Privacy Protector?, Error Cleaner, Spyware&malware,


8 replies to this topic

#1 chics

  • Members
  • 5 posts

Posted 04 June 2008 - 06:46 AM

Hi Guys,

In advance I would like to say thanks for your time with this little problem. A friend's PC has been infected with malware, viruses, keyloggers and other nasty bugs. I have managed to remove most of the offending items, less the Privacy Protector & Error Cleaner, plus I'm sure there are a few more lurking on the system. They seem to hijack the Active Desktop, redirect his web pages, and download and install a system_defender installer which auto-runs. There is also a VIRUS ALERT label in the Task Bar area, which also displays itself on all system message boxes.

Below are the Kaspersky Log & DSS log.

Regards

Paul

KASPERSKY ONLINE SCANNER REPORT
Tuesday, June 03, 2008 11:45:45 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 3/06/2008
Kaspersky Anti-Virus database records: 826461


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 60330
Number of viruses found 8
Number of infected objects 35
Number of suspicious objects 0
Duration of the scan process 00:47:44

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080603_Time-222722281_EnterceptExceptions.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080603_Time-222722281_EnterceptRules.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_HILL-5817C1253E.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_HILL-5817C1253E.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped

C:\Documents and Settings\Hill Family\Application Data\Teleca\Telecalib\Logging\Application logs\SpecificUSB_log.txt Object is locked skipped

C:\Documents and Settings\Hill Family\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Hill Family\Desktop\wanadoo2setup.exe/WISE0004.BIN/data0000.cab/wanadoo2.dll Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped

C:\Documents and Settings\Hill Family\Desktop\wanadoo2setup.exe/WISE0004.BIN/data0000.cab Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped

C:\Documents and Settings\Hill Family\Desktop\wanadoo2setup.exe/WISE0004.BIN Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped

C:\Documents and Settings\Hill Family\Desktop\wanadoo2setup.exe WiseSFX: infected - 3 skipped

C:\Documents and Settings\Hill Family\Desktop\wanadoo2setup.exe WiseSFXDropper: infected - 3 skipped

C:\Documents and Settings\Hill Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Hill Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Hill Family\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Hill Family\Local Settings\History\History.IE5\MSHist012008060320080604\index.dat Object is locked skipped

C:\Documents and Settings\Hill Family\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Hill Family\Local Settings\Temporary Internet Files\Content.IE5\SHY3KLA7\orange1setup[1].exe/WISE0004.BIN/data0000.cab/orange1.dll Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped

C:\Documents and Settings\Hill Family\Local Settings\Temporary Internet Files\Content.IE5\SHY3KLA7\orange1setup[1].exe/WISE0004.BIN/data0000.cab Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped

C:\Documents and Settings\Hill Family\Local Settings\Temporary Internet Files\Content.IE5\SHY3KLA7\orange1setup[1].exe/WISE0004.BIN Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped

C:\Documents and Settings\Hill Family\Local Settings\Temporary Internet Files\Content.IE5\SHY3KLA7\orange1setup[1].exe WiseSFX: infected - 3 skipped

C:\Documents and Settings\Hill Family\Local Settings\Temporary Internet Files\Content.IE5\SHY3KLA7\orange1setup[1].exe WiseSFXDropper: infected - 3 skipped

C:\Documents and Settings\Hill Family\ntuser.dat Object is locked skipped

C:\Documents and Settings\Hill Family\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\Orange\1\orange1setup.exe/data0000.cab/orange1.dll Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped

C:\Program Files\Orange\1\orange1setup.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped

C:\Program Files\Orange\1\orange1setup.exe Rsrc-Package: infected - 2 skipped

C:\Program Files\Orange\OBar\orange3setup.exe/data0000.cab/orange3.dll Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped

C:\Program Files\Orange\OBar\orange3setup.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped

