BleepingComputer.com: Have Recycler & Trojan Horse FakeAlert.KH

Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
  • 3 Pages +
  • 1
  • 2
  • 3
  • You cannot start a new topic
  • This topic is locked

Have Recycler & Trojan Horse FakeAlert.KH Can't get rid of either one of these.

#1 User is offline   Baybadoll 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 35
  • Joined: 23-May 09
  • Gender:Female
  • Location:Illinois

Posted 27 May 2009 - 04:54 PM

I have a Trojan Horse FakeAlert.KH, which AVG has removed 3 times now, that keeps coming back. I have a recycler virus also (don't know which one since its hidden), which is on my partitioned drive (D: and E:), my external drive, and my jump drive, and I can't get rid of it - AVG doesn't even find it. Computer drives: Partitioned [C: NTFS, D: FAT32, E: FAT32]; Other Internal [H: NTFS]; External [J: FAT32]; Jump [I:FAT32].

My internet browser keeps getting redirected. I'm getting multiple warning messages of: 'Are you sure you want to navigate away from this page?' when my brower isn't even open. The Screen has frozen completely a few times now - and had to restart. Random websites pop up, random music plays, and random people speak - when no browser is open. Often it says something like, "Congratulations, you won". I can't get my dvd burner [G:] to work - nero doesn't even find it. I can't defragment two of my drives, C: and H:. AVG says I'm clean and then the next day FakeAlert is back.

I don't have any idea how to get rid of either of these.

Thanks in advance, Katilyn


DDS (Ver_09-05-14.01) - NTFSx86
Run by Owner at 15:21:20.96 on Wed 05/27/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13

============== Pseudo HJT Report ===============

uStart Page = hxxp://gridcom.net/IClient/Login.aspx?ReturnUrl=%2fiClient%2fdefault.aspx
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - e:\program files\ws_ftp pro\wsbho2k0.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
uRun: [SmileboxTray] "c:\documents and settings\owner\application data\smilebox\SmileboxTray.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
uRun: [RegistryMechanic] c:\program files\registry mechanic\RegMech.exe /H
mRun: [USRpdA] c:\windows\system32\usrmlnka.exe runservices \device\3cpipe-USRpdA
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Lexmark X6100 Series] "c:\program files\lexmark x6100 series\lxbfbmgr.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [MyWebSearch Plugin] rundll32 c:\progra~1\mywebs~1\bar\1.bin\M3PLUGIN.DLL,UPF
mRun: [My Web Search Bar Search Scope Monitor] "c:\progra~1\mywebs~1\bar\1.bin\m3SrchMn.exe" /m=0
mRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZUxdm265YYUS
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~1\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/common/asusTek_sys_ctrl.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/MyFunCardsFWBInitialSetup1.0.1.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} - hxxp://onlinedesigner.hgtv.com/images/app/view22rte.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.227,85.255.112.166
TCP: {FE72FDC3-D6F2-48AD-8472-F23492B6DE8B} = 85.255.112.227,85.255.112.166
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\z9528hve.default\
FF - prefs.js: browser.startup.homepage - hxxp://login.sitesell.com/|http://www.essential-oil-mama.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\z9528hve.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMyWebS.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-05-26 12:36 <DIR> --d----- c:\program files\Cobian Backup 8
2009-05-24 17:44 <DIR> --d----- c:\windows\system32\appmgmt
2009-05-23 18:18 159,600 a------- c:\windows\system32\drivers\pctgntdi.sys
2009-05-23 18:09 130,936 a------- c:\windows\system32\drivers\PCTCore.sys
2009-05-23 18:09 73,840 a------- c:\windows\system32\drivers\PCTAppEvent.sys
2009-05-23 18:07 64,392 a------- c:\windows\system32\drivers\pctplsg.sys
2009-05-23 18:07 <DIR> --d----- c:\program files\common files\PC Tools
2009-05-23 18:06 <DIR> --d----- c:\program files\Spyware Doctor
2009-05-23 18:06 <DIR> --d----- c:\docume~1\owner\applic~1\PC Tools
2009-05-23 18:06 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PC Tools
2009-05-23 10:06 341 ---shr-- C:\autorun.inf
2009-05-06 03:00 <DIR> --d----- c:\windows\system32\KB905474
2009-05-04 15:42 <DIR> --d----- c:\program files\common files\SWF Studio

==================== Find3M ====================

2009-05-27 09:05 21 a------- C:\qpmd8376.bin
2009-05-19 09:45 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-19 09:45 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\wininet.dll
2007-06-23 17:08 284 -c------ c:\docume~1\owner\applic~1\ViewerApp.dat
2004-04-28 00:19 233,160 ac------ c:\program files\LISTOOL.EXE
2004-02-11 16:32 257,189 ac------ c:\program files\LISTOOL.CHM
2008-09-23 03:06 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092320080924\index.dat

============= FINISH: 15:22:05.40 ===============

Attached File(s)


#2 User is offline   SifuMike 

  • malware expert
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 15,385
  • Joined: 08-January 05
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 28 May 2009 - 11:30 PM

Hello Baybadoll,

Download Security Check by screen317 from here or here.
Save it to your Desktop.
Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
A Notepad document should open automatically called checkup.txt.
Please post the contents of that document.


Please disable Spyware Doctor as it will prevent Malwarebytes from working.
To disable Spyware Doctor from running on your system startup:
1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.
2. Click the "Settings" button on the left side.
3. Click the "Startup Settings" link.
4. Uncheck "Run at Windows Startup".
5. Click the "Apply" button.

Please download Malwarebytes' Anti-Malware from one of these places:
http://download.cnet.com/Malwarebytes-Anti...&tag=button
http://www.majorgeeks.com/Malwarebytes_Ant...ware_d5756.html
http://www.besttechie.net/mbam/mbam-setup.exe

Double Click mbam-setup.exe to install the application.

* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish,so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy&Paste the entire MBAM report (even if it does not find anything) in your next reply along with a fresh HijackThis log.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.

This post has been edited by SifuMike: 28 May 2009 - 11:33 PM

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 User is offline   Baybadoll 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 35
  • Joined: 23-May 09
  • Gender:Female
  • Location:Illinois

Posted 29 May 2009 - 09:37 AM

Hi! Thank you for such a quick response.

