win32/darksma.x

Hi

Your system clock is wrong, please correct it.

Leftover:

O16 - DPF: {ff348b6e-fd21-11d4-a3f0-00c04fa32518} -

Related to yahoo toolbar:

O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.comp...bio5_1_6_0.cab

Bad entries:

O20 - Winlogon Notify: __c00C9AF9 - C:\WINNT\system32\__c00C9AF9.dat
O20 - Winlogon Notify: __c00F1BA4 - C:\WINNT\system32\__c00F1BA4.dat


Did you run killbox as instructed?

I mean that these files are still there:

C:\WINNT\system32\__c00C9AF9.dat
C:\WINNT\system32\__c00F1BA4.dat

If not, please do so now.
 
Last edited:
hmmm... killbox couldn't get rid of
O20 - Winlogon Notify: __c00C9AF9 - C:\WINNT\system32\__c00C9AF9.dat

Logfile of HijackThis v1.99.1
Scan saved at 5:35:06 PM, on 5/29/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2evxx.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Hijackthis\scanner.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\system32\HPZipm12.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar6.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar6.dll
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - Startup: Greetings Workshop Reminders.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135782094636
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab58570.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O20 - Winlogon Notify: __c00C9AF9 - C:\WINNT\system32\__c00C9AF9.dat
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
 
KillBox couldn't get rid of:
O20 - Winlogon Notify: __c00C9AF9 - C:\WINNT\system32\__c00C9AF9.dat

When I run KillBox and click on "Delete on Reboot" and "Delete File" ... up pops "File will be removed at reboot, do you want to reboot now" I then say "tes"... then up pops "verifying Registry entries..." then up pops another box with:

PendingFileRenameOperations Registry Data has been Removed by External Process!

After I reboot, HJT still lists
O20 - Winlogon Notify: __c00C9AF9 - C:\WINNT\system32\__c00C9AF9.dat
 
Hi

Yes, it looks like 50 % success.

Please download Process Explorer by Systernals from HERE

Then boot up in SAFE MODE

The rest of this fix must be done in safe mode.

Unzip Process Explorer and double click on procexp.exe

In the top section of the Process Explorer screen double click on winlogon.exe to bring up the winlogon.exe properties screen. Click on the Threads tab at the top.

Once you see this screen click on each instance of __c00C9AF9.dat once and then click the kill button.

After you have killed all of the __c00C9AF9.dat under winlogon click OK.

Click on the Threads tab at the top.

Once you have done that click OK again.

Next run HijackThis and place a check beside each of the following.

O20 - Winlogon Notify: __c00C9AF9 - C:\WINNT\system32\__c00C9AF9.dat

Now click fix checked and close HijackThis.

Double click on Killbox.exe and check the Delete on Reboot button.

When done Copy/Paste this into the "Full path of file to delete" box:

C:\WINNT\system32\__c00C9AF9.dat

Click the red and white "Delete File" button.
Click "Yes" at the first prompt .
Click "Yes" at the second.

Reboot.

After your computer has rebooted please run Hijackthis again and post a new HijackThis log.
 
so I'm on another PC making this post ...

In "Safe Mode" I got thru
1) procep.exe (stopped 2 processes of c00C9AF9.dat)
2) HJT .. killed c00C9AF9.dat
3) While still in Safe Mode, I pulled up Killbox .. browsed for the c00C9AF9.dat file ... selected it for "file to delete" .... hit 'delete' ... window popped up to "Confirm Delete" ... Selected "Yes"... up popped a window "File Access... file could not be deleted"

Here is what procep says is running on my malware pc:
winlogon.exe
ntdll
RPCRT4.dll
ntdll
winlogon.exe
WINMM.dll
winlogon.exe
cscdll
WINMM.dll
RPCRT4.dll
 
Hi

Ok, time for more powerful tools:

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINNT\system32\__c00C9AF9.dat
Click to expand...

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply
 
:bigthumb:
fixed ?????