C:\Program Files\Orange\OBar\orange3setup.exe Rsrc-Package: infected - 2 skipped

C:\Program Files\Orange\setup\Orange_icons.EXE/WISE0005.BIN/data0000.cab/orange3.dll Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped

C:\Program Files\Orange\setup\Orange_icons.EXE/WISE0005.BIN/data0000.cab Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped

C:\Program Files\Orange\setup\Orange_icons.EXE/WISE0005.BIN Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped

C:\Program Files\Orange\setup\Orange_icons.EXE WiseSFX: infected - 3 skipped

C:\Program Files\orange1\orange1.dll Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped

C:\Program Files\orange3\orange3.dll Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped

C:\Program Files\Wanadoo\2\wanadoo2setup.exe/data0000.cab/wanadoo2.dll Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped

C:\Program Files\Wanadoo\2\wanadoo2setup.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped

C:\Program Files\Wanadoo\2\wanadoo2setup.exe Rsrc-Package: infected - 2 skipped

C:\Program Files\wanadoo2\wanadoo2.dll Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{25EF164E-4B6D-40EA-99FD-7F75593CB348}\RP106\A0021592.exe Infected: Trojan-Downloader.Win32.Agent.qpc skipped

C:\System Volume Information\_restore{25EF164E-4B6D-40EA-99FD-7F75593CB348}\RP106\A0021593.exe Infected: Trojan-Downloader.Win32.Agent.qpc skipped

C:\System Volume Information\_restore{25EF164E-4B6D-40EA-99FD-7F75593CB348}\RP106\A0021595.exe Infected: Trojan-Downloader.Win32.Agent.qpc skipped

C:\System Volume Information\_restore{25EF164E-4B6D-40EA-99FD-7F75593CB348}\RP110\A0021891.exe Infected: not-a-virus:FraudTool.Win32.WinSpywareProtect.e skipped

C:\System Volume Information\_restore{25EF164E-4B6D-40EA-99FD-7F75593CB348}\RP111\A0022106.dll Infected: Worm.Win32.AutoRun.dwi skipped

C:\System Volume Information\_restore{25EF164E-4B6D-40EA-99FD-7F75593CB348}\RP111\A0022107.dll Infected: Trojan.Win32.Vapsup.fqr skipped

C:\System Volume Information\_restore{25EF164E-4B6D-40EA-99FD-7F75593CB348}\RP111\change.log Object is locked skipped

C:\WINNT\boqnrwdmstg.dll Infected: Trojan.Win32.Vapsup.fqu skipped

C:\WINNT\CSC\00000001 Object is locked skipped

C:\WINNT\Debug\PASSWD.LOG Object is locked skipped

C:\WINNT\edwf.exe Infected: Trojan.Win32.Vapsup.fqs skipped

C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped

C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped

C:\WINNT\Internet Logs\HILL-5817C1253E.ldb Object is locked skipped

C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped

C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped

C:\WINNT\SchedLgU.Txt Object is locked skipped

C:\WINNT\Sti_Trace.log Object is locked skipped

C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped

C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped

C:\WINNT\system32\config\default Object is locked skipped

C:\WINNT\system32\config\default.LOG Object is locked skipped

C:\WINNT\system32\config\SAM Object is locked skipped

C:\WINNT\system32\config\SAM.LOG Object is locked skipped

C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped

C:\WINNT\system32\config\SECURITY Object is locked skipped

C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped

C:\WINNT\system32\config\software Object is locked skipped

C:\WINNT\system32\config\software.LOG Object is locked skipped

C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped

C:\WINNT\system32\config\system Object is locked skipped

C:\WINNT\system32\config\system.LOG Object is locked skipped

C:\WINNT\system32\h323log.txt Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINNT\Temp\ZLT0518a.TMP Object is locked skipped

C:\WINNT\vregfwlx.dll Infected: Trojan.Win32.Vapsup.fqt skipped

C:\WINNT\wiadebug.log Object is locked skipped

C:\WINNT\wiaservc.log Object is locked skipped

Scan process completed.