I am now on my laptop. My desktop computer crashed this morning. It is sitting on one of the startup screens... the motherboard screen. It says to press DEL to enter SETUP. But it won't respond to anything. I had just finished getting the checkup.txt, but I can't post it, obviously.

Don't know if this is important, but.. Yesterday i restarted and it went to a blue screen that said a problem had been detected and windows was shut down to prevent damage. This was part of the message: IRQL_NOT_LESS_OR_EQUAL
***STOP: 0x0000000A (0x00000019, 0x00000002, 0x00000000, 0x804F35A2)

Thank you for your help!
Katilyn

#4 User is offline   SifuMike 

  • malware expert
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 15,385
  • Joined: 08-January 05
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 29 May 2009 - 10:52 AM

Hi Katilyn,


Looks like you probably have a hardware or driver problem. :thumbup2:
I am not a Windows expert so I am going to refer you to another forum.


Read these:
You receive a "Stop 0x0000000A" error message in Windows XP
http://support.microsoft.com/kb/314063

How to fix a Stop 0×0000000A error in Windows XP
http://www.lancelhoff.com/stop-0x0000000a-error/

STOP 0x0000000A, 0x000000A (Parameter 1, Parameter 2, Parameter 3, Parameter 4) IRQL_NOT_LESS_OR_EQUAL
http://www.geekswhoknow.com/articles/stop-...ss_or_equal.htm


HijackThis does not have the capability to analyze performance, hardware or application issues.

For the type of issue(s) you describe I would suggest posting to the
Windows XP Home and Professional forum. The techs in that forum specialize in matters pertaining to Windows issues.
Let them know that you have been to this forum and that I have refered you to their forum.

When posting to any other forum, do not post a HijackThis log or the post will simply be moved back to this forum for infection analysis. That is what HijackThis is used for and that is what we specialize in here in this forum.

Also, when posting in any other forum for assistance, give as much detail as possible regarding any issues that are occurring. The more information they have, the better the techs can analyze the issue and make any recommendations for resolving it.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 User is offline   Baybadoll 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 35
  • Joined: 23-May 09
  • Gender:Female
  • Location:Illinois

Posted 30 May 2009 - 03:22 PM

My computer booted back up. But will not run malwarebytes.

Here are the other logs.

checkup:

Results of screen317's Security Check version 0.98.3
Windows XP Service Pack 3
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````
Windows Firewall Enabled!
AVGFree8.5
Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````
Malwarebytes' Anti-Malware
Java™ 6 Update 13
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````
AVG avgwdsvc.exe
AVG avgtray.exe
AVG avgrsx.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````