---------------------------------------------------------------

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\tskhapcb

*******************

Script file located at: \??\C:\WINNT\system32\qvihqyim.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINNT\system32\__c00C9AF9.dat deleted successfully.

Completed script processing.

*******************

Finished! Terminate.





Logfile of HijackThis v1.99.1
Scan saved at 11:03:34 PM, on 5/30/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2evxx.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\vanguard.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Hijackthis\scanner.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\autodown.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar6.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar6.dll
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - Startup: Greetings Workshop Reminders.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135782094636
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab58570.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
 
Hi

Yes, looks like so :)

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Post:

- a fresh HijackThis log
- kaspersky report
 
KASPERSKY ONLINE SCANNER REPORT
Thursday, May 31, 2007 8:56:22 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 31/05/2007
Kaspersky Anti-Virus database records: 334594


Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 45731
Number of viruses found: 21
Number of infected objects: 45
Number of suspicious objects: 31
Duration of the scan process: 01:57:20

Infected Object Name / Virus Name / Last Action
C:\!KillBox\__c00C9AF9.dat Suspicious: Packed.Win32.Morphine.a skipped
C:\!KillBox\__c00C9AF9.dat( 1) Suspicious: Packed.Win32.Morphine.a skipped
C:\!KillBox\__c00C9AF9.dat( 2) Suspicious: Packed.Win32.Morphine.a skipped
C:\!KillBox\__c00C9AF9.dat( 3) Suspicious: Packed.Win32.Morphine.a skipped
C:\!KillBox\__c00C9AF9.dat( 4) Suspicious: Packed.Win32.Morphine.a skipped
C:\avenger\backup.zip/avenger/__c00C9AF9.dat Suspicious: Packed.Win32.Morphine.a skipped
C:\avenger\backup.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Desktop\update.exe/EXE-file Suspicious: Packed.Win32.Morphine.a skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Desktop\update.exe Embedded EXE: suspicious - 1 skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Desktop\update.exe.dat Suspicious: Packed.Win32.Morphine.a skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\Identities\{7403742A-09EB-49E3-AF81-0206CFDB60A1}\Microsoft\Outlook Express\cleanup.log Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\Identities\{7403742A-09EB-49E3-AF81-0206CFDB60A1}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\Identities\{7403742A-09EB-49E3-AF81-0206CFDB60A1}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\Identities\{7403742A-09EB-49E3-AF81-0206CFDB60A1}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\Identities\{7403742A-09EB-49E3-AF81-0206CFDB60A1}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\Identities\{B16B7DC4-0412-45A2-9627-F28DF0E69755}\Microsoft\Outlook Express\EZ Anti-Spam.dbx/[From Volksbanken Raiffeisenbanken AG][Date Sat, 02 Sep 2006 06:37:34 -0400 (EDT)]/UNNAMED/html Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\Identities\{B16B7DC4-0412-45A2-9627-F28DF0E69755}\Microsoft\Outlook Express\EZ Anti-Spam.dbx/[From Volksbanken Raiffeisenbanken AG][Date Sat, 02 Sep 2006 06:37:34 -0400 (EDT)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\Identities\{B16B7DC4-0412-45A2-9627-F28DF0E69755}\Microsoft\Outlook Express\EZ Anti-Spam.dbx Mail MS Outlook 5: infected - 2 skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Application Data\QurbOE\MsgInfo.dat Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\History\History.IE5\MSHist012007053020070531\index.dat Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Temp\~DFB6A9.tmp Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Temp\~DFCBFF.tmp Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\TRANTGP.GPTNOTEBOOK\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\Common Files\Companion Wizard\WapCHK.dll Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.2006 skipped
C:\QooBox\Quarantine\C\WINNT\b122.exe.vir/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\QooBox\Quarantine\C\WINNT\b122.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
C:\QooBox\Quarantine\C\WINNT\b122.exe.vir NSIS: infected - 2 skipped
C:\QooBox\Quarantine\C\WINNT\retadpu1000106.exe.vir Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\QooBox\Quarantine\C\WINNT\retadpu2000219.exe.vir Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\QooBox\Quarantine\C\WINNT\system32\ddcyv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\QooBox\Quarantine\C\WINNT\system32\dikstldr.dll.vir Infected: Packed.Win32.Klone.j skipped