Deckard's System Scanner v20071014.68
Run by Hill Family on 2008-06-04 12:19:42
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
39: 2008-06-04 11:19:48 UTC - RP112 - Deckard's System Scanner Restore Point
38: 2008-06-03 09:03:20 UTC - RP111 - Installed McAfee VirusScan Enterprise
37: 2008-06-02 15:14:03 UTC - RP110 - Installed AVG 7.5
36: 2008-06-02 15:13:23 UTC - RP109 - Removed AVG 7.5
35: 2008-06-02 13:45:46 UTC - RP108 - Restore Operation


-- First Restore Point --
1: 2008-06-02 13:45:43 UTC - RP74 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-04 12:22:34
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\system32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Network Associates\VirusScan\shstat.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Documents and Settings\Hill Family\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=...6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DC7CE95-C171-45C7-9225-8B0C40C14A18} - C:\WINNT\system32\tuvSkIba.dll (file missing)
O2 - BHO: (no name) - {46537D1F-3FF3-4429-81B0-1FE9B6FED0ED} - C:\WINNT\system32\mlJDsTJD.dll (file missing)
O2 - BHO: (no name) - {48F0B738-34A6-4113-B966-33C4EF85BCD9} - C:\WINNT\system32\awtussqN.dll
O2 - BHO: Wanadoo - {4E7BD74F-2B8D-469E-A0F1-F068B59BBB2A} - C:\Program Files\wanadoo2\wanadoo2.dll
O2 - BHO: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\Program Files\orange3\orange3.dll
O2 - BHO: Orange - {4E7BD74F-2B8D-469E-A3FB-F862B587B57D} - C:\Program Files\orange1\orange1.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar1.dll
O2 - BHO: QXK Olive - {B33B96B9-E0C2-4648-9819-A38DDCAFA33C} - C:\WINNT\boqnrwdmstg.dll
O2 - BHO: (no name) - {B8DBFEB3-306C-46A2-93C3-D55BDD32FFF3} - C:\WINNT\system32\efcASmMc.dll
O3 - Toolbar: Wanadoo - {4E7BD74F-2B8D-469E-A0F1-F068B59BBB2A} - C:\Program Files\wanadoo2\wanadoo2.dll
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\Program Files\orange3\orange3.dll
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A3FB-F862B587B57D} - C:\Program Files\orange1\orange1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [0878631b] rundll32.exe "C:\WINNT\system32\fntsgndy.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [internat.exe] internat.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [internat.exe] internat.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [internat.exe] internat.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [internat.exe] internat.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Monitor.lnk = ?
O4 - Global Startup: Sweex WiFi Utility.lnk = ?
O8 - Extra context menu item: orange search - file://C:\Program Files\ORANGE1\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: Wanadoo Search - file://C:\Program Files\WANADOO2\Cache\SelectedContextSearch.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1105034927578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1166971086109
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab
O20 - Winlogon Notify: awtussqN - C:\WINNT\system32\awtussqN.dll
O21 - SSODL: vregfwlx - {6BAEE709-273F-4EDA-8143-8C722DA9A61F} - C:\WINNT\vregfwlx.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe


--
End of file - 8940 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 cdrbsvsd - c:\winnt\system32\drivers\cdrbsvsd.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
R1 NaiAvTdi1 - c:\winnt\system32\drivers\mvstdi5x.sys <Not Verified; McAfee Inc.; VirusScan>
R1 StarOpen - c:\winnt\system32\drivers\staropen.sys
R3 Afc (PPdus ASPI Shell) - c:\winnt\system32\drivers\afc.sys <Not Verified; Arcsoft, Inc.; Arcsoft® ASPI Shell>
R3 EntDrv51 - c:\winnt\system32\drivers\entdrv51.sys <Not Verified; McAfee, Inc; VirusScan>
R3 NaiAvFilter1 - c:\winnt\system32\drivers\naiavf5x.sys <Not Verified; McAfee Inc.; VirusScan>
R3 pfc (Padus ASPI Shell) - c:\winnt\system32\drivers\pfc.sys <Not Verified; Padus, Inc.; Padus® ASPI Shell>