Scan took 9 seconds.
`````````End of Log```````````






dds:

DDS (Ver_09-05-14.01) - NTFSx86
Run by Owner at 15:15:58.10 on Sat 05/30/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.592 [GMT -5:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
svchost.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
H:\Essential Essence\Site Build It\Cold Fusion\runtime\bin\jrunsvc.exe
H:\Essential Essence\Site Build It\Cold Fusion\runtime\bin\jrun.exe
H:\Essential Essence\Site Build It\Cold Fusion\db\slserver52\bin\swagent.exe
H:\Essential Essence\Site Build It\Cold Fusion\db\slserver52\bin\swstrtr.exe
H:\Essential Essence\Site Build It\Cold Fusion\db\slserver52\bin\swsoc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\WINDOWS\SYSTEM32\USRshutA.exe
C:\WINDOWS\SYSTEM32\USRmlnkA.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Lexmark X6100 Series\lxbfbmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACDaemon.exe
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ArcCon.ac
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Documents and Settings\Owner\Application Data\Smilebox\SmileboxTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
E:\Program Files\PayPal Payment Request Wizard\Outlook Wizard\OEHook.exe
E:\Program Files\PhAutoRun.exe
E:\Program Files\QBOOKS\Components\QBAgent\QBDAgent.exe
C:\WINDOWS\system32\mrtMngr.EXE
C:\Documents and Settings\Owner\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://gridcom.net/IClient/Login.aspx?ReturnUrl=%2fiClient%2fdefault.aspx
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: AVG Safe Search: {3ca2f312-6f6e-4b53-a66e-4e65e497c8c0} - c:\program files\avg\avg8\avgssie.dll
BHO: WsftpBrowserHelper Class: {601ed020-fb6c-11d3-87d8-0050da59922b} - e:\program files\ws_ftp pro\wsbho2k0.dll
BHO: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: AVG Security Toolbar: {a057a204-bacc-4d26-9990-79a187e2698e} - c:\progra~1\avg\avg8\AVGTOO~1.DLL
TB: {07B18EA9-A523-4961-B6BB-170DE4475CCA} - No File
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
uRun: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "c:\program files\common files\ahead\lib\NMBgMonitor.exe"
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\WCESCOMM.EXE"
uRun: [SmileboxTray] "c:\documents and settings\owner\application data\smilebox\SmileboxTray.exe"
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
mRun: [USRpdA] c:\windows\system32\usrmlnka.exe runservices \device\3cpipe-USRpdA
mRun: [High Definition Audio Property Page Shortcut] HDAShCut.exe
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [Lexmark X6100 Series] "c:\program files\lexmark x6100 series\lxbfbmgr.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.2\apps\apdproxy.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [AVG8_TRAY] c:\progra~1\avg\avg8\avgtray.exe
mRun: [MyWebSearch Plugin] rundll32 c:\progra~1\mywebs~1\bar\1.bin\M3PLUGIN.DLL,UPF
mRun: [My Web Search Bar Search Scope Monitor] "c:\progra~1\mywebs~1\bar\1.bin\m3SrchMn.exe" /m=0
mRun: [MyWebSearch Email Plugin] c:\progra~1\mywebs~1\bar\1.bin\mwsoemon.exe
mRun: [ArcSoft Connection Service] c:\program files\common files\arcsoft\connection service\bin\ACDaemon.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
StartupFolder: c:\docume~1\owner\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\outloo~1.lnk - e:\program files\paypal payment request wizard\outlook wizard\OEHook.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\photof~1.lnk - e:\program files\PhAutoRun.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\quickb~1.lnk - e:\program files\qbooks\components\qbagent\QBDAgent.exe
IE: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZUxdm265YYUS
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\program files\microsoft activesync\INETREPL.DLL
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - e:\progra~1\micros~1\office11\REFIEBAR.DLL
DPF: DirectAnimation Java Classes - file://c:\windows\java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} - hxxp://support.asus.com/common/asusTek_sys_ctrl.cab
DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - hxxp://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/MyFunCardsFWBInitialSetup1.0.1.0.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {BCBC9371-595D-11D4-A96D-00105A1CEF6C} - hxxp://onlinedesigner.hgtv.com/images/app/view22rte.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
TCP: NameServer = 85.255.112.227,85.255.112.166
TCP: {FE72FDC3-D6F2-48AD-8472-F23492B6DE8B} = 85.255.112.227,85.255.112.166
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: mctp - {d7b95390-b1c5-11d0-b111-0080c712fe82} - c:\program files\microsoft activesync\AATP.DLL
WinCE Filter: image/bmp - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/gif - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/jpeg - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: image/xbm - {86F59FAE-FB3A-11D1-AA72-00C04FAE2D4B} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/asp - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
WinCE Filter: text/html - {6C5C3074-FFAB-11d1-8EC4-00C04F98D57A} - c:\program files\microsoft activesync\CENETFLT.DLL
Notify: AtiExtEvent - Ati2evxx.dll
Notify: avgrsstarter - avgrsstx.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\owner\applic~1\mozilla\firefox\profiles\z9528hve.default\
FF - prefs.js: browser.startup.homepage - hxxp://login.sitesell.com/|http://www.essential-oil-mama.com/
FF - component: c:\program files\avg\avg8\firefox\components\avgssff.dll
FF - component: c:\program files\avg\avg8\toolbarff\components\vmAVGConnector.dll
FF - plugin: c:\documents and settings\owner\application data\mozilla\firefox\profiles\z9528hve.default\extensions\moveplayer@movenetworks.com\platform\winnt_x86-msvc\plugins\npmnqmp071303000006.dll
FF - plugin: c:\program files\mozilla firefox\plugins\NPMyWebS.dll

---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true
============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2008-5-28 325896]
R1 AvgMfx86;AVG On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2007-9-17 27784]
R2 avg8wd;AVG8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-1-31 298776]
R2 ColdFusion MX ODBC Agent;ColdFusion MX ODBC Agent;h:\essential essence\site build it\cold fusion\db\slserver52\bin\swagent.exe "coldfusion mx odbc agent" --> h:\essential essence\site build it\cold fusion\db\slserver52\bin\swagent.exe ColdFusion MX ODBC Agent [?]
S2 MyWebSearchService;My Web Search Service;c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe --> c:\progra~1\mywebs~1\bar\1.bin\mwssvc.exe [?]
S3 US122;US122 Driver;c:\windows\system32\drivers\US122.sys [2008-3-9 215708]
S3 US122DL;US122 Firmware Downloader;c:\windows\system32\drivers\US122DL.sys [2008-3-9 17263]
S3 Us122WdmService;US122 Wdm Audio;c:\windows\system32\drivers\US122Wdm.sys [2008-3-9 84092]

=============== Created Last 30 ================

2009-05-30 11:57 40,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-30 11:57 19,096 a------- c:\windows\system32\drivers\mbam.sys
2009-05-30 11:57 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-05-30 11:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-05-26 12:36 <DIR> --d----- c:\program files\Cobian Backup 8
2009-05-24 17:44 <DIR> --d----- c:\windows\system32\appmgmt
2009-05-23 10:06 437 ---shr-- C:\autorun.inf
2009-05-06 03:00 <DIR> --d----- c:\windows\system32\KB905474
2009-05-04 15:42 <DIR> --d----- c:\program files\common files\SWF Studio

==================== Find3M ====================

2009-05-30 11:55 21 a------- C:\qpmd8376.bin
2009-05-19 09:45 325,896 a------- c:\windows\system32\drivers\avgldx86.sys
2009-05-19 09:45 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-06 09:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-02 19:18 826,368 a------- c:\windows\system32\wininet.dll
2007-06-23 17:08 284 -c------ c:\docume~1\owner\applic~1\ViewerApp.dat
2004-04-28 00:19 233,160 ac------ c:\program files\LISTOOL.EXE
2004-02-11 16:32 257,189 ac------ c:\program files\LISTOOL.CHM
2008-09-23 03:06 32,768 ac-sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092320080924\index.dat

============= FINISH: 15:16:17.85 ===============

Attached File(s)


#6 User is offline   SifuMike 

  • malware expert
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 15,385
  • Joined: 08-January 05
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 30 May 2009 - 04:49 PM

Hi Baybadoll,

Make sure you disabe Spyware Doctor as it will prevent Malwarebytes from working.
To disable Spyware Doctor from running on your system startup:
1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.
2. Click the "Settings" button on the left side.
3. Click the "Startup Settings" link.
4. Uncheck "Run at Windows Startup".
5. Click the "Apply" button.

If MBAM will not run, go to the program directory of MBAM (e.g. C:\Program FIles\Malwarebytes Antimalware\) then rename mbam.exe to newtool.exe, double click newtool.exe to proceed in running a Full scan.

Post the Malwarebytes log.

This post has been edited by SifuMike: 30 May 2009 - 04:52 PM

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#7 User is offline   Baybadoll 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 35
  • Joined: 23-May 09
  • Gender:Female
  • Location:Illinois

Posted 30 May 2009 - 06:22 PM

mbam log:

Malwarebytes' Anti-Malware 1.37
Database version: 2182
Windows 5.1.2600 Service Pack 3

5/30/2009 6:16:14 PM
mbam-log-2009-05-30 (18-16-13).txt

Scan type: Full Scan (C:\|D:\|E:\|H:\|)
Objects scanned: 429556
Time elapsed: 45 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 29
Registry Values Infected: 4
Registry Data Items Infected: 6
