and Settings\ABrown\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\ABrown\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\ABrown\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\ABrown\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{89C66A0C-3DAA-4B4D-8FA9-59F06D3CFE35} Object is locked skipped
C:\Documents and Settings\ABrown\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\ABrown\Local Settings\History\History.IE5\MSHist012008033120080401\index.dat Object is locked skipped
C:\Documents and Settings\ABrown\ntuser.dat Object is locked skipped
C:\Documents and Settings\ABrown\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\EmailOnDeliveryLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\DesktopProtection\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-03272008-153837.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_GA125-110321.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_GA125-110321.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip/updatetc.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant2.zip/180ax.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant3.zip/sais.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant3.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zango2.zip/zango.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zango2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\f34z2n.exe Infected: Trojan-Downloader.Win32.Tiny.alr skipped
C:\Program Files\lotus\notes\data\as_ABrown.nsf Object is locked skipped
C:\Program Files\lotus\notes\data\bookmark.nsf Object is locked skipped
C:\Program Files\lotus\notes\data\Cache.NDK Object is locked skipped
C:\Program Files\lotus\notes\data\desktop6.ndk Object is locked skipped
C:\Program Files\lotus\notes\data\headline.nsf Object is locked skipped
C:\Program Files\lotus\notes\data\IBM_TECHNICAL_SUPPORT\console.log Object is locked skipped
C:\Program Files\lotus\notes\data\log.nsf Object is locked skipped
C:\Program Files\lotus\notes\data\names.nsf Object is locked skipped
C:\Program Files\lotus\notes\data\perweb.nsf Object is locked skipped
C:\Program Files\Microsoft Office\OFFICE11\STARTUP\PDFMaker.dot Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{EA486083-850A-442C-89A8-CC22CCC15A5A}\RP5\change.log Object is locked skipped
C:\Temp\NAILogs\UpdaterUI_GA125-110321.log Object is locked skipped
C:\Temp\NLPgaa.tmp Object is locked skipped
C:\Temp\NLPhaa.tmp Object is locked skipped
C:\Temp\NLPiaa.tmp Object is locked skipped
C:\Temp\rsyncini.exe Infected: Trojan.Win32.Shutdowner.em skipped
C:\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Temp\~DF5366.tmp Object is locked skipped
C:\Temp\~DF5E25.tmp Object is locked skipped
C:\Temp\~DF632C.tmp Object is locked skipped
C:\Temp\~DFF80E.tmp Object is locked skipped
C:\Temp\~WRF0001.tmp Object is locked skipped
C:\Temp\~WRS0000.tmp Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\dvvid32.exe Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\L98ZGS3E\backsp32[1].exe Infected: not-virus:Hoax.Win32.Renos.bhz skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\sbwltbxa.exe Infected: not-virus:Hoax.Win32.Renos.bhz skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
I:\IRMS5\DB\DBAE.ldb Object is locked skipped
I:\IRMS5\DB\DBAE.mdb Object is locked skipped
I:\IRMS5\DB\DbData.ldb Object is locked skipped
I:\IRMS5\DB\DbData.mdb Object is locked skipped
I:\IRMS5\DB\DbReqs.ldb Object is locked skipped
I:\IRMS5\DB\DbReqs.mdb Object is locked skipped
J:\PHSG\Exit Info\Turnover\2008 Turnover Analysis - SOS.xls Object is locked skipped
S:\ARCHIVE (Master)\Past Employee User Folders\Deana\I T\Profiles\jcarozza\My Documents\PST folders\CHARPER.PST/Personal Folders/Inbox/22 Nov 2001 06:28 from CECEAug2@aol.com
no subject)/message.ZIP/MI48244.txt/[Date Sat, 17 Nov 2001 22:28:32 -0800]/START.EXE Infected: Email-Worm.Win32.Magistr.a skipped S:\ARCHIVE (Master)\Past Employee User Folders\Deana\I T\Profiles\jcarozza\My Documents\PST folders\CHARPER.PST/Personal Folders/Inbox/22 Nov 2001 06:28 from CECEAug2@aol.com
no subject)/message.ZIP/MI48244.txt Infected: Email-Worm.Win32.Magistr.a skipped S:\ARCHIVE (Master)\Past Employee User Folders\Deana\I T\Profiles\jcarozza\My Documents\PST folders\CHARPER.PST/Personal Folders/Inbox/22 Nov 2001 06:28 from CECEAug2@aol.com
no subject)/message.ZIP Infected: Email-Worm.Win32.Magistr.a skipped S:\ARCHIVE (Master)\Past Employee User Folders\Deana\I T\Profiles\jcarozza\My Documents\PST folders\CHARPER.PST Mail MS Mail: infected - 3 skipped