S2 Ca536av (DigitalCam Pro Video Camera Device) - c:\winnt\system32\drivers\ca536av.sys <Not Verified; Digital Camera; Digital Camera Driver>
S3 HAM (Ambient HaM Data Fax) - c:\winnt\system32\drivers\ham.sys <Not Verified; Ambient Technologies, Inc.; Ambient Technologies® Hardware accelerated Modem Driver>
S3 PCANDIS5 (PCANDIS5 NDIS Protocol Driver) - c:\winnt\system32\pcandis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>
S3 RT73 (Sweex Wireless Lan USB2.0 Adapter 54Mbps) - c:\winnt\system32\drivers\rt73.sys <Not Verified; Ralink Technology, Corp.; Ralink 802.11 Wireless Adapters>
S3 USBCamera (DigitalCam Pro Still Camera Device) - c:\winnt\system32\drivers\bulk536.sys <Not Verified; USB BULK; Platform SDK Sample Code>
S3 usbhub20 (USB 2.0 Root Hub Support) - c:\winnt\system32\drivers\usbhub20.sys <Not Verified; Microsoft Corporation; Microsoft® Windows ® 2000 Operating System>
S4 Parallel (Parallel class driver) - c:\winnt\system32\drivers\parallel.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 McAfeeFramework (McAfee Framework Service) - c:\program files\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework>
R2 McTaskManager (Network Associates Task Manager) - "c:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2008-05-04 and 2008-06-04 -----------------------------