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\screensavercontrol.screensaverinstaller.1 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1E0DE227-5CE4-4ea3-AB0C-8B03E1AA76BC} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{53ced2d0-5e9a-4761-9005-648404e6f7e5} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{adb01e81-3c79-4272-a0f1-7b2be7a782dc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{07b18eab-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\MenuExt\&Search\ (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media\WMSDK\Sources\f3PopularScreensavers (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.227,85.255.112.166 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{fe72fdc3-d6f2-48ad-8472-f23492b6de8b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.227,85.255.112.166 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.227,85.255.112.166 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip\Parameters\Interfaces\{fe72fdc3-d6f2-48ad-8472-f23492b6de8b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.227,85.255.112.166 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.227,85.255.112.166 -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{fe72fdc3-d6f2-48ad-8472-f23492b6de8b}\NameServer (Trojan.DNSChanger) -> Data: 85.255.112.227,85.255.112.166 -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\program files\mozilla firefox\plugins\NPMyWebS.dll (Adware.MyWeb) -> Quarantined and deleted successfully.
c:\WINDOWS\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job (Trojan.FakeAlert) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\tempo-171046.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\tempo-206828.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\tempo-251234.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.
c:\WINDOWS\Temp\tempo-282046.tmp (Trojan.DNSChanger) -> Quarantined and deleted successfully.

#8 User is offline   SifuMike 

  • malware expert
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 15,385
  • Joined: 08-January 05
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 30 May 2009 - 06:32 PM

Hi,

Please tell me how the computer is running.


Please disable any running anti-virus program before running Kaspersky Online Scanner.
If you are unsure how to do this, see this topic: http://www.bleepingcomputer.com/forums/topic114351.html
Close any open browsers

Please do a scan with Kaspersky Online Scanner

You can refer to this animation by sundavis.


Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • In the drop down box labeled Files of type change the type to Text file.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
This scanner will only scan. It does not remove any malware it finds.

This post has been edited by SifuMike: 30 May 2009 - 06:35 PM

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 User is offline   Baybadoll 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 35
  • Joined: 23-May 09
  • Gender:Female
  • Location:Illinois

Posted 31 May 2009 - 07:48 AM

Hi!

Computer isn't slow anymore. Opening and closing folders and files normally.
I still can't defragment the C: and H: drives. And Nero still doesn't find my DVD drives.

No internet warning messages so far. No random pop ups or music.
But it is still redirecting my browser from a google search.

Here's another problem. From the Explorer My Computer page, every one of my hard drive icon links don't work. If I click on the address bar and select it that way I can open the drive. But when I click on the drive I get this error:
---------------------------
RECYCLER\S-2-3-33-100031774-100031622-100017864-7182.com
---------------------------
Windows cannot find 'RECYCLER\S-2-3-33-100031774-100031622-100017864-7182.com'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.
---------------------------

Here is the Kaspersky log:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Sunday, May 31, 2009
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Sunday, May 31, 2009 03:53:07
Records in database: 2282082
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan statistics:
Files scanned: 323282
Threat name: 41
Infected objects: 360
Suspicious objects: 47
Duration of the scan: 04:58:48


File name / Threat name / Threats count
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MNZN595I\cuplecha_com[1].htm Infected: Exploit.JS.Agent.aif 1
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WISS68NR\120600_dyn[1].htm Infected: Trojan-Clicker.JS.Agent.fp 1
C:\WINDOWS\Temp\tempo-108346546.tmp Infected: Trojan-Clicker.Win32.Agent.hni 1
C:\WINDOWS\Temp\tempo-337767375.tmp Infected: Trojan-Downloader.Win32.CodecPack.hss 1
H:\computer\{03F399F2-F0B4-4EFE-AEC1-6499ADAEE3E0}\Microsoft\Outlook Express\Java.dbx Infected: Hoax.JS.BadJoke.RJump 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\0008618B.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\000F3584.tmp Infected: Trojan-Clicker.HTML.IFrame.xr 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\00B04D84.tmp Infected: Email-Worm.Win32.Nyxem.e 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\00DF5200.tmp Infected: Email-Worm.Win32.Sober.y 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\032607D5.tmp Infected: Email-Worm.Win32.Bagle.z 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\0437153A.tmp Infected: Email-Worm.Win32.Bagle.z 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\0486375B.tmp Infected: Email-Worm.Win32.Sober.y 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\04AA7474.tmp Infected: Email-Worm.Win32.Bagle.z 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\04B71C65.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\04BD011E.tmp Infected: Email-Worm.Win32.Sober.y 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\04C86E53.tmp Infected: Email-Worm.Win32.Bagle.z 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\04CE424C.tmp Infected: Email-Worm.Win32.Mabutu.a 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\05570B4E.tmp Infected: Email-Worm.Win32.Nyxem.e 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\05715B31.tmp Infected: Email-Worm.Win32.Nyxem.e 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\058E5511.tmp Infected: Email-Worm.Win32.Nyxem.e 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\05B222E9.tmp Infected: Email-Worm.Win32.Nyxem.e 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\05D91ABE.tmp Infected: Email-Worm.Win32.Nyxem.e 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\076A3ACA.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\07D2228D.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\098121E2.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\0984153D.tmp Infected: Email-Worm.Win32.NetSky.t 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\09B13C08.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\09C10DF6.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\09C861EE.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\09D25FE4.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\09D833DC.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\09DF07D5.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\09EC2FC7.tmp Infected: Email-Worm.Win32.Klez.h 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\09F62DBC.tmp Infected: Email-Worm.Win32.Klez.h 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\09FC01B5.tmp Infected: Email-Worm.Win32.NetSky.aa 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\0A1A7B95.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\0A2A4D83.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\0A30217B.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\0B831364.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\0B9F3B92.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\0BCB2F15.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\0BDF2AFF.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\0BF97AE3.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\0BFF4EDB.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\0C1B6674.tmp Infected: Email-Worm.Win32.Sober.y 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\0C320C5B.tmp Infected: Email-Worm.Win32.Sober.y 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\0C4C5C3E.tmp Infected: Email-Worm.Win32.Sober.y 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\0EAC3E34.tmp Infected: Email-Worm.Win32.Sober.y 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\0EDA0A02.tmp Infected: Email-Worm.Win32.Sober.y 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\0EF703E1.tmp Infected: Email-Worm.Win32.Sober.y 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\13EC3D27.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\14047652.tmp Infected: Email-Worm.Win32.Sober.y 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\14B44BAB.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\151D0B38.tmp Infected: Trojan-PSW.Win32.Papras.ac 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\156D0B44.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\15972D15.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\15D01072.tmp Infected: Trojan-PSW.Win32.Papras.ac 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\15F61A93.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\16AE2A1F.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\16AE2A1F.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\16EB6785.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\176722FD.tmp Infected: Email-Worm.Win32.NetSky.aa 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\178A08F9.tmp Infected: Email-Worm.Win32.Nyxem.e 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\17E27698.tmp Infected: Email-Worm.Win32.Nyxem.e 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\181F7A3B.tmp Infected: Email-Worm.Win32.Bagle.z 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\18920E4C.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\18B23228.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\19DE49B6.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\1A8B7AF7.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\1CA85255.tmp Infected: Email-Worm.Win32.Bagle.z 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\1D37176C.