S:\ARCHIVE (Master)\Past Employee User Folders\Deana\I T\Profiles\jcarozza\My Documents\PST folders\DTEPSIC.PST/Personal Folders/Deleted Items/05 Jul 2001 17:09 to 'auntdean@hotmail.com':FW: July Newsletter .rtf Infected: Email-Worm.VBS.KakWorm skipped
S:\ARCHIVE (Master)\Past Employee User Folders\Deana\I T\Profiles\jcarozza\My Documents\PST folders\DTEPSIC.PST/Personal Folders/Deleted Items/05 Jul 2001 16:27 to 'Hackler':RE: .rtf Infected: Email-Worm.VBS.KakWorm skipped
S:\ARCHIVE (Master)\Past Employee User Folders\Deana\I T\Profiles\jcarozza\My Documents\PST folders\DTEPSIC.PST/Personal Folders/Inbox/MSLs/American Red Cross/06 Jul 2000 20:15 from Lowry, Scott:Metric Schmetric!!!!/Lowry Metric June 2000 Infected: Virus.MSOffice.Triplicate.c skipped
S:\ARCHIVE (Master)\Past Employee User Folders\Deana\I T\Profiles\jcarozza\My Documents\PST folders\DTEPSIC.PST/Personal Folders/Inbox/MSLs/American Red Cross/08 Jun 2000 17:53 from Lowry, Scott:RE: Metric from Lowry/Metric West 5 2000 Infected: Virus.MSOffice.Triplicate.c skipped
S:\ARCHIVE (Master)\Past Employee User Folders\Deana\I T\Profiles\jcarozza\My Documents\PST folders\DTEPSIC.PST/Personal Folders/Inbox/MSLs/American Red Cross/09 May 2000 17:12 from Lowry, Scott:Bi weekly report + Metric/Metric lowry 4 00 Infected: Virus.MSOffice.Triplicate.c skipped
S:\ARCHIVE (Master)\Past Employee User Folders\Deana\I T\Profiles\jcarozza\My Documents\PST folders\DTEPSIC.PST/Personal Folders/Inbox/MSLs/Resumes/Recruiters, etc./30 Oct 2000 14:07 from Matt Scully
harmacy Today.rtf Infected: Email-Worm.VBS.KakWorm skipped S:\ARCHIVE (Master)\Past Employee User Folders\Deana\I T\Profiles\jcarozza\My Documents\PST folders\DTEPSIC.PST Mail MS Mail: infected - 6 skipped
S:\ARCHIVE (Master)\Proposal templates\LCM Proposal.doc Object is locked skipped
S:\ARCHIVE (Master)\Proposal templates\Med Svcs PSA Template.doc Object is locked skipped
S:\ARCHIVE (Master)\Proposal templates\MSL Proposal.doc Object is locked skipped
S:\ARCHIVE (Master)\Proposal templates\MSL Training Program Proposal.doc Object is locked skipped
S:\ARCHIVE (Master)\SOS Capabilities.pps Object is locked skipped
S:\BUSINESS DEVELOPMENT (Master)\FORMS\FORM profile.ppt Object is locked skipped
S:\IT (Master)\backup\Evan\Backup-(2006-02-23).ipd Object is locked skipped
S:\IT (Master)\backup\Jason\Marlon\Oct182006.bkf/\az.exe Infected: IM-Worm.Win32.Kelvir.al skipped
S:\IT (Master)\backup\Jason\Marlon\Oct182006.bkf/\ce1pt.exe Infected: IM-Worm.Win32.Kelvir.al skipped
S:\IT (Master)\backup\Jason\Marlon\Oct182006.bkf/\cept.exe Infected: IM-Worm.Win32.Kelvir.al skipped
S:\IT (Master)\backup\Jason\Marlon\Oct182006.bkf/\dnx.exe Infected: IM-Worm.Win32.Kelvir.al skipped
S:\IT (Master)\backup\Jason\Marlon\Oct182006.bkf/\fdld.exe Infected: IM-Worm.Win32.Kelvir.al skipped
S:\IT (Master)\backup\Jason\Marlon\Oct182006.bkf/\ldfl.exe Infected: IM-Worm.Win32.Kelvir.ab skipped
S:\IT (Master)\backup\Jason\Marlon\Oct182006.bkf/\rofl.exe Infected: IM-Worm.Win32.Kelvir.az skipped
S:\IT (Master)\backup\Jason\Marlon\Oct182006.bkf MTF: infected - 7 skipped
S:\IT (Master)\backup\restore\Egwu\EgwuBackup-(2006-05-25).ipd Object is locked skipped
S:\IT (Master)\backups\RMurphy\My Documents\LimeWire\.NetworkShare\LimeWirePackedJars4.10.9.7z Object is locked skipped
S:\IT (Master)\backups\RMurphy\My Documents\LimeWire\.NetworkShare\LimeWireWin4.10.9.exe Object is locked skipped
S:\IT (Master)\backups\RMurphy\My Documents\LimeWire\LimeWire On Startup.lnk Object is locked skipped
S:\IT (Master)\backups\RMurphy\My Documents\LimeWire\LimeWire.exe Object is locked skipped
S:\IT (Master)\backups\RMurphy\My Documents\LimeWire\LimeWire.ico Object is locked skipped
S:\IT (Master)\backups\RMurphy\My Documents\LimeWire\LimeWire.jar Object is locked skipped
S:\IT (Master)\backups\RMurphy\My Documents\LimeWire\LimeWire20.dll Object is locked skipped
S:\IT (Master)\backups\RMurphy\My Documents\LimeWire\root\magnet10\limewire.gif Object is locked skipped
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:58:45 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
c:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Timbuktu Pro\tb2logon.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Ocucom\PreCast\tmon.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Timbuktu Pro\minitb2.exe
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\lotus\notes\NCDaemon.exe
C:\Program Files\lotus\notes\ntaskldr.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
c:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.medicalaffairs.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\tb2logon.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [DvVideo32] C:\WINDOWS\dvvid32.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe (User 'Default user')
O4 - Global Startup: PreCast Monitor.lnk = C:\Program Files\Ocucom\PreCast\tmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.lbcity.biz
O15 - Trusted Zone: http://armyproject.leoburnett.com
O15 - Trusted Zone: http://www.missioncontrolglobal.com
O15 - Trusted Zone: http://itproject.publicisgroupe.com
O15 - Trusted Zone: http://resourcesutility.publicisgroupe.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com/cabs/QOLCheck.ocx
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nelsoncomm.com
O17 - HKLM\Software\..\Telephony: DomainName = nelsoncomm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nelsoncomm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nelsoncomm.com
O21 - SSODL: dlNgAOspMTJf - {74DABDC7-DE70-176D-8285-3B3E840361B5} - C:\WINDOWS\system32\lh.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - c:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - c:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe
O24 - Desktop Component 0: (no name) - (no file)
--
End of file - 9365 bytes
Scan saved at 4:58:45 PM, on 3/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
c:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
c:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Timbuktu Pro\tb2launch.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\TightVNC\WinVNC.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Network Associates\Common Framework\naPrdMgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\BacsTray.exe
C:\Program Files\Network Associates\Common Framework\UdaterUI.exe
C:\Program Files\Timbuktu Pro\tb2logon.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Ocucom\PreCast\tmon.exe
C:\Program Files\Network Associates\Common Framework\McTray.exe
C:\Program Files\Timbuktu Pro\minitb2.exe
C:\Program Files\lotus\notes\NLNOTES.EXE
C:\Program Files\lotus\notes\NCDaemon.exe
C:\Program Files\lotus\notes\ntaskldr.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Java\jre1.5.0_11\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
c:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
c:\Program Files\Microsoft Office\OFFICE11\EXCEL.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.medicalaffairs.com/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [bacstray] BacsTray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [TLogonPath] "C:\Program Files\Timbuktu Pro\tb2logon.exe"
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TightVNC\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKLM\..\Policies\Explorer\Run: [DvVideo32] C:\WINDOWS\dvvid32.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe (User 'Default user')
O4 - Global Startup: PreCast Monitor.lnk = C:\Program Files\Ocucom\PreCast\tmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Translate with &Babylon - res://C:\Program Files\Babylon\Babylon-Pro\Utils\BabylonIEPI.dll/Translate.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.lbcity.biz
O15 - Trusted Zone: http://armyproject.leoburnett.com
O15 - Trusted Zone: http://www.missioncontrolglobal.com
O15 - Trusted Zone: http://itproject.publicisgroupe.com
O15 - Trusted Zone: http://resourcesutility.publicisgroupe.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com/cabs/QOLCheck.ocx
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = nelsoncomm.com
O17 - HKLM\Software\..\Telephony: DomainName = nelsoncomm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = nelsoncomm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = nelsoncomm.com
O21 - SSODL: dlNgAOspMTJf - {74DABDC7-DE70-176D-8285-3B3E840361B5} - C:\WINDOWS\system32\lh.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - c:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - c:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: Tb2 Launch (Tb2Launch) - Netopia, Inc. - C:\Program Files\Timbuktu Pro\tb2launch.exe
O23 - Service: VNC Server (winvnc) - Constantin Kaplinsky - C:\Program Files\TightVNC\WinVNC.exe
O24 - Desktop Component 0: (no name) - (no file)
--
End of file - 9365 bytes
You have some problems including this nasty:
C:\WINDOWS\system32\sbwltbxa.exe
Looks like this: http://www.prevx.com/filenames/46269534975273348-X1/SBWLTBXA.EXE.html
First we need to deal with infections in the Kaspersky Online Scan and that will be tricky.