2008-06-03 22:38:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-06-03 22:38:50 0 d-------- C:\WINNT\system32\Kaspersky Lab
2008-06-03 22:32:40 95232 --a------ C:\WINNT\system32\fntsgndy.dll
2008-06-03 22:32:01 245869 --ahs---- C:\WINNT\system32\cMmSAcfe.ini2
2008-06-03 22:31:54 324352 --a------ C:\WINNT\system32\efcASmMc.dll
2008-06-03 21:10:28 246305 --ahs---- C:\WINNT\system32\DJTsDJlm.ini2
2008-06-03 19:58:59 0 d-------- C:\WINNT\privacy_danger
2008-06-03 13:55:53 0 d-------- C:\Documents and Settings\chics\Application Data\Google
2008-06-03 11:17:49 4212 ---h----- C:\WINNT\system32\zllictbl.dat
2008-06-03 11:17:00 0 d-------- C:\WINNT\system32\ZoneLabs
2008-06-03 11:16:25 0 d-------- C:\WINNT\Internet Logs
2008-06-03 10:21:55 0 d-------- C:\Documents and Settings\Administrator\Application Data\Google
2008-06-03 10:04:54 0 d-------- C:\Program Files\Common Files\Cisco Systems
2008-06-03 10:04:32 117024 --a------ C:\WINNT\system32\drivers\naiavf5x.sys <Not Verified; McAfee Inc.; VirusScan>
2008-06-03 10:04:32 59904 --a------ C:\WINNT\system32\drivers\mvstdi5x.sys <Not Verified; McAfee Inc.; VirusScan>
2008-06-03 10:03:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Network Associates
2008-06-03 10:03:15 0 d-------- C:\Program Files\Network Associates
2008-06-03 10:03:15 0 d-------- C:\Program Files\Common Files\Network Associates
2008-06-03 10:01:49 0 d-------- C:\Documents and Settings\Administrator\Application Data\TmpRecentIcons
2008-06-03 10:01:47 0 d-------- C:\Documents and Settings\Administrator\Application Data\Teleca
2008-06-03 10:01:31 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-03 09:28:59 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-03 09:28:59 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-03 09:28:59 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-03 09:28:59 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-06-03 09:28:59 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-03 09:28:59 2097152 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-03 09:28:59 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-03 09:28:59 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-06-03 09:28:59 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-03 09:28:59 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-06-03 09:28:59 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-03 09:28:59 0 d---s---- C:\Documents and Settings\Administrator\Cookies
2008-06-03 09:28:59 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-03 09:28:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2008-06-03 09:28:59 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-03 09:13:20 0 d-------- C:\Documents and Settings\chics\Application Data\TmpRecentIcons
2008-06-03 09:13:16 0 d-------- C:\Documents and Settings\chics\Application Data\Teleca
2008-06-03 09:12:58 0 d-------- C:\Documents and Settings\chics\Application Data\Identities
2008-06-03 09:12:40 0 d-------- C:\Documents and Settings\chics\Application Data\AVG7
2008-06-03 09:12:39 0 d--h----- C:\Documents and Settings\chics\Templates
2008-06-03 09:12:39 0 dr------- C:\Documents and Settings\chics\Start Menu
2008-06-03 09:12:39 0 dr-h----- C:\Documents and Settings\chics\SendTo
2008-06-03 09:12:39 0 dr-h----- C:\Documents and Settings\chics\Recent
2008-06-03 09:12:39 0 d--h----- C:\Documents and Settings\chics\PrintHood
2008-06-03 09:12:39 2097152 --ah----- C:\Documents and Settings\chics\NTUSER.DAT
2008-06-03 09:12:39 0 d--h----- C:\Documents and Settings\chics\NetHood
2008-06-03 09:12:39 0 dr------- C:\Documents and Settings\chics\My Documents
2008-06-03 09:12:39 0 d--h----- C:\Documents and Settings\chics\Local Settings
2008-06-03 09:12:39 0 dr------- C:\Documents and Settings\chics\Favorites
2008-06-03 09:12:39 0 d-------- C:\Documents and Settings\chics\Desktop
2008-06-03 09:12:39 0 d---s---- C:\Documents and Settings\chics\Cookies
2008-06-03 09:12:39 0 dr-h----- C:\Documents and Settings\chics\Application Data
2008-06-03 09:12:39 0 d-------- C:\Documents and Settings\chics\Application Data\Symantec
2008-06-03 09:12:39 0 d---s---- C:\Documents and Settings\chics\Application Data\Microsoft
2008-06-02 16:44:23 0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-02 16:14:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-06-02 14:53:19 0 d-------- C:\Documents and Settings\Hill Family\Application Data\TmpRecentIcons
2008-05-25 17:04:38 247169 --ahs---- C:\WINNT\system32\abIkSvut.ini2
2008-05-25 16:59:32 29312 --a------ C:\WINNT\system32\awtussqN.dll
2008-05-25 16:59:19 323584 --a------ C:\WINNT\vregfwlx.dll
2008-05-25 16:59:18 159744 --a------ C:\WINNT\edwf.exe
2008-05-25 16:59:18 266240 --a------ C:\WINNT\boqnrwdmstg.dll
2008-05-18 11:31:41 0 d-------- C:\Program Files\Full Marks


-- Find3M Report ---------------------------------------------------------------

2008-06-03 21:01:24 0 d-------- C:\Program Files\wanadoo2
2008-06-03 21:01:24 0 d-------- C:\Program Files\orange3
2008-06-03 21:01:23 0 d-------- C:\Program Files\orange1
2008-06-03 10:04:54 0 d-a------ C:\Program Files\Common Files