C:\QooBox\Quarantine\C\WINNT\system32\dwckcacl.dll.vir Infected: Trojan.Win32.BHO.o skipped
C:\QooBox\Quarantine\C\WINNT\system32\iiihe.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\QooBox\Quarantine\C\WINNT\system32\leiancrv.dll.vir Infected: Trojan.Win32.BHO.o skipped
C:\QooBox\Quarantine\C\WINNT\system32\smpi1\lb66.exe.vir/unknown2.bin Infected: not-a-virus:AdWare.Win32.Ucmore.e skipped
C:\QooBox\Quarantine\C\WINNT\system32\smpi1\lb66.exe.vir/UCMTSAIE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore.a skipped
C:\QooBox\Quarantine\C\WINNT\system32\smpi1\lb66.exe.vir/IUCMORE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore skipped
C:\QooBox\Quarantine\C\WINNT\system32\smpi1\lb66.exe.vir ZIP: infected - 3 skipped
C:\QooBox\Quarantine\C\WINNT\system32\smpi1\lb66.exe.vir WiseSFX Dropper: infected - 3 skipped
C:\QooBox\Quarantine\C\WINNT\system32\smpi1\lib06.exe.vir Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\QooBox\Quarantine\C\WINNT\system32\smpi1\lib67.exe.vir Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\C\WINNT\system32\tuvtrol.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINNT\system32\uqmryanc.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kb skipped
C:\QooBox\Quarantine\C\WINNT\system32\ydjfmydl.dll.vir Infected: Packed.Win32.Klone.j skipped
C:\QooBox\Quarantine\C\WINNT\VTTC.exe.vir/data0004 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\QooBox\Quarantine\C\WINNT\VTTC.exe.vir NSIS: infected - 1 skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc1 Suspicious: Packed.Win32.Morphine.a skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc11.dat Suspicious: Packed.Win32.Morphine.a skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc12 Suspicious: Packed.Win32.Morphine.a skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc13 Suspicious: Packed.Win32.Morphine.a skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc14 Suspicious: Packed.Win32.Morphine.a skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc15.dat Suspicious: Packed.Win32.Morphine.a skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc16 Suspicious: Packed.Win32.Morphine.a skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc2 Suspicious: Packed.Win32.Morphine.a skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc3 Suspicious: Packed.Win32.Morphine.a skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc4.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc5 Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc6 Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc7 Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc8.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\RECYCLER\S-1-5-21-1652376794-1690639982-1337592118-1002\Dc9 Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\TTC.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\VundoFix Backups\csvpfhxg.dll.bad Object is locked skipped
C:\VundoFix Backups\ddcyv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\leiancrv.dll.bad Infected: Trojan.Win32.BHO.o skipped
C:\VundoFix Backups\musuloyk.dll.bad Infected: Trojan.Win32.BHO.g skipped
C:\VundoFix Backups\nnnli.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\pjcmhmeo.dll.bad Object is locked skipped
C:\VundoFix Backups\qomjk.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\rqroo.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\VundoFix Backups\tuvtrol.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\vwqnffih.dll.bad Infected: Trojan.Win32.BHO.g skipped
C:\VundoFix Backups\ydwfcnnu.dll.bad Object is locked skipped
C:\WINNT\Cache32\Business Card Designer Plus 7.9.exe Suspicious: Type_Win32 skipped
C:\WINNT\Cache32\C&C Generals_crack.exe Suspicious: Type_Win32 skipped
C:\WINNT\Cache32\GetRight 5.0a.exe Suspicious: Type_Win32 skipped
C:\WINNT\Cache32\Hot Babes XXX Screen Saver.exe Suspicious: Type_Win32 skipped
C:\WINNT\Cache32\IrfanView 4.5.exe Suspicious: Type_Win32 skipped
C:\WINNT\Cache32\Network Cable e ADSL Speed 2.0.5.exe Suspicious: Type_Win32 skipped
C:\WINNT\Cache32\TweakAll 3.8.exe Suspicious: Type_Win32 skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Downloaded Program Files\SbCIe026.dll Infected: not-a-virus:AdWare.Win32.SideStep.c skipped
C:\WINNT\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\WINNT\Drivers\TPP\tppun.exe Suspicious: Type_Win32 skipped
C:\WINNT\Internet Logs\BLACKDELL.ldb Object is locked skipped
C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\SBO\SB1065.exe Infected: Trojan-Downloader.Win32.VB.fn skipped
C:\WINNT\Temp\ZLT01175.TMP Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
C:\WINNT\yc.exe/EXE-file Suspicious: Packed.Win32.Morphine.a skipped
C:\WINNT\yc.exe Embedded EXE: suspicious - 1 skipped
C:\WINNT\yc.exe.dat Suspicious: Packed.Win32.Morphine.a skipped
D:\Program Files\KaZaA Lite\TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.o skipped
D:\Program Files\ShareMonkey\unins000.exe Suspicious: Type_Win32 skipped