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\1D443F5E.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\1D4A1357.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\1D825D1A.tmp Infected: Email-Worm.Win32.NetSky.aa 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\1DB779AF.tmp Infected: Email-Worm.Win32.Banwarum.l 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\1EB5128B.tmp Infected: Email-Worm.Win32.Zhelatin.o 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\1FEC6C35.tmp Infected: Trojan-PSW.Win32.Papras.ac 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\20A30692.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\20B02E84.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\20C6546A.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\20CD2863.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\20D72658.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\22766B77.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\227C3F6F.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\22831368.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\242575DF.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\243675C3.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\243C1BC6.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\24436FBF.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\245D3FA2.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\24673D98.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\24746589.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\247E637E.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\24810D7B.tmp Infected: Trojan-Clicker.HTML.IFrame.xr 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\24CD387C.tmp Infected: Email-Worm.Win32.Sober.p 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\25A4535B.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\25AA2754.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\25B74F46.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\25C14D3B.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\26A37D46.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\26B77930.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\26BD4D29.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\26FD697B.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\27ED631F.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\281A2EED.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\2902207C.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\29266E54.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\296B6009.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\299F7FCF.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\29E15A8C.tmp Infected: Email-Worm.Win32.NetSky.c 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\29E37184.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\29E57644.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\29FB2A6F.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\29FD55FC.tmp Infected: Email-Worm.Win32.NetSky.b 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\2A0B7C5D.tmp Infected: Email-Worm.Win32.NetSky.c 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\2A157A53.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\2A1B4E4B.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\2A361E2F.tmp Infected: Email-Worm.Win32.NetSky.c 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\2A3907DB.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\2A434620.tmp Infected: Email-Worm.Win32.NetSky.c 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\2A7328E6.tmp Infected: Trojan-PSW.Win32.Papras.ac 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\2AF222EE.tmp Infected: Email-Worm.Win32.NetSky.b 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\2B450A1F.tmp Infected: Email-Worm.Win32.Nyxem.e 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\2BB747A1.tmp Infected: Email-Worm.Win32.Nyxem.e 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\2C32436D.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\2C526749.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\2CB5306A.tmp Infected: Trojan-PSW.Win32.Papras.ac 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\2D8376FE.tmp Infected: Email-Worm.Win32.NetSky.b 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\2D9D46E1.tmp Infected: Email-Worm.Win32.NetSky.b 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\2DE2448F.tmp Infected: Net-Worm.Win32.Mytob.bi 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\2DEB1A7B.tmp Infected: Net-Worm.Win32.Mytob.fm 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\2DF96A76.tmp Infected: Net-Worm.Win32.Mytob.bi 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\2DFD7922.tmp Infected: Email-Worm.Win32.Nyxem.e 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\2DFF1666.tmp Infected: Net-Worm.Win32.Mytob.fm 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\2E0A3C64.tmp Infected: Net-Worm.Win32.Mytob.bi 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\2E131250.tmp Infected: Net-Worm.Win32.Mytob.fm 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\2E133A59.tmp Infected: Net-Worm.Win32.Mytob.bi 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\30CA24C5.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\30D422BA.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\30DE20AF.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\30E06B98.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\30F87093.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\30FE448B.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\344901E5.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\344901E5.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\345A53D3.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\351B7D4D.tmp Infected: Email-Worm.Win32.Nyxem.e 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\35427521.tmp Infected: Email-Worm.Win32.Nyxem.e 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\35F65DA1.tmp Infected: Email-Worm.Win32.Bagle.z 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\36221971.tmp Infected: Email-Worm.Win32.Bagle.z 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\36676513.tmp Infected: Email-Worm.Win32.NetSky.c 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\369206E4.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\369B04D9.tmp Infected: Trojan-Clicker.HTML.IFrame.sz 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\369F2ED5.tmp Infected: Email-Worm.Win32.NetSky.c 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\37A41E1F.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\37AA7218.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\37C86BF8.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\37CE3FF1.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\389D2FE4.tmp Infected: Email-Worm.Win32.Luder.a 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\38BA16E4.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\39013295.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\39013295.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\3A2C627E.tmp Infected: Email-Worm.Win32.NetSky.b 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\3A835DFC.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\3B157570.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\3B1C018A.tmp Infected: Trojan-PSW.Win32.Papras.w 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\3B221D62.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\3B25475E.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\3BCF06C4.tmp Infected: Trojan-PSW.Win32.Papras.w 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\3C040342.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\3CD6375B.tmp Infected: Trojan-Downloader.Win32.Bagle.at 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\3CF45BA2.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\3CFB2F9B.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\3CFE5997.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\3D467548.tmp Infected: Email-Worm.Win32.NetSky.aa 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\3E405563.tmp Infected: Email-Worm.Win32.Bagle.at 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\3E6B61C9.tmp Infected: Email-Worm.Win32.Bagle.z 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\42764ED8.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\42804CCD.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\429D46AD.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\42A41AA6.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\43167F22.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\43525E20.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\43B05A0D.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\43B62E06.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\43BD01FF.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\43C355F8.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\43CA29F0.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\440D7B29.tmp Infected: Email-Worm.Win32.NetSky.c 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\4418199A.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\441E4D17.tmp Infected: Email-Worm.Win32.NetSky.c 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\44203D15.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\44242110.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\443472FE.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\44381CFB.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\443E70F3.tmp Infected: Email-Worm.Win32.NetSky.c 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\445B30D5.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\44A1797C.tmp Infected: Email-Worm.Win32.Bagle.z 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\44D75771.