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DC7CE95-C171-45C7-9225-8B0C40C14A18}]
C:\WINNT\system32\tuvSkIba.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46537D1F-3FF3-4429-81B0-1FE9B6FED0ED}]
C:\WINNT\system32\mlJDsTJD.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48F0B738-34A6-4113-B966-33C4EF85BCD9}]
25/05/2008 16:59: VIRUS ALERT! 29312 --a------ C:\WINNT\system32\awtussqN.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4E7BD74F-2B8D-469E-A3FB-F862B587B57D}]
30/05/2006 12:26: VIRUS ALERT! 1369600 --a------ C:\PROGRA~1\orange1\orange1.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B33B96B9-E0C2-4648-9819-A38DDCAFA33C}]
24/05/2008 16:19: VIRUS ALERT! 266240 --a------ C:\WINNT\boqnrwdmstg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8DBFEB3-306C-46A2-93C3-D55BDD32FFF3}]
03/06/2008 22:31: VIRUS ALERT! 324352 --a------ C:\WINNT\system32\efcASmMc.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{4E7BD74F-2B8D-469E-A3FB-F862B587B57D}"= C:\PROGRA~1\orange1\orange1.dll [30/05/2006 12:26: VIRUS ALERT! 1369600]

[-HKEY_CLASSES_ROOT\CLSID\{4E7BD74F-2B8D-469E-A3FB-F862B587B57D}]
[HKEY_CLASSES_ROOT\orange1.ORANGE1]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03/08/2004 23:56: VIRUS ALERT! C:\WINNT\system32\mobsync.exe]
"NvMediaCenter"="C:\WINNT\system32\NvMcTray.dll" [24/03/2004 10:04: VIRUS ALERT!]
"C-Media Mixer"="Mixer.exe" [15/10/2002 19:00: VIRUS ALERT! C:\WINNT\mixer.exe]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [31/10/2003 19:42: VIRUS ALERT!]
"NeroCheck"="C:\WINNT\system32\NeroCheck.exe" [09/07/2001 11:50: VIRUS ALERT!]
"@"="" []
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26/10/2005 17:17: VIRUS ALERT!]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [26/10/2006 16:47: VIRUS ALERT!]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [09/03/2007 12:09: VIRUS ALERT!]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 23:16: VIRUS ALERT!]
"RegistryMechanic"="" []
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [22/09/2004 08:00: VIRUS ALERT!]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [06/08/2004 03:50: VIRUS ALERT!]
"Network Associates Error Reporting Service"="C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe" [07/10/2003 09:48: VIRUS ALERT!]
"Zone Labs Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [15/11/2005 00:51: VIRUS ALERT!]
"0878631b"="C:\WINNT\system32\fntsgndy.dll" [03/06/2008 22:32: VIRUS ALERT!]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="" []
"PowerBar"="" []
"CTFMON.EXE"="C:\WINNT\system32\ctfmon.exe" [03/08/2004 23:56: VIRUS ALERT!]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 17:24: VIRUS ALERT!]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"internat.exe"=internat.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [17/02/1999 21:05:56]
Monitor.lnk - C:\Program Files\ArcSoft\Media Card Companion\MCC Monitor.exe [07/03/2002 19:22:08]
Sweex WiFi Utility.lnk - C:\Program Files\Sweex\Installer\WINXP\SWU.exe [23/12/2006 15:20:48]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
"NoDispCPL"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=1 (0x1)
"StartMenuLogoff"=1 (0x1)
"NoStartMenuMorePrograms"=0 (0x0)
"NoSetFolders"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{48F0B738-34A6-4113-B966-33C4EF85BCD9}"= C:\WINNT\system32\awtussqN.dll [25/05/2008 16:59: VIRUS ALERT! 29312]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"vregfwlx"= {6BAEE709-273F-4EDA-8143-8C722DA9A61F} - C:\WINNT\vregfwlx.dll [24/05/2008 16:19: VIRUS ALERT! 323584]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtussqN]
awtussqN.dll 25/05/2008 16:59: VIRUS ALERT! 29312 C:\WINNT\system32\awtussqN.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\system32\efcASmMc

