Infected With Trojan !update.exe


7 replies to this topic

#1 whiteshoes

Posted 16 October 2006 - 11:56 AM

Hi... I am hoping somebody can help me. I keep getting the same trojan coming up on my PC. I am using AVG anti-virus, which keeps detecting it; I then heal the virus, but some hours later it reappears. This has been going on for over a week now and I don't know how to permanently get rid of this pest. When AVG detects it, the file name it gives is !update.exe. I have followed all the steps in the preparation guide before posting my HijackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 17:54:32, on 16/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Zonelabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ECI Telecoms\ECI USB ADSL\dslmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\johnny\My Documents\poker\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R3 - URLSearchHook: (no name) - {D0A8BFAA-5669-7DBC-4570-5EF077BA6C90} - C:\WINDOWS\system32\rnfzz.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {D0A8BFAA-5669-7DBC-4570-5EF077BA6C90} - C:\WINDOWS\system32\rnfzz.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [rundll32] C:\WINDOWS\rundll.exe
O4 - HKCU\..\Run: [Ooaa] "C:\DOCUME~1\johnny\MYDOCU~1\CROSOF~1.NET\dllhost.exe" -vt yazb
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: DSLMON.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: PokerTime Poker - {7220F1C9-B7E0-47a6-A0BD-D5B3940BCC79} - C:\Program Files\PokerTimeMPP\MPPoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra 'Tools' menuitem: Noble Poker - {B723B1B8-9788-4684-ADA7-D1DB02E1D516} - C:\Program Files\Noble Poker\casino.exe
O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\Program Files\MANSION\Villa\MANSION.exe
O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\Program Files\MANSION\Villa\MANSION.exe
O9 - Extra button: PokerTime.net Poker - {E28AB5C9-B58F-4512-AF80-29001BC5A29D} - C:\Program Files\PokerTimeGuestMPP\MPPoker.exe (file missing)
O9 - Extra button: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: AbsolutePoker.com - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (HKCU)
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F98} (CR64Loader Object) - http://www.miniclip.com/puzzlepirates/miniclipGameLoader.dll
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promotion...anner371050.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {AED98630-0251-4E83-917D-43A23D66D507} (Download Helper Class) - http://activex.microgaming.com/DLhelper/ve...n7/dlhelper.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B655B0A6-1D79-4C01-89F8-6B6DD7A8F737}: NameServer = 213.130.128.32 213.130.128.33
O20 - Winlogon Notify: WgaLogon - WgaLogon.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Crypkey License - Kenonic Controls Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\Zonelabs\vsmon.exe

#2 Guest_Cretemonster_*

Posted 17 October 2006 - 04:51 AM

Hi whiteshoes and Welcome to the Bleeping Computer!


Please download Combofix to your desktop.
http://download.bleepingcomputer.com/sUBs/combofix.exe

Double-click combo.exe to launch the application.

Follow the prompts that will be displayed on the screen.

Don't click on the window while the fix is running, because that will cause your system to hang.

When finished, it should produce a log, combofix.txt

Please post that log in the next reply.

#3 whiteshoes (Topic Starter)

Posted 17 October 2006 - 05:18 AM

Thanks for your reply, Cretemonster. Here is the ComboFix log you asked for.
johnny - 06-10-17 11:08:23.53 Service Pack 2
ComboFix 06.10.16 - Running from: "C:\Documents and Settings\johnny\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-17 to 2006-10-17 ))))))))))))))))))))))))))))))))))


2006-10-16 17:23 77,824 --a------ C:\WINDOWS\system32\driverif.dll
2006-10-16 17:23 733,236 --a------ C:\WINDOWS\system32\vete.dll
2006-10-16 17:23 541,733 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2006-10-16 17:23 21,605 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2006-10-16 17:23 15,668 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2006-10-16 17:23 12,288 --a------ C:\WINDOWS\system32\vetntmsg.dll
2006-10-16 17:23 108,453 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2006-10-13 22:29 81,920 --a------ C:\WINDOWS\system32\SGUserInfo.dll
2006-10-13 22:29 37,224 --a------ C:\WINDOWS\system32\SageStorage.dll
2006-10-13 22:29 356,352 --a------ C:\WINDOWS\system32\SGINFMR.dll
2006-10-13 22:29 348,216 --a------ C:\WINDOWS\system32\SW9DBC32.dll
2006-10-13 22:29 253,952 --a------ C:\WINDOWS\system32\SageBankReconciliation.dll
2006-10-13 22:29 167,936 --a------ C:\WINDOWS\system32\SGXMLQry.dll
2006-10-13 22:29 143,360 --a------ C:\WINDOWS\system32\SageNatWestBankline.dll
2006-10-13 22:29 143,360 --a------ C:\WINDOWS\system32\SageBarclaysBusinessMasterII.dll
2006-10-13 22:29 139,264 --a------ C:\WINDOWS\system32\SGISAQry.dll
2006-10-13 22:29 139,264 --a------ C:\WINDOWS\system32\SageBankPayments.dll
2006-10-13 22:29 135,168 --a------ C:\WINDOWS\system32\SageNatWestOnline.dll
2006-10-13 22:29 135,168 --a------ C:\WINDOWS\system32\SageBarclaysOnline.dll
2006-10-13 22:29 127,352 --a------ C:\WINDOWS\system32\SageSoftwareUpdate.dll
2006-10-13 22:29 126,976 --a------ C:\WINDOWS\system32\SGInfProgressBar.dll
2006-10-13 22:29 126,976 --a------ C:\WINDOWS\system32\sageebanking.dll
2006-10-13 22:29 126,976 --a------ C:\WINDOWS\system32\SageBankBalances.dll
2006-10-13 22:29 119,160 --a------ C:\WINDOWS\system32\SageFolderBrowse.dll
2006-10-02 14:11 52,224 --a------ C:\WINDOWS\system32\Crypserv.exe
2006-10-02 14:11 27,648 -ra------ C:\WINDOWS\Setup_ck.exe
2006-10-02 14:11 24,608 --a------ C:\WINDOWS\system32\Ckldrv.sys
2006-10-02 14:11 18,432 --a------ C:\WINDOWS\Setup_ck.dll
2006-10-02 14:11 165,888 --a------ C:\WINDOWS\Ckconfig.exe
2006-10-02 14:11 11,776 --a------ C:\WINDOWS\Ckrfresh.exe
2006-10-01 18:08 2 --a------ C:\WINDOWS\system32\wnsapiit.exe
2006-10-01 18:08 126,976 --a------ C:\WINDOWS\system32\rnfzz.dll
2006-09-27 19:52 295,952 --a------ C:\WINDOWS\SCRANTIC.SCR
2006-09-21 18:08 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-17 11:07 -------- d-------- C:\Documents and Settings\johnny\Application Data\Vso
2006-10-16 23:00 -------- d-------- C:\Program Files\Absolute Poker
2006-10-16 17:43 -------- d-------- C:\Program Files\Noble Poker
2006-10-16 17:36 -------- d-------- C:\Documents and Settings\johnny\Application Data\MailFrontier
2006-10-15 12:42 -------- d-------- C:\Program Files\Mystery Case Files - Prime Suspects
2006-10-13 22:30 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-13 22:29 -------- d-------- C:\Program Files\Sage EBanking
2006-10-13 22:29 -------- d-------- C:\Program Files\Informer50
2006-10-13 22:28 -------- d-------- C:\Program Files\Sage
2006-10-13 22:28 -------- d-------- C:\Program Files\Common Files\Sage Line50
2006-10-13 22:28 -------- d-------- C:\Program Files\Common Files
2006-10-13 22:06 -------- d-------- C:\Program Files\PacificPoker
2006-10-13 14:10 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-10 18:27 -------- d-------- C:\Program Files\Morpheus
2006-10-10 18:20 -------- d-------- C:\Documents and Settings\johnny\Application Data\Morpheus
2006-10-08 18:55 -------- d-------- C:\Program Files\FinalAlert 2 Yuri's Revenge
2006-10-08 17:56 441328 --a------ C:\Documents and Settings\johnny\Application Data\NMM-MetaData.db
2006-10-06 22:20 -------- d-------- C:\Documents and Settings\johnny\Application Data\Microgaming
2006-10-06 13:34 -------- d-------- C:\Program Files\LimeWire
2006-10-05 17:37 -------- d-------- C:\Program Files\Spyware Doctor
2006-10-05 16:44 51072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2006-10-05 16:44 30592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2006-10-04 14:42 -------- d-------- C:\Program Files\SmartDraw 7
2006-10-04 01:45 -------- d-------- C:\Documents and Settings\johnny\Application Data\dvdcss
2006-10-02 14:26 -------- d-------- C:\Program Files\Mystery Case Files Huntsville
2006-10-01 18:08 -------- d-------- C:\Documents and Settings\johnny\Application Data\àppPatch
2006-09-29 19:18 -------- d-------- C:\Program Files\PokerTimeMPP
2006-09-27 09:27 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-24 15:44 -------- d-------- C:\Program Files\ACD Systems
2006-09-21 18:22 -------- d-------- C:\Program Files\vso
2006-09-21 18:08 81920 --a------ C:\Documents and Settings\johnny\Application Data\ezpinst.exe
2006-09-21 18:08 7176 --a------ C:\Documents and Settings\johnny\Application Data\pcouffin.cat
2006-09-21 18:08 47360 --a------ C:\Documents and Settings\johnny\Application Data\pcouffin.sys
2006-09-21 18:08 34 --a------ C:\Documents and Settings\johnny\Application Data\pcouffin.log
2006-09-21 18:08 1144 --a------ C:\Documents and Settings\johnny\Application Data\pcouffin.inf
2006-09-19 13:00 -------- d---s---- C:\Documents and Settings\johnny\Application Data\Microsoft
2006-09-17 00:31 -------- d-------- C:\Program Files\American Conquest
2006-09-16 19:13 -------- d-------- C:\Program Files\Sierra
2006-09-13 16:25 -------- d-------- C:\Documents and Settings\johnny\Application Data\VSO_HWE
2006-09-13 06:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-10 10:24 -------- d-------- C:\Documents and Settings\johnny\Application Data\SmartDraw
2006-09-08 19:22 -------- d-------- C:\Program Files\Collectorz.com
2006-09-05 11:52 -------- d-------- C:\Program Files\e-PDF To Word Converter
2006-09-05 11:45 -------- d-------- C:\Documents and Settings\johnny\Application Data\Adobe
2006-09-05 11:36 -------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-09-05 11:34 -------- d-------- C:\Program Files\Common Files\Adobe
2006-08-29 12:58 -------- d-------- C:\Documents and Settings\johnny\Application Data\Nokia Multimedia Player
2006-08-29 12:57 -------- d-------- C:\Documents and Settings\johnny\Application Data\Datalayer
2006-08-28 21:01 -------- d-------- C:\Program Files\Poker.com
2006-08-28 15:32 -------- d-------- C:\Documents and Settings\johnny\Application Data\Atari
2006-08-27 20:31 -------- d-------- C:\Program Files\LDC Theory Test 2005
2006-08-25 16:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-24 07:04 -------- d-------- C:\Documents and Settings\johnny\Application Data\AVG7
2006-08-23 23:38 75776 --a------ C:\WINDOWS\zllsputility.exe
2006-08-21 13:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 10:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-21 09:55 -------- d-------- C:\Program Files\Flight3
2006-08-16 12:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-14 14:10 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-07-27 14:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 09:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"rundll32"="C:\\WINDOWS\\rundll.exe"
"Ooaa"="\"C:\\DOCUME~1\\johnny\\MYDOCU~1\\CROSOF~1.NET\\dllhost.exe\" -vt yazb"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
@=""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Spyware Doctor"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Spyware Doctor"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Acrobat Speed Launcher.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Acrobat Speed Launcher.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Installer\\{AC76BA86-1033-0000-7760-000000000002}\\SC_Acrobat.exe "
"item"="Adobe Acrobat Speed Launcher"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZoneAlarm Pro.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\ZoneAlarm Pro.lnk"
"backup"="C:\\WINDOWS\\pss\\ZoneAlarm Pro.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zapro.exe -nopopup"
"item"="ZoneAlarm Pro"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^johnny^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
"path"="C:\\Documents and Settings\\johnny\\Start Menu\\Programs\\Startup\\RollerCoaster Tycoon 3 Registration.lnk"
"backup"="C:\\WINDOWS\\pss\\RollerCoaster Tycoon 3 Registration.lnkStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\johnny\\Local Settings\\Temp\\{1575BDB2-E6D6-45D8-A92F-E27FC698A11F}\\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\\ATR1.exe /remind /language=ENG /PRNM=\"RollerCoaster Tycoon 3\"/PRMP=\"RCT3\"/SKUN=\"PCXX\"/GTYP=\"STRY\""
"item"="RollerCoaster Tycoon 3 Registration"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="OEMReset"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\Options\\OEMReset.exe /Audit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Acrotray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoLoaderAproposClient]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CXTPLS~1"
"hkey"="HKLM"
"command"="\"C:\\temp\\CXTPLS~1.EXE\" /PC=CP.CDT4 /ShowLegalNote=nonbranded /ForSupportedBrowsers /HideUninstall /HideDir"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullsEye Network]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bargains"
"hkey"="HKLM"
"command"="C:\\Program Files\\BullsEye Network\\bin\\bargains.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CloneCDTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dlkav]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="n?tdde"
"hkey"="HKCU"
"command"="C:\\Documents and Settings\\johnny\\Application Data\\?ppPatch\\n?tdde.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMprocess]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IM-svr"
"hkey"="HKLM"
"command"="C:\\Program Files\\IM Names\\IM-svr.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="optimize"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBt3RQd9h]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="helsink"
"hkey"="HKCU"
"command"="helsink.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Pass]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MediaPassK"
"hkey"="HKLM"
"command"="C:\\Program Files\\Media Pass\\MediaPassK.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NBJ"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LAUNCH~1"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\salm]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="salm"
"hkey"="HKLM"
"command"="c:\\temp\\salm.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VVSN"
"hkey"="HKLM"
"command"="C:\\Program Files\\VVSN\\VVSN.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-17 11:13:37.21
C:\ComboFix.txt ... 06-10-17 11:13

#4 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 17 October 2006 - 05:39 AM

I need you to get a file scanned please.

C:\WINDOWS\system32\wnsapiit.exe

Have that file scanned here
http://www.virustotal.com/en/indexf.html

Save any results to notepad and post them in the next reply, please.


Open HijackThis-> Click "Do a System Scan Only" and put a check by these but DO NOT hit the Fix Checked button yet

R3 - URLSearchHook: (no name) - {D0A8BFAA-5669-7DBC-4570-5EF077BA6C90} - C:\WINDOWS\system32\rnfzz.dll

O2 - BHO: (no name) - {D0A8BFAA-5669-7DBC-4570-5EF077BA6C90} - C:\WINDOWS\system32\rnfzz.dll

O4 - HKCU\..\Run: [rundll32] C:\WINDOWS\rundll.exe

O4 - HKCU\..\Run: [Ooaa] "C:\DOCUME~1\johnny\MYDOCU~1\CROSOF~1.NET\dllhost.exe" -vt yazb

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


I need you to move combofix.exe to your primary C:\ drive please.

It must be there for the next step to work.


Click Start--> Click Run--> Copy&Paste the bold text below into the open Run Box and Click OK.

%systemdrive%\combofix.exe /v rnfzz

Let combofix run and save the resulting log.


Make sure Windows is Showing Hidden Files
http://www.bleepingcomputer.com/tutorials/...al62.html#winxp

Search for and Delete if found

C:\WINDOWS\rundll.exe<-- Match the name exactly as I have listed and make sure you only look in the Windows folder!



Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, Click Full System Scan
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply along with the new ComboFix log.

Edited by Cretemonster, 17 October 2006 - 05:40 AM.


#5 whiteshoes

whiteshoes
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE
  • Local time:05:19 AM

Posted 17 October 2006 - 01:14 PM

Thanks again Cretemonster, the info you required is below, but before that, 2 of the 4 items you asked me to check and delete in HijackThis were not present:

O4 - HKCU\..\Run: [rundll32] C:\WINDOWS\rundll.exe

O4 - HKCU\..\Run: [Ooaa] "C:\DOCUME~1\johnny\MYDOCU~1\CROSOF~1.NET\dllhost.exe" -vt yazb

Here are the 3 logs you requested.

1
STATUS: FINISHEDComplete scanning result of "wnsapiit.exe", received in VirusTotal at 10.17.2006, 18:13:07 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.30 10.17.2006 no virus found
Authentium 4.93.8 10.16.2006 no virus found
Avast 4.7.892.0 10.17.2006 no virus found
AVG 386 10.17.2006 no virus found
BitDefender 7.2 10.17.2006 no virus found
CAT-QuickHeal 8.00 10.17.2006 no virus found
ClamAV devel-20060426 10.17.2006 no virus found
DrWeb 4.33 10.17.2006 no virus found
eTrust-InoculateIT 23.73.24 10.17.2006 no virus found
eTrust-Vet 30.3.3139 10.17.2006 no virus found
Ewido 4.0 10.17.2006 no virus found
Fortinet 2.82.0.0 10.17.2006 no virus found
F-Prot 3.16f 10.16.2006 no virus found
F-Prot4 4.2.1.29 10.16.2006 no virus found
Ikarus 0.2.65.0 10.17.2006 no virus found
Kaspersky 4.0.2.24 10.17.2006 no virus found
McAfee 4874 10.16.2006 no virus found
Microsoft 1.1603 10.17.2006 no virus found
NOD32v2 1.1807 10.17.2006 no virus found
Norman 5.80.02 10.16.2006 no virus found
Panda 9.0.0.4 10.17.2006 no virus found
Sophos 4.10.0 10.15.2006 no virus found
TheHacker 6.0.1.099 10.16.2006 no virus found
UNA 1.83 10.16.2006 no virus found
VBA32 3.11.1 10.17.2006 no virus found
VirusBuster 4.3.7:9 10.17.2006 no virus found


Aditional Information
File size: 2 bytes
MD5: 4f3dd0ffb3e41c5f74b5b0d8c1f10bb5
SHA1: e688cf7414fb701c4495010d43a4eaaaeac71768




2
johnny - 06-10-17 17:29:55.53 Service Pack 2
ComboFix 06.10.16 - Running from: "C:\"
Command switches used :: /v rnfzz

((((((((((((((((((((((((((((((( Files Created from 2006-09-17 to 2006-10-17 ))))))))))))))))))))))))))))))))))


2006-10-17 11:06 276,886 --a------ C:\combofix.exe
2006-10-16 17:23 77,824 --a------ C:\WINDOWS\system32\driverif.dll
2006-10-16 17:23 733,236 --a------ C:\WINDOWS\system32\vete.dll
2006-10-16 17:23 541,733 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2006-10-16 17:23 21,605 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2006-10-16 17:23 15,668 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2006-10-16 17:23 12,288 --a------ C:\WINDOWS\system32\vetntmsg.dll
2006-10-16 17:23 108,453 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2006-10-13 22:29 81,920 --a------ C:\WINDOWS\system32\SGUserInfo.dll
2006-10-13 22:29 37,224 --a------ C:\WINDOWS\system32\SageStorage.dll
2006-10-13 22:29 356,352 --a------ C:\WINDOWS\system32\SGINFMR.dll
2006-10-13 22:29 348,216 --a------ C:\WINDOWS\system32\SW9DBC32.dll
2006-10-13 22:29 253,952 --a------ C:\WINDOWS\system32\SageBankReconciliation.dll
2006-10-13 22:29 167,936 --a------ C:\WINDOWS\system32\SGXMLQry.dll
2006-10-13 22:29 143,360 --a------ C:\WINDOWS\system32\SageNatWestBankline.dll
2006-10-13 22:29 143,360 --a------ C:\WINDOWS\system32\SageBarclaysBusinessMasterII.dll
2006-10-13 22:29 139,264 --a------ C:\WINDOWS\system32\SGISAQry.dll
2006-10-13 22:29 139,264 --a------ C:\WINDOWS\system32\SageBankPayments.dll
2006-10-13 22:29 135,168 --a------ C:\WINDOWS\system32\SageNatWestOnline.dll
2006-10-13 22:29 135,168 --a------ C:\WINDOWS\system32\SageBarclaysOnline.dll
2006-10-13 22:29 127,352 --a------ C:\WINDOWS\system32\SageSoftwareUpdate.dll
2006-10-13 22:29 126,976 --a------ C:\WINDOWS\system32\SGInfProgressBar.dll
2006-10-13 22:29 126,976 --a------ C:\WINDOWS\system32\sageebanking.dll
2006-10-13 22:29 126,976 --a------ C:\WINDOWS\system32\SageBankBalances.dll
2006-10-13 22:29 119,160 --a------ C:\WINDOWS\system32\SageFolderBrowse.dll
2006-10-02 14:11 52,224 --a------ C:\WINDOWS\system32\Crypserv.exe
2006-10-02 14:11 27,648 -ra------ C:\WINDOWS\Setup_ck.exe
2006-10-02 14:11 24,608 --a------ C:\WINDOWS\system32\Ckldrv.sys
2006-10-02 14:11 18,432 --a------ C:\WINDOWS\Setup_ck.dll
2006-10-02 14:11 165,888 --a------ C:\WINDOWS\Ckconfig.exe
2006-10-02 14:11 11,776 --a------ C:\WINDOWS\Ckrfresh.exe
2006-10-01 18:08 2 --a------ C:\WINDOWS\system32\wnsapiit.exe
2006-09-27 19:52 295,952 --a------ C:\WINDOWS\SCRANTIC.SCR
2006-09-21 18:08 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-17 16:02 -------- d-------- C:\Program Files\PacificPoker
2006-10-17 12:59 -------- d-------- C:\Documents and Settings\johnny\Application Data\Vso
2006-10-17 11:46 -------- d-------- C:\Program Files\Morpheus
2006-10-17 11:41 -------- d-------- C:\Program Files\LimeWire Acceleration Patch
2006-10-16 23:00 -------- d-------- C:\Program Files\Absolute Poker
2006-10-16 17:43 -------- d-------- C:\Program Files\Noble Poker
2006-10-16 17:36 -------- d-------- C:\Documents and Settings\johnny\Application Data\MailFrontier
2006-10-15 12:42 -------- d-------- C:\Program Files\Mystery Case Files - Prime Suspects
2006-10-13 22:30 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-13 22:29 -------- d-------- C:\Program Files\Sage EBanking
2006-10-13 22:29 -------- d-------- C:\Program Files\Informer50
2006-10-13 22:28 -------- d-------- C:\Program Files\Sage
2006-10-13 22:28 -------- d-------- C:\Program Files\Common Files\Sage Line50
2006-10-13 22:28 -------- d-------- C:\Program Files\Common Files
2006-10-13 14:10 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-10-10 18:20 -------- d-------- C:\Documents and Settings\johnny\Application Data\Morpheus
2006-10-08 18:55 -------- d-------- C:\Program Files\FinalAlert 2 Yuri's Revenge
2006-10-08 17:56 441328 --a------ C:\Documents and Settings\johnny\Application Data\NMM-MetaData.db
2006-10-06 22:20 -------- d-------- C:\Documents and Settings\johnny\Application Data\Microgaming
2006-10-06 13:34 -------- d-------- C:\Program Files\LimeWire
2006-10-05 17:37 -------- d-------- C:\Program Files\Spyware Doctor
2006-10-05 16:44 51072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2006-10-05 16:44 30592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2006-10-04 14:42 -------- d-------- C:\Program Files\SmartDraw 7
2006-10-04 01:45 -------- d-------- C:\Documents and Settings\johnny\Application Data\dvdcss
2006-10-02 14:26 -------- d-------- C:\Program Files\Mystery Case Files Huntsville
2006-10-01 18:08 -------- d-------- C:\Documents and Settings\johnny\Application Data\àppPatch
2006-09-29 19:18 -------- d-------- C:\Program Files\PokerTimeMPP
2006-09-27 09:27 778656 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-09-24 15:44 -------- d-------- C:\Program Files\ACD Systems
2006-09-21 18:22 -------- d-------- C:\Program Files\vso
2006-09-21 18:08 81920 --a------ C:\Documents and Settings\johnny\Application Data\ezpinst.exe
2006-09-21 18:08 7176 --a------ C:\Documents and Settings\johnny\Application Data\pcouffin.cat
2006-09-21 18:08 47360 --a------ C:\Documents and Settings\johnny\Application Data\pcouffin.sys
2006-09-21 18:08 34 --a------ C:\Documents and Settings\johnny\Application Data\pcouffin.log
2006-09-21 18:08 1144 --a------ C:\Documents and Settings\johnny\Application Data\pcouffin.inf
2006-09-19 13:00 -------- d---s---- C:\Documents and Settings\johnny\Application Data\Microsoft
2006-09-17 00:31 -------- d-------- C:\Program Files\American Conquest
2006-09-16 19:13 -------- d-------- C:\Program Files\Sierra
2006-09-13 16:25 -------- d-------- C:\Documents and Settings\johnny\Application Data\VSO_HWE
2006-09-13 06:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-09-10 10:24 -------- d-------- C:\Documents and Settings\johnny\Application Data\SmartDraw
2006-09-08 19:22 -------- d-------- C:\Program Files\Collectorz.com
2006-09-05 11:52 -------- d-------- C:\Program Files\e-PDF To Word Converter
2006-09-05 11:45 -------- d-------- C:\Documents and Settings\johnny\Application Data\Adobe
2006-09-05 11:36 -------- d-------- C:\Program Files\Common Files\Adobe Systems Shared
2006-09-05 11:34 -------- d-------- C:\Program Files\Common Files\Adobe
2006-08-29 12:58 -------- d-------- C:\Documents and Settings\johnny\Application Data\Nokia Multimedia Player
2006-08-29 12:57 -------- d-------- C:\Documents and Settings\johnny\Application Data\Datalayer
2006-08-28 21:01 -------- d-------- C:\Program Files\Poker.com
2006-08-28 15:32 -------- d-------- C:\Documents and Settings\johnny\Application Data\Atari
2006-08-27 20:31 -------- d-------- C:\Program Files\LDC Theory Test 2005
2006-08-25 16:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-24 07:04 -------- d-------- C:\Documents and Settings\johnny\Application Data\AVG7
2006-08-23 23:38 75776 --a------ C:\WINDOWS\zllsputility.exe
2006-08-21 13:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 10:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-21 09:55 -------- d-------- C:\Program Files\Flight3
2006-08-16 12:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-14 14:10 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-07-27 14:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 09:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PinnacleDriverCheck"="C:\\WINDOWS\\system32\\PSDrvCheck.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
@=""
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Spyware Doctor"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
"Spyware Doctor"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoColorChoice"=dword:00000000
"NoSizeChoice"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"NoDispScrSavPage"=dword:00000000
"NoDispCPL"=dword:00000000
"NoVisualStyleChoice"=dword:00000000
"NoDispSettingsPage"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000000
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"ClassicShell"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Acrobat Speed Launcher.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Acrobat Speed Launcher.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Installer\\{AC76BA86-1033-0000-7760-000000000002}\\SC_Acrobat.exe "
"item"="Adobe Acrobat Speed Launcher"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZoneAlarm Pro.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\ZoneAlarm Pro.lnk"
"backup"="C:\\WINDOWS\\pss\\ZoneAlarm Pro.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zapro.exe -nopopup"
"item"="ZoneAlarm Pro"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^johnny^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
"path"="C:\\Documents and Settings\\johnny\\Start Menu\\Programs\\Startup\\RollerCoaster Tycoon 3 Registration.lnk"
"backup"="C:\\WINDOWS\\pss\\RollerCoaster Tycoon 3 Registration.lnkStartup"
"location"="Startup"
"command"="C:\\Documents and Settings\\johnny\\Local Settings\\Temp\\{1575BDB2-E6D6-45D8-A92F-E27FC698A11F}\\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\\ATR1.exe /remind /language=ENG /PRNM=\"RollerCoaster Tycoon 3\"/PRMP=\"RCT3\"/SKUN=\"PCXX\"/GTYP=\"STRY\""
"item"="RollerCoaster Tycoon 3 Registration"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="OEMReset"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\Options\\OEMReset.exe /Audit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Acrotray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoLoaderAproposClient]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CXTPLS~1"
"hkey"="HKLM"
"command"="\"C:\\temp\\CXTPLS~1.EXE\" /PC=CP.CDT4 /ShowLegalNote=nonbranded /ForSupportedBrowsers /HideUninstall /HideDir"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullsEye Network]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bargains"
"hkey"="HKLM"
"command"="C:\\Program Files\\BullsEye Network\\bin\\bargains.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CloneCDTray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\SlySoft\\CloneCD\\CloneCDTray.exe\" /s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dlkav]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="n?tdde"
"hkey"="HKCU"
"command"="C:\\Documents and Settings\\johnny\\Application Data\\?ppPatch\\n?tdde.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMprocess]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IM-svr"
"hkey"="HKLM"
"command"="C:\\Program Files\\IM Names\\IM-svr.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="optimize"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBt3RQd9h]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="helsink"
"hkey"="HKCU"
"command"="helsink.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Media Pass]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MediaPassK"
"hkey"="HKLM"
"command"="C:\\Program Files\\Media Pass\\MediaPassK.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsnMsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NBJ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NBJ"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Ahead\\Nero BackItUp\\NBJ.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LAUNCH~1"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\salm]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="salm"
"hkey"="HKLM"
"command"="c:\\temp\\salm.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VVSN]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VVSN"
"hkey"="HKLM"
"command"="C:\\Program Files\\VVSN\\VVSN.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-17 17:31:37.01
C:\ComboFix.txt ... 06-10-17 17:31
C:\ComboFix2.txt ... 06-10-17 11:13


3
Scanning Report
Tuesday, October 17, 2006 17:46:27 - 18:53:24
Computer name: WHITESHOES-1
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 30 malware found
Adware.2Search (spyware)
System (Disinfected)
Adware.Pop (spyware)
System (Disinfected)
Adware.WeirWeb (spyware)
System (Disinfected)
SpyFalcon (spyware)
System (Disinfected)
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
System
TrustCleaner (spyware)
System (Disinfected)
W32/Agent.AJAK.dropper (virus)
C:\DOCUMENTS AND SETTINGS\JOHNNY\MY DOCUMENTS\BRANDON\RANDOM MUSIC\ACCESS.EXE (Submitted)
W32/DLoader.LJP (virus)
C:\WINDOWS\DOWNLOADED PROGRAM FILES\MINICLIPGAMELOADER.DLL (Submitted)
W32/DLoader.UGN (virus)
C:\PROGRAM FILES\IM NAMES\IMNAMES.EXE (Submitted)
W32/Dialer.MWN (virus)
C:\WINDOWS\ADIRAS.EXE (Submitted)
WinAD (spyware)
System (Disinfected)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 41517
System: 5027
Not scanned: 3
Actions:
Disinfected: 7
Renamed: 0
Deleted: 0
None: 23
Submitted: 4
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{AAB0EEFA-873D-4378-A160-3A2D4EAF194E}.BIN

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure AVP: 6.0.171, 2006-10-17
F-Secure Libra: 2.4.1, 2006-10-17
F-Secure Orion: 1.2.37, 2006-10-16
F-Secure Blacklight: 1.0.31, 0000-00-00
F-Secure Draco: 1.0.35, 0259-24-212
F-Secure Pegasus: 1.19.0, 2006-08-29
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
Use Advanced heuristics

--------------------------------------------------------------------------------

tia :thumbsup: :flowers:
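
The ComboFix "Reg Loading Points" section in log 2 above is where the doubtful autoruns stand out: the Dlkav entry whose command runs from a folder named ?ppPatch under the user's Application Data (the same folder appears as àppPatch in the Find3M section), salm.exe and CXTPLS~1.EXE in c:\temp, and helsink.exe with no path at all. The Python script below is an added example for readers triaging such a log; it is not part of this thread and not code from ComboFix, HijackThis or any other tool named here. It parses the .reg-style dump and flags entries by three location rules (no absolute path, user-writable location, odd characters in the path). The four sample entries are copied from the log above and embedded as constructed input; the rule set, the marker list and the function names are my own assumptions.

```python
import re
from typing import Dict, List

# Constructed sample input: four startupreg entries copied from the ComboFix
# "Reg Loading Points" dump in this thread (three questionable, one benign).
SAMPLE_LOG = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dlkav]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="n?tdde"
"hkey"="HKCU"
"command"="C:\\Documents and Settings\\johnny\\Application Data\\?ppPatch\\n?tdde.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\salm]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="salm"
"hkey"="HKLM"
"command"="c:\\temp\\salm.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KBt3RQd9h]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="helsink"
"hkey"="HKCU"
"command"="helsink.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
'''

HEADER_RE = re.compile(r'^\[(.+)\]$')          # [HKEY_...\subkey]
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')    # "name"="string value"
EXEC_EXT = (".exe", ".dll", ".com", ".scr", ".bat", ".cmd", ".pif")
# Assumed markers for locations an ordinary user can write to.
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\local settings\\")


def unescape_reg(value: str) -> str:
    # Undo .reg-style escaping: doubled backslash and backslash-quote.
    return re.sub(r'\\(["\\])', r'\1', value)


def parse_loading_points(text: str) -> List[Dict[str, str]]:
    """Turn the .reg-style dump into one dict per [key] block."""
    entries: List[Dict[str, str]] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"key_path": m.group(1),
                       "name": m.group(1).rsplit("\\", 1)[-1]}
            entries.append(current)
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = unescape_reg(m.group(2))
    return entries


def executable_from_command(command: str) -> str:
    """Pull the program path out of a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):                 # quoted path, args follow
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    tokens = command.split(" ")
    # Unquoted paths may contain spaces: grow the prefix until it ends in
    # an executable extension, otherwise fall back to the first token.
    for i in range(1, len(tokens) + 1):
        candidate = " ".join(tokens[:i])
        if candidate.lower().endswith(EXEC_EXT):
            return candidate
    return tokens[0]


def triage(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag entries whose executable location alone deserves a closer look."""
    findings = []
    for e in entries:
        command = e.get("command")
        if not command:
            continue
        exe = executable_from_command(command)
        reasons = []
        if not re.match(r"^[a-z]:\\", exe, re.IGNORECASE):
            reasons.append("no absolute path (resolved via PATH search at logon)")
        if any(marker in exe.lower() for marker in USER_WRITABLE):
            reasons.append("runs from a user-writable location (temp or profile)")
        if any(ch == "?" or ord(ch) > 127 for ch in exe):
            reasons.append("odd characters in path (lookalike or unprintable name)")
        if reasons:
            findings.append({"entry": e["name"], "hive": e.get("hkey", "?"),
                             "executable": exe, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(parse_loading_points(SAMPLE_LOG)):
        print(f"{f['hive']} {f['entry']}: {f['executable']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

Feed it the whole "Reg Loading Points" section (or a full .reg export) instead of SAMPLE_LOG to list every candidate; the rules are deliberately coarse, so a hit means "verify this file" (hash it and submit it for a multi-engine scan, as was done with wnsapiit.exe above), not "this is malware". Note that the `?` in the registry dump and the `à` in the Find3M listing are the same non-ASCII folder name rendered by two different code paths, which is why the third rule checks for both.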

#6 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 17 October 2006 - 03:07 PM

Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):


    C:\WINDOWS\DOWNLOADED PROGRAM FILES\MINICLIPGAMELOADER.DLL
    C:\DOCUMENTS AND SETTINGS\JOHNNY\MY DOCUMENTS\BRANDON\RANDOM MUSIC\ACCESS.EXE


  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Select Delete on Reboot and Unregister .dll before Deleting
  • then Click on the All Files button.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.



Is this something you installed??

C:\PROGRAM FILES\IM NAMES\IMNAMES.EXE



Please post an uninstall list,
  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file.
  • When you press Save button a notepad will open with the contents of that file.
  • Simply copy and paste the contents of that notepad into this topic please.
Please run the Bit Defender Online Scan
http://www.bitdefender.com/scan8/ie.html

You must use Internet Explorer for this scanner.

Install the ActiveX and Click on "Click here to Scan"

Allow it to update and Scan the Machine.

It should disinfect or delete whatever it finds that is infected.

Save the report it generates in a text format please and post it back here.

#7 whiteshoes

whiteshoes
  • Topic Starter

  • Members
  • 47 posts
  • OFFLINE

Posted 18 October 2006 - 09:13 AM

Hi,
I didn't receive any message you referred to on Killbox. The file you mentioned (C:\PROGRAM FILES\IM NAMES\IMNAMES.EXE): I don't recall installing this, but 1 of the kids may have... is this a dubious file?
The 2 logs you requested are below. Once again, thank you for your time and effort Cretemonster.
P.S. My daily AVG scan didn't pick up any virus this morning for the 1st time in a while. :thumbsup:


7-Zip 4.32
Absolute Poker
Adobe Acrobat 4.0
Adobe Acrobat 7.0 Professional
Adobe Photoshop Elements 2.0
Adobe Reader 7.0
American Conquest
AVG Free Edition
Avi2Dvd 0.4.3 beta
AviSynth 2.5
Blitzkrieg
Call of Duty® 2
Canon MP Drivers
CD to WAV and MP3 Ripper
CloneCD
Collectorz.com Movie Collector
Command & Conquer Red Alert 2
Command && Conquer Red Alert 2 - Yuri's Revenge
ConvertMovie 3.0
ConvertXtoDVD 2.1.1
coverXP (remove only)
dBpowerAMP Music Converter
dBpowerAMP WMA V9.1 Codec
Disney's Extremely Goofy Skateboarding
DivX
DivX Player
DivX Web Player
Driving Test Success 2003-2004
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVD2SVCD 1.2.2 Build 1
DVDFab Decrypter 2.9.5.2
dvdSanta 4.00
EasyStudio PIM & File Manager
ECI USB ADSL
e-PDF To Word Converter
ffdshow
FinalAlert 2 Yuri's Revenge
Flight Unlimited III
Forté Agent
Google Earth
GrabIt 1.5.3 Beta (build 909)
Haali Media Splitter
Hallmark Comedy Card Studio
Hazard Perception Training 2003-2004
HijackThis 1.99.1
Homeworld2
Hotel Giant
IBM PerfectPhoto 1.0
Intel® PRO Network Adapters and Drivers
iPhoto Plus 4
IsoBuster 1.7
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_06
LDC Theory Test 2005
LimeWire 4.12.6
Macromedia Flash Player 8
Macromedia Shockwave Player
MANSION
Matroska Pack
MGI PhotoSuite 4 (Remove Only)
Microsoft Office Professional Edition 2003
Microsoft Windows Media Video 9 VCM
Microsoft Zoo Tycoon
MP3 Player Utilities
Mystery Case Files - Prime Suspects (remove only)
Mystery Case Files Huntsville
Nero 6 Ultra Edition
Nero Media Player
NeroVision Express 3
Noble Poker
Nokia Connectivity Cable Driver
Nokia PC Connectivity Solution
Nokia PC Suite
NVIDIA Drivers
Ogg Vorbis Redistributable V 1.0b (vorbis1_0_public_release)
Pacific Poker
Play4Fun Version 2.0.6.48
PokerStars
PokerTime Poker
PowerDVD
QuickPar 0.9
QuickTime
ratDVD 0.6.1117
Rayman3
RCT3 Soaked
RealPlayer
Return to Mysterious Island
RollerCoaster Tycoon® 3
Sage Accounts
Sage MIS 3.01
SAMSUNG Mobile USB Modem 1.0 Software
Scooby-Doo 2 - Monsters Unleashed
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Shockwave
Skype 1.4
Soldier of Fortune
SONIC ADVENTURE DX-Director's Cut
SONIC HEROES
Spybot - Search & Destroy 1.4
Spyware Doctor 3.8
Srt2Sup a4.03
Star Wars Battlefront II
SureThing CD Labeler
The Entente
The Simpsons Hit & Run™
TMPGEnc DVD Author 1.5
TMPGEnc Plus 2.5
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
VCDEasy
VideoLAN VLC media player 0.8.1
Westwood Shared Internet Components
Windows Driver Package - Nokia Modem (06/12/2006 6.81.0.21)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinRAR archiver
WinZip
WMA To MP3 Converter
XoftSpy
ZoneAlarm Security Suite
Zoo Tycoon 2




BitDefender Online Scanner - Scan Report

Scan report generated at: Wed, Oct 18, 2006 - 13:53:48
Scan path: A:\;C:\;E:\;O:\;

Statistics
Time: 02:21:50
Files: 996539
Folders: 8558
Boot Sectors: 2
Archives: 13378
Packed Files: 64879

Results
Identified Viruses: 4
Infected Files: 11
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 11

Engines Info
Virus Definitions: 476976
Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
Scan plugins: 13
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File - Status
C:\!KillBox\Access.exe - Infected with: Dropped:Trojan.MovieLand.A
C:\!KillBox\Access.exe - Disinfection failed
C:\!KillBox\Access.exe - Deleted
C:\Documents and Settings\johnny\My Documents\poker\setupcdripper.exe=>wise0018=>(ZIP Sfx o)=>NHInstall.exe - Infected with: Trojan.Dloader.L
C:\Documents and Settings\johnny\My Documents\poker\setupcdripper.exe=>wise0018=>(ZIP Sfx o)=>NHInstall.exe - Disinfection failed
C:\Documents and Settings\johnny\My Documents\poker\setupcdripper.exe=>wise0018=>(ZIP Sfx o)=>NHInstall.exe - Deleted
C:\Documents and Settings\johnny\My Documents\poker\setupcdripper.exe=>wise0018=>(ZIP Sfx o) - Updated
C:\Documents and Settings\johnny\My Documents\poker\setupcdripper.exe=>wise0018=>(ZIP Sfx o)=>v2.0.4a.cab=>NHelper.dll - Detected with: Adware.Navexcel.A
C:\Documents and Settings\johnny\My Documents\poker\setupcdripper.exe=>wise0018=>(ZIP Sfx o)=>v2.0.4a.cab=>NHelper.dll - Disinfection failed
C:\Documents and Settings\johnny\My Documents\poker\setupcdripper.exe=>wise0018=>(ZIP Sfx o)=>v2.0.4a.cab=>NHelper.dll - Deleted
C:\Documents and Settings\johnny\My Documents\poker\setupcdripper.exe=>wise0018=>(ZIP Sfx o)=>v2.0.4a.cab - Update failed
C:\Documents and Settings\johnny\My Documents\poker\setupcdripper.exe=>wise0018=>(ZIP Sfx o)=>v2.0.4a.cab=>NHUninstaller.exe - Detected with: Adware.Navexcel.A
C:\Documents and Settings\johnny\My Documents\poker\setupcdripper.exe=>wise0018=>(ZIP Sfx o)=>v2.0.4a.cab=>NHUninstaller.exe - Disinfection failed
C:\Documents and Settings\johnny\My Documents\poker\setupcdripper.exe=>wise0018=>(ZIP Sfx o)=>v2.0.4a.cab=>NHUninstaller.exe - Deleted
C:\Documents and Settings\johnny\My Documents\poker\setupcdripper.exe=>wise0018=>(ZIP Sfx o)=>v2.0.4a.cab - Update failed
C:\Documents and Settings\johnny\My Documents\poker\setupcdripper.exe=>wise0018=>(ZIP Sfx o)=>v2.0.4a.cab=>NHUpdater.exe - Detected with: Adware.Navexcel.A
C:\Documents and Settings\johnny\My Documents\poker\setupcdripper.exe=>wise0018=>(ZIP Sfx o)=>v2.0.4a.cab=>NHUpdater.exe - Disinfection failed
C:\Documents and Settings\johnny\My Documents\poker\setupcdripper.exe=>wise0018=>(ZIP Sfx o)=>v2.0.4a.cab=>NHUpdater.exe - Deleted
C:\Documents and Settings\johnny\My Documents\poker\setupcdripper.exe=>wise0018=>(ZIP Sfx o)=>v2.0.4a.cab - Update failed
C:\Documents and Settings\johnny\My Documents\poker\setupcdripper.exe=>wise0018 - Update failed
C:\Program Files\CD to WAV and MP3 Ripper\NH20040517.4a.EE.exe=>(ZIP Sfx o)=>NHInstall.exe - Infected with: Trojan.Dloader.L
C:\Program Files\CD to WAV and MP3 Ripper\NH20040517.4a.EE.exe=>(ZIP Sfx o)=>NHInstall.exe - Disinfection failed
C:\Program Files\CD to WAV and MP3 Ripper\NH20040517.4a.EE.exe=>(ZIP Sfx o)=>NHInstall.exe - Deleted
C:\Program Files\CD to WAV and MP3 Ripper\NH20040517.4a.EE.exe=>(ZIP Sfx o) - Updated
C:\Program Files\CD to WAV and MP3 Ripper\NH20040517.4a.EE.exe=>(ZIP Sfx o)=>v2.0.4a.cab=>NHelper.dll - Detected with: Adware.Navexcel.A
C:\Program Files\CD to WAV and MP3 Ripper\NH20040517.4a.EE.exe=>(ZIP Sfx o)=>v2.0.4a.cab=>NHelper.dll - Disinfection failed
C:\Program Files\CD to WAV and MP3 Ripper\NH20040517.4a.EE.exe=>(ZIP Sfx o)=>v2.0.4a.cab=>NHelper.dll - Deleted
C:\Program Files\CD to WAV and MP3 Ripper\NH20040517.4a.EE.exe=>(ZIP Sfx o)=>v2.0.4a.cab - Update failed
C:\Program Files\CD to WAV and MP3 Ripper\NH20040517.4a.EE.exe=>(ZIP Sfx o)=>v2.0.4a.cab=>NHUninstaller.exe - Detected with: Adware.Navexcel.A
C:\Program Files\CD to WAV and MP3 Ripper\NH20040517.4a.EE.exe=>(ZIP Sfx o)=>v2.0.4a.cab=>NHUninstaller.exe - Disinfection failed
C:\Program Files\CD to WAV and MP3 Ripper\NH20040517.4a.EE.exe=>(ZIP Sfx o)=>v2.0.4a.cab=>NHUninstaller.exe - Deleted
C:\Program Files\CD to WAV and MP3 Ripper\NH20040517.4a.EE.exe=>(ZIP Sfx o)=>v2.0.4a.cab - Update failed
C:\Program Files\CD to WAV and MP3 Ripper\NH20040517.4a.EE.exe=>(ZIP Sfx o)=>v2.0.4a.cab=>NHUpdater.exe - Detected with: Adware.Navexcel.A
C:\Program Files\CD to WAV and MP3 Ripper\NH20040517.4a.EE.exe=>(ZIP Sfx o)=>v2.0.4a.cab=>NHUpdater.exe - Disinfection failed
C:\Program Files\CD to WAV and MP3 Ripper\NH20040517.4a.EE.exe=>(ZIP Sfx o)=>v2.0.4a.cab=>NHUpdater.exe - Deleted
C:\Program Files\CD to WAV and MP3 Ripper\NH20040517.4a.EE.exe=>(ZIP Sfx o)=>v2.0.4a.cab - Update failed
C:\Program Files\CD to WAV and MP3 Ripper\NH20040517.4a.EE.exe - Update failed
C:\System Volume Information\_restore{D6A84301-EBE4-45BC-AF35-63FA04140EA8}\RP615\A0337599.exe - Infected with: Dropped:Trojan.MovieLand.A
C:\System Volume Information\_restore{D6A84301-EBE4-45BC-AF35-63FA04140EA8}\RP615\A0337599.exe - Disinfection failed
C:\System Volume Information\_restore{D6A84301-EBE4-45BC-AF35-63FA04140EA8}\RP615\A0337599.exe - Deleted
C:\WINDOWS\Downloaded Program Files\nonadult.exe - Infected with: Trojan.Dialer.GlobalAcces
C:\WINDOWS\Downloaded Program Files\nonadult.exe - Disinfection failed
C:\WINDOWS\Downloaded Program Files\nonadult.exe - Deleted

#8 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 18 October 2006 - 03:34 PM

I have to trust what I read from the folks at Sunbelt.
http://research.sunbelt-software.com/threa...;threatid=44421

C:\PROGRAM FILES\IM NAMES


I think it's a good idea to delete that folder; I don't see an entry in Add\Remove Programs.

Speaking of kids, is LimeWire being used on the machine?


If you will, run the F-Secure Online Scan once more and post back with those results.

Edited by Cretemonster, 18 October 2006 - 03:35 PM.