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\47DE17C1.tmp Infected: Email-Worm.Win32.Bagle.bn 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\48083992.tmp Infected: Email-Worm.Win32.Bagle.bn 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\49DE1DF4.tmp Infected: Email-Worm.Win32.NetSky.c 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\49E81BE9.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\49F219DE.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\49F543DB.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\49FF41D0.tmp Infected: Email-Worm.Win32.NetSky.c 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\4A002055.tmp Infected: Email-Worm.Win32.Sober.y 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\4A2963A1.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\4A34401C.tmp Infected: Email-Worm.Win32.Sober.y 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\4A5139FB.tmp Infected: Email-Worm.Win32.Sober.y 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\4A685FE2.tmp Infected: Email-Worm.Win32.Sober.y 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\4A8659C2.tmp Infected: Email-Worm.Win32.Sober.y 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\4A9C7FA9.tmp Infected: Email-Worm.Win32.Sober.y 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\4ABD2385.tmp Infected: Email-Worm.Win32.Sober.y 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\4E7139D9.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\4E9F092D.tmp Infected: Email-Worm.Win32.Luder.a 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\4ECC2EBC.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\4ED62CB1.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\4EDD00AA.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\4EE02AA6.tmp Infected: Trojan-Clicker.HTML.IFrame.xr 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\4F393E84.tmp Infected: Email-Worm.Win32.Luder.a 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\4F595919.tmp Infected: Email-Worm.Win32.NetSky.ghc 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\4F62570E.tmp Infected: Email-Worm.Win32.NetSky.ghc 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\4FBF77F1.tmp Infected: Email-Worm.Win32.Luder.a 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\50C669E9.tmp Infected: Email-Worm.Win32.NetSky.b 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\514079A8.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\51504B96.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\51814160.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\51881558.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\5192134E.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\519C1143.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\519F3B3F.tmp Infected: Trojan-Clicker.HTML.IFrame.sz 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\52101930.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\523E07B0.tmp Infected: Trojan-Downloader.Win32.Bagle.p 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\52AA184A.tmp Infected: Email-Worm.Win32.Zhelatin.a 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\52C56105.tmp Infected: Email-Worm.Win32.NetSky.aa 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\52DC06EC.tmp Infected: Email-Worm.Win32.NetSky.aa 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\52DD77D1.tmp Infected: Email-Worm.Win32.Bagle.ba 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\52E775C6.tmp Infected: Email-Worm.Win32.Bagle.ba 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\52EC6002.tmp Infected: Email-Worm.Win32.Zhelatin.a 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\52ED49BF.tmp Infected: Email-Worm.Win32.Bagle.ba 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\52F41DB7.tmp Infected: Email-Worm.Win32.Bagle.ba 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\530A52B9.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\531350AE.tmp Infected: Email-Worm.Win32.NetSky.c 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\53444679.tmp Infected: Email-Worm.Win32.NetSky.aa 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\534E446E.tmp Infected: Email-Worm.Win32.NetSky.aa 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\53551867.tmp Infected: Email-Worm.Win32.NetSky.c 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\535B6C5F.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\53681451.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\536C3E4D.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\53721246.tmp Infected: Email-Worm.Win32.NetSky.c 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\537C103B.tmp Infected: Email-Worm.Win32.NetSky.aa 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\5450407A.tmp Infected: Trojan-Proxy.Win32.Lager.dp 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\55D87F83.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\567019A0.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\56806B8E.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\5683158A.tmp Infected: Trojan-Clicker.HTML.IFrame.sz 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\56A76363.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\56B73551.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\56BE094A.tmp Infected: Trojan-Clicker.HTML.IFrame.xr 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\57483188.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\574F0581.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\57580377.tmp Infected: Email-Worm.Win32.Klez.h 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\57832548.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\57897941.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\578D233D.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\57F63FA9.tmp Infected: Email-Worm.Win32.Bagle.z 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\5820049B.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\58290291.tmp Infected: Email-Worm.Win32.NetSky.aa 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\585D3F4E.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\589D7FD1.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\58D1190C.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\58EC7D46.tmp Infected: Email-Worm.Win32.Nyxem.e 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\5A174DFE.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\5AD073EB.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\5AED4EB1.tmp Infected: Email-Worm.Win32.Bagle.z 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\5AF441C4.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\5B2A6318.tmp Infected: Email-Worm.Win32.Luder.a 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\5B6930F9.tmp Infected: Email-Worm.Win32.Bagle.at 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\5B7902E7.tmp Infected: Email-Worm.Win32.Bagle.at 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\5C90484F.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\60FD64E2.tmp Infected: Trojan-PSW.Win32.Papras.ac 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\61404084.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\614D6876.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\61543C6F.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\61B21764.tmp Infected: Email-Worm.Win32.Nyxem.e 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\61ED0B23.tmp Infected: Email-Worm.Win32.Nyxem.e 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\62212AE9.tmp Infected: Email-Worm.Win32.Nyxem.e 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\625D2B09.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\62637F02.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\62766E8C.tmp Infected: Email-Worm.Win32.Nyxem.e 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\628422DE.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\62874CDB.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\62914AD0.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\629E72C1.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\62A1105D.tmp Infected: Email-Worm.Win32.Nyxem.e 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\62A11CBE.tmp Infected: Trojan-Clicker.HTML.IFrame.sz 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\62A80B25.tmp Infected: Email-Worm.Win32.Nyxem.e 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\62C55E36.tmp Infected: Email-Worm.Win32.Nyxem.e 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\62DF2E19.tmp Infected: Email-Worm.Win32.Nyxem.e 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\64894B18.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\64894B18.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\64921989.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\64B33D65.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\67E11DBE.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\67E771B7.tmp Infected: Trojan-Clicker.HTML.IFrame.sz 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\67EE45AF.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\689773EF.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\68A0791E.exe Infected: Packed.Win32.PolyCrypt.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\68A745DD.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\68AE19D6.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\68E1259A.tmp Infected: Net-Worm.Win32.Mytob.fm 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6932242C.tmp Infected: Email-Worm.Win32.NetSky.b 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\69530177.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\69774F4F.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6980396C.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\69847741.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6988213D.tmp Infected: Trojan-Clicker.HTML.IFrame.sz 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\698D615E.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\69900B5A.