KASPERSKY ONLINE SCANNER REPORT Monday, March 31, 2008 4:55:59 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ <<< delete the contents of that folder in red
http://ict.cas.psu.edu/training/howto/util/removespybot.htm#1
If you can't see these files, look at this information:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
C:\99gcpf.exe <<< delete that file
C:\f34z2n.exe <<< delete that file
C:\Temp\rsyncini.exe <<< delete that file and the contents of that Temp folder
(the backup is infected with that worm, delete it)
S:\IT (Master)\backup\Jason\Marlon\Oct182006.bkf ------> IM-Worm.Win32.Kelvir.al
(I am only showing you one of these, if you want to see the rest, look at the KOS scan, personally I suggest you delete that archive, there are about ten (10) infected email there)
S:\ARCHIVE (Master)\Past Employee User Folders\Deana\I T\Profiles\jcarozza\My Documents\PST folders\CHARPER.PST/Personal Folders/Inbox/22 Nov 2001 06:28 fromno subject)/message.ZIP/MI48244.txt/[Date Sat, 17 Nov 2001 22:28:32 -0800]/START.EXE ------> Email-Worm.Win32.Magistr.a
___________________________________________________
Thanks to andymanchesta and anyone else who helped with the fix.
Download SDFix and save it to your Desktop
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally post the contents of the Report.txt back on the forum with a new HijackThis log
Thanks
C:\WINDOWS\system32\sbwltbxa.exe
Looks like this: http://www.prevx.com/filenames/46269534975273348-X1/SBWLTBXA.EXE.html
First we need to deal with infections in the Kaspersky Online Scan and that will be tricky.
KASPERSKY ONLINE SCANNER REPORT Monday, March 31, 2008 4:55:59 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ <<< delete the contents of that folder in red
http://ict.cas.psu.edu/training/howto/util/removespybot.htm#1
If you can't see these files, look at this information:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
C:\99gcpf.exe <<< delete that file
C:\f34z2n.exe <<< delete that file
C:\Temp\rsyncini.exe <<< delete that file and the contents of that Temp folder
(the backup is infected with that worm, delete it)
S:\IT (Master)\backup\Jason\Marlon\Oct182006.bkf ------> IM-Worm.Win32.Kelvir.al
(I am only showing you one of these, if you want to see the rest, look at the KOS scan, personally I suggest you delete that archive, there are about ten (10) infected email there)
S:\ARCHIVE (Master)\Past Employee User Folders\Deana\I T\Profiles\jcarozza\My Documents\PST folders\CHARPER.PST/Personal Folders/Inbox/22 Nov 2001 06:28 from
no subject)/message.ZIP/MI48244.txt/[Date Sat, 17 Nov 2001 22:28:32 -0800]/START.EXE ------> Email-Worm.Win32.Magistr.a ___________________________________________________
Thanks to andymanchesta and anyone else who helped with the fix.
Download SDFix and save it to your Desktop
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally post the contents of the Report.txt back on the forum with a new HijackThis log
Thanks
Due to the lack of feedback this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
Everyone else please begin a New Topic.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
Everyone else please begin a New Topic.
- Status