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

*Newly Created Service* - ENTDRV51



-- Hosts -----------------------------------------------------------------------

127.0.0.1 .archivioadulti.com
127.0.0.1 .internet-explorer.name
127.0.0.1 .katasearch.com
127.0.0.1 .preferiti-windows.com
127.0.0.1 .qoogler.com
127.0.0.1 .tuttoavolonta.com
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com

8594 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-04 12:24:11 ------------


Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Celeron® CPU 2.66GHz
Percentage of Memory in Use: 61%
Physical Memory (total/avail): 511.53 MiB / 198.07 MiB
Pagefile Memory (total/avail): 1250.27 MiB / 973.65 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1921.14 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 31.48 GiB total, 22.11 GiB free.
D: is CDROM (CDFS)

\\.\PHYSICALDRIVE0 - HDS722580VLAT20 - 31.49 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 31.48 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.

FW: ZoneAlarm Pro Firewall v6.1.737.000 (Zone Labs, Inc.) Disabled

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Hill Family\Application Data
CLASSPATH=C:\Program Files\QuickTime\QTSystem\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HILL-5817C1253E
ComSpec=C:\WINNT\system32\cmd.exe
DEFAULT_CA_NR=CA6
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Hill Family
LOGONSERVER=\\HILL-5817C1253E
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\system32\WBEM;C:\Program Files\Common Files\Teleca Shared;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Samsung\Samsung PC Studio 3\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 4 Stepping 1, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0401
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\HILLFA~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\HILLFA~1\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=HILL-5817C1253E
USERNAME=Hill Family
USERPROFILE=C:\Documents and Settings\Hill Family
windir=C:\WINNT