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\699A094F.tmp Infected: Email-Worm.Win32.NetSky.c 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\69B12F36.tmp Infected: Email-Worm.Win32.NetSky.c 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\69B7032F.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\69BB2D2B.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\69F276EE.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\69FC74E3.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\69FF1EE0.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6A1644C7.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6A3014AA.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6A39795D.tmp Infected: Email-Worm.Win32.Bagle.cl 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6A4A648D.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6A570C7F.tmp Infected: Trojan-Clicker.HTML.IFrame.xr 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6A741E69.tmp Infected: Email-Worm.Win32.NetSky.ghc 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6A81465B.tmp Infected: Email-Worm.Win32.NetSky.ghc 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6AE47BDC.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6AEE79D1.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6AFD2A08.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6B0175BC.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6B047E00.tmp Infected: Trojan-Clicker.HTML.IFrame.xr 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6B0E7BF6.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6B1571A6.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6B1B23E7.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6B2554BF.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6B393F7F.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6B8E47F8.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6C6C0E47.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6C793638.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6C800A31.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6D715A49.tmp Infected: Net-Worm.Win32.Mytob.fm 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6E5F007D.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6EC4160D.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6EE10FED.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6EF835D4.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6EFC6632.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6F066427.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6F0F5BBB.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6F2601A1.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6F641F5D.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\6F951527.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\702A4EC9.tmp Infected: Email-Worm.Win32.Bagle.fb 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\71A62D87.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\71D327DA.tmp Infected: Email-Worm.Win32.Nyxem.e 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\72D63D4E.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\72DC1147.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\72E36540.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\72EC6335.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\72F3372E.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\72FA1F00.tmp Infected: Email-Worm.Win32.NetSky.aa 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\72FD3523.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\730F5CE5.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\73320906.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\734B41C4.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\73553FB9.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\736267AB.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\736511A7.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\744305D6.tmp Infected: Email-Worm.Win32.Sober.y 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\744B2921.tmp Infected: Email-Worm.Win32.NetSky.d 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\748946DD.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\758F2CCF.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\75E42D0F.tmp Infected: Email-Worm.Win32.NetSky.b 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\766355E5.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\770D5D2A.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\7B2108FE.tmp Infected: Email-Worm.Win32.NetSky.b 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\7B68155C.tmp Infected: Email-Worm.Win32.Warezov.ev 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\7B900D31.tmp Infected: Email-Worm.Win32.Warezov.fb 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\7B923B46.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\7B980F3F.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\7BA3091B.tmp Infected: Email-Worm.Win32.Warezov.fb 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\7CBE34F3.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\7CDF58CF.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\7D3B62C7.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\7D4136C0.tmp Infected: Trojan-Clicker.HTML.IFrame.sz 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\7D6C5891.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\7D837E78.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\7D895271.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\7D9D4E5C.tmp Infected: Email-Worm.Win32.Klez.h 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\7DAD204A.tmp Infected: Email-Worm.Win32.Klez.h 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\7DE81409.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\7E2D05BD.tmp Infected: Trojan-Clicker.HTML.IFrame.sz 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\7EC96511.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\7ED36306.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\7ED96B71.tmp Infected: Email-Worm.Win32.Bagle.gen 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\7EDA36FF.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\7F7F7E22.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\7FA91FF4.tmp Infected: Email-Worm.Win32.NetSky.q 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\7FB31DE9.tmp Suspicious: Exploit.HTML.Iframe.FileDownload 1
H:\Software\Application Data\Symantec\Norton AntiVirus\Quarantine\7FF80F9D.tmp Infected: Email-Worm.Win32.NetSky.q 1

The selected area was scanned.

#10 User is offline   SifuMike 

  • malware expert
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 15,385
  • Joined: 08-January 05
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 31 May 2009 - 11:08 AM

Hi Baybadoll,

Please download GooredFix and save it to your Desktop.
Double-click Gooredfix.exe to run it. Select 1.
Find Goored (no fix) by typing 1 and pressing Enter.
A log will open, please post the contents of that log in your next reply (it can also be found on your desktop, called GooredLog.txt).
Note: Do not run Option #2 yet.

*************

Please download OTMoveIt3 by OldTimer and save it to your desktop.
Double click the icon on your desktop to run it.
(Note: If you are running on Vista, right-click on the file and choose Run As Administrator).


Copy the lines in the code box below to the clipboard by highlighting ALL of them and pressing CTRL + C[/b] (or, after highlighting, right-click and choose Copy):
Do not include the word "Code".


:files
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MNZN595I\cuplecha_com[1].htm 
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WISS68NR\120600_dyn[1].htm 
C:\WINDOWS\Temp\tempo-108346546.tmp 
C:\WINDOWS\Temp\tempo-337767375.tmp 
:commands
[emptytemp]
[Reboot]



Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

This post has been edited by SifuMike: 31 May 2009 - 11:09 AM

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 User is offline   Baybadoll 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 35
  • Joined: 23-May 09
  • Gender:Female
  • Location:Illinois

Posted 31 May 2009 - 03:43 PM

Hey.

The computer froze between the last instructions and these, but restarted fine. I did these instructions fine. Then after it rebooted (following OTMoveIt) it froze again. But again, restarted fine.
Here are the logs:



GooredFix v1.92 by jpshortstuff
Log created at 15:01 on 31/05/2009 running Option #1 (Owner)
Firefox version 3.0.10 (en-US)

=====Suspect Goored Entries=====

=====Dumping Registry Values=====

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Plugins"="C:\Program Files\Mozilla Firefox\plugins"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox 3.0.10\extensions]
"Components"="C:\Program Files\Mozilla Firefox\components"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"jqs@sun.com"="C:\Program Files\Java\jre6\lib\deploy\jqs\ff"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{1d5287d1-8a92-0001-1f31-1cec198018d8}"="C:\Program Files\AVG\AVG8\ToolbarFF"

[HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions]
"{3f963a5b-e555-4543-90e2-c3908898db71}"="C:\Program Files\AVG\AVG8\Firefox"



-------------------------------------



========== FILES ==========
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\MNZN595I\cuplecha_com[1].htm moved successfully.
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WISS68NR\120600_dyn[1].htm moved successfully.
C:\WINDOWS\Temp\tempo-108346546.tmp moved successfully.