Scan process completed.
 
Logfile of HijackThis v1.99.1
Scan saved at 8:58:09 PM, on 5/31/2007
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\ati2evxx.exe
C:\WINNT\System32\drivers\CDAC11BA.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
C:\WINNT\System32\DRIVERS\dcfssvc.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\wanmpsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Hijackthis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\program files\google\googletoolbar6.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\program files\google\googletoolbar6.dll
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [QOELOADER] "C:\Program Files\CA\eTrust EZ Armor\eTrust Anti-Spam\QSP-2.1.215.5\QOELoader.exe"
O4 - Startup: Greetings Workshop Reminders.lnk.disabled
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\Netscape\Communicator\Program\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1135782094636
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://webchat.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} (ZPA_HRTZ Object) - http://zone.msn.com/bingame/zpagames/zpa_hrtz.cab58570.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30155.www3.hp.com/ediags/hpfix/aio/en/check/qdiagh.cab?326
O20 - Winlogon Notify: NavLogon - C:\WINNT\System32\NavLogon.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\System32\ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINNT\System32\drivers\CDAC11BA.EXE
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: dcfssvc (Dcfssvc) - Eastman Kodak Company - C:\WINNT\System32\DRIVERS\dcfssvc.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINNT\wanmpsvc.exe
 
Hi

Delete these:

C:\TTC.dll
C:\WINNT\Cache32\Business Card Designer Plus 7.9.exe
C:\WINNT\Cache32\C&C Generals_crack.exe
C:\WINNT\Cache32\GetRight 5.0a.exe
C:\WINNT\Cache32\Hot Babes XXX Screen Saver.exe
C:\WINNT\Cache32\IrfanView 4.5.exe
C:\WINNT\Cache32\Network Cable e ADSL Speed 2.0.5.exe
C:\WINNT\Cache32\TweakAll 3.8.exe (delete entire Cache32 folder if you don't recognize anything inside it)
C:\WINNT\Downloaded Program Files\SbCIe026.dll
C:\WINNT\Downloaded Program Files\UWA7P_0001_N91M0809NetInstaller.exe
C:\WINNT\Drivers\TPP\tppun.exe
C:\WINNT\system32\SBO\SB1065.exe
C:\WINNT\yc.exe
C:\WINNT\yc.exe.dat
D:\Program Files\KaZaA Lite\TopSearch.dll
D:\Program Files\ShareMonkey\unins000.exe

Empty these folders:

C:\!KillBox\
C:\avenger\
C:\QooBox\Quarantine\
C:\VundoFix Backups\

Empty Recycle Bin

Re-scan with kaspersky

Post:

- a fresh HijackThis log
- kaspersky report
 
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
 
You must log in or register to reply here.
Back
Top