C:\WINDOWS\Temp\tempo-337767375.tmp moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\Arj.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\avlib.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\Avp1.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\AvpMgr.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\CAB.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\dmap.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\dtreg.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\FsDrvPlg.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\FSSync.dll scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\HashCont.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\HashMD5.PPL scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\HCCMP.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\ichk2.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\iChkSA.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\IWGen.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\kave.dll scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\kosglue-7.0.26.0.dll scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\lha.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\L_llio.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\mdb.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\minizip.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\MKavIO.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\msoe.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\nfio.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\prKernel.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\prLoader.dll scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\PrUtil.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\rar.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\ScanningProcess.exe scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\sfdb.PPL scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\TempFile.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\thpimpl.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\UniArc.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\WDiskIO.ppl scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\hsperfdata_Owner\2716 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\hsperfdata_Owner\3432 scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Owner\LOCALS~1\Temp\etilqs_3oSsLw0gojQobRPQsSUz scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_9c4.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
File delete failed. C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\14\757e808e-2e0fafc8 scheduled to be deleted on reboot.
Java cache emptied.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\z9528hve.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\z9528hve.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\z9528hve.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\z9528hve.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\z9528hve.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\z9528hve.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05312009_150410

Files moved on Reboot...
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\Arj.ppl moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\avlib.ppl moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\Avp1.ppl moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\AvpMgr.ppl moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\CAB.ppl moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\dmap.ppl moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\dtreg.ppl moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\FsDrvPlg.ppl moved successfully.
DllUnregisterServer procedure not found in C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\FSSync.dll
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\FSSync.dll NOT unregistered.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\FSSync.dll moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\HashCont.ppl moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\HashMD5.PPL moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\HCCMP.ppl moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\ichk2.ppl moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\iChkSA.ppl moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\IWGen.ppl moved successfully.
DllUnregisterServer procedure not found in C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\kave.dll
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\kave.dll NOT unregistered.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\kave.dll moved successfully.
DllUnregisterServer procedure not found in C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\kosglue-7.0.26.0.dll
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\kosglue-7.0.26.0.dll NOT unregistered.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\kosglue-7.0.26.0.dll moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\lha.ppl moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\L_llio.ppl moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\mdb.ppl moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\minizip.ppl moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\MKavIO.ppl moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\msoe.ppl moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\nfio.ppl moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\prKernel.ppl moved successfully.
DllUnregisterServer procedure not found in C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\prLoader.dll
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\prLoader.dll NOT unregistered.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\prLoader.dll moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\PrUtil.ppl moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\rar.ppl moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\ScanningProcess.exe moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\sfdb.PPL moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\TempFile.ppl moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\thpimpl.ppl moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\UniArc.ppl moved successfully.
C:\DOCUME~1\Owner\LOCALS~1\Temp\jkos-Owner\binaries\WDiskIO.ppl moved successfully.
File C:\DOCUME~1\Owner\LOCALS~1\Temp\hsperfdata_Owner\2716 not found!
File C:\DOCUME~1\Owner\LOCALS~1\Temp\hsperfdata_Owner\3432 not found!
File C:\DOCUME~1\Owner\LOCALS~1\Temp\etilqs_3oSsLw0gojQobRPQsSUz not found!
File C:\WINDOWS\temp\Perflib_Perfdata_9c4.dat not found!
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\6.0\14\757e808e-2e0fafc8 moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\z9528hve.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\z9528hve.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\z9528hve.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\z9528hve.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\z9528hve.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\z9528hve.default\XUL.mfl moved successfully.

#12 User is offline   SifuMike 

  • malware expert
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 15,385
  • Joined: 08-January 05
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 31 May 2009 - 05:51 PM

Hi Baybadoll,

We will run ComboFix.

You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.
Please read Combofix's Disclaimer.
Further, ComboFix logs are not permitted outside the HijackThis forums and then only when requested by a HJT Team member.

You need to disable your AVGFree Antivirus and Spyware Doctor before running ComboFix, as they will prevent it from running.


To disable Spyware Doctor from running on your system startup:
1. First, disable the OnGuard Tools. This way, when you exit Spyware Doctor, these tools won't stay resident in the background.
2. Click the "Settings" button on the left side.
3. Click the "Startup Settings" link.
4. Uncheck "Run at Windows Startup".
5. Click the "Apply" button.

To disable AVG antivirus:  
Please open the AVG Control Center program -> double-click on the "AVG Resident Shield" component (looks like this: Posted Image) -> deselect the "Turn on AVG Resident Shield" checkmark and save the setting.
When you need to enable the AVG Resident Shield, ( I’ll let you know when) just open the AVG Control Center program -> double-click on the "AVG Resident Shield" component -> select the "Turn on AVG Resident Shield" checkmark and save the setting.


Note: If you already have a copy of ComboFix on your system it is essential that you delete it before downloading this copy.

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

To work properly, you must install ComboFix on the Desktop..
Post the log from ComboFix in your next reply,

A caution - ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal and increase security. If this is an issue or makes it difficult for you -- please tell me.
Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
Do not run Combofix more than once.
Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 User is offline   Baybadoll 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 35
  • Joined: 23-May 09
  • Gender:Female
  • Location:Illinois

Posted 31 May 2009 - 08:21 PM

I removed SpyDoctor (it never worked).

And disabled AVG by unchecking the enable Resident Shield option.

I also turned off windows firewall.

Do I need to disable malwarebytes? If so, how?

#14 User is offline   SifuMike 

  • malware expert
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 15,385
  • Joined: 08-January 05
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 31 May 2009 - 10:09 PM

Hi Baybadoll,


No, you dont need to disable Malwarebtes. That is run on demand.
You only need to disable your antivirus and and registry protectors (like Spybot Teatimer, Ad-Watch, Spyware Doctor, Winodws Defender, etc.)
If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!


Posted Image

Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#15 User is offline   Baybadoll 

  • Member
  • PipPip
  • Find Topics
  • Group: Members
  • Posts: 35
  • Joined: 23-May 09
  • Gender:Female
  • Location:Illinois

Posted 31 May 2009 - 11:11 PM

combofix won't run.

When I double-click on the icon, the warning message pops up - and I clicked on RUN but nothing happens. I tried three times (waiting in between just in case it took a while).

Share this topic:


  • 3 Pages +
  • 1
  • 2
  • 3
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users