-- User Profiles ---------------------------------------------------------------

Hill Family (admin)
chics (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINNT\INF\PCHealth.inf
Adobe Acrobat Reader 3.01 --> C:\WINNT\uninst.exe -fC:\Acrobat3\Reader\DeIsL1.isu
Adobe Flash Player ActiveX --> C:\WINNT\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Reader 8.1.2 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81200000003}
Adobe® Photoshop® Album Starter Edition 3.2 --> MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
Ahead Nero Burning ROM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
ArcSoft Media Card Companion --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3580211E-3BB7-42C0-ADC3-9A8C1EFFF2CB}\SETUP.EXE" -l0x9
ArcSoft PhotoImpression 5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{93F599DF-519B-4706-A3F1-9530DF2590B4}\SETUP.EXE" -l0x9
ArcSoft Software Suite --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{24DE6EDD-AF14-48D7-AAE9-E998E3A3F1EE}\Setup.exe" -l0x9
Art Attack --> C:\WINNT\IsUninst.exe -f"C:\Program Files\Europress\Art Attack\Uninst.isu"
Concord 3045 Camera Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8A11D564-8168-4496-985A-5C91DC6CEECB}\setup.exe" -l0x9
DeepBurner v1.6.0.198 --> "C:\Program Files\Astonsoft\DeepBurner\Uninstall.exe" "C:\Program Files\Astonsoft\DeepBurner\install.log"
Disc2Phone --> MsiExec.exe /I{FFAB5ABB-8AAB-42E2-847F-1743E51E01E9}
DVD Solution --> "C:\Program Files\Uninstall_CDS.exe"
Full Marks English Skills --> C:\WINNT\IsUninst.exe -f"C:\Program Files\Full Marks\English Skills\Uninst.isu"
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
Internet Explorer Q903235 --> C:\WINNT\ieuninst.exe C:\WINNT\INF\Q903235.inf
Kaspersky Online Scanner --> C:\WINNT\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
LiveUpdate BVRP Software --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{76E41F43-59D2-4F30-BA42-9A762EE1E8DE}\Setup.exe" -l0x9
McAfee VirusScan Enterprise --> MsiExec.exe /I{5DF3D1BB-894E-4DCD-8275-159AC9829B43}
Medi@Show --> C:\WINNT\IsUninst.exe -f"C:\Program Files\CyberLink DVD Solution\MediaShow\Uninst.isu"
Microsoft Office 2000 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
mobile PhoneTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F18E8A0F-BE99-4305-96A5-6C0FD9D7D999}\setup.exe" -l0x9
MP3 Player Utilities --> MsiExec.exe /I{5BBFB0E4-2250-49C3-A8A3-65BE2197D13B}
Multimedia Launcher --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{1FBF6C24-C1FD-4101-A42B-0C564F9E8E79}\setup.exe" -uninstall
NVIDIA Display Driver --> C:\WINNT\system32\nvudisp.exe Uninstall C:\WINNT\system32\nvdisp.nvu,NVIDIA Display Driver
Orange Search Toolbar --> C:\Program Files\orange1\uninstall.exe -uninstall -prompt
Orange Search Toolbar --> C:\Program Files\orange3\uninstall.exe -uninstall -prompt
PCI Audio Applications --> C:\WINNT\IsUninst.exe -f"C:\Program Files\PCI Audio Applications\Uninst.isu"
PCI Audio Driver --> cmuninst.exe
PMP DV --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CFF7157F-A33F-477F-909E-FBD39DAE6C2A}\Setup.exe"
Power2Go 3.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{40BF1E83-20EB-11D8-97C5-0009C5020658}\setup.exe" -uninstall
PowerDirector --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{CB099890-1D5F-11D5-9EA9-0050BAE317E1}\setup.exe" -uninstall
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
PowerProducer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
Pro Pinball : Fantastic Journey --> C:\PROGRA~1\PROPIN~1\FANTAS~1\UNWISE.EXE C:\PROGRA~1\PROPIN~1\FANTAS~1\INSTALL.LOG
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{4E5E22C2-1386-47AE-8EDE-32DDCDCD6653} /l1033
Registry Mechanic 5.2 --> "C:\Program Files\Registry Mechanic\unins000.exe"
Rugrats Print Shop --> C:\WINNT\UNINST.EXE -f"C:\THEKID~1\RUGRAT~1.0\DeIsL1.isu" -c"C:\THEKID~1\RUGRAT~1.0\psfinst.dll"
SAMSUNG CDMA Modem Driver Set --> C:\WINNT\system32\Samsung_USB_Drivers\3\SSCDUninstall.exe
SAMSUNG Mobile Composite Device Software --> C:\WINNT\system32\Samsung_USB_Drivers\6\SSBCUninstall.exe
Samsung Mobile phone USB driver Software --> C:\WINNT\system32\Samsung_USB_Drivers\5\SSSDUninstall.exe
SAMSUNG Mobile USB Modem 1.0 Software --> C:\WINNT\system32\Samsung_USB_Drivers\1\SS_Uninstall.exe
SAMSUNG Mobile USB Modem Software --> C:\WINNT\system32\Samsung_USB_Drivers\2\SSM_Uninstall.exe
Samsung PC Studio 3 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C4A4722E-79F9-417C-BD72-8D359A090C97}\setup.exe" -l0x9 -removeonly
Samsung PC Studio 3 USB Driver Installer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBA29752-DDD2-4B62-B2E3-9841F92A3E3A}\setup.exe" -l0x9 -removeonly
SiS 900 PCI Fast Ethernet Adapter Driver --> C:\Progra~1\SiSLan\Uninst.exe
Smurfs' Workshop --> C:\PROGRA~1\INFOSCHT\UNWISE.EXE C:\PROGRA~1\INFOSCHT\INSTALL.LOG
Snood Towers for Windows version 1.02 --> "C:\Program Files\Snood Towers\unins000.exe"
Sony Ericsson PC Suite --> MsiExec.exe /I{26B5D684-75D6-44B9-BBFF-D4100F43092A}
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Sweex WiFi Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{356D234E-3AD4-4495-B5CD-9AC1C05A19C8}\setup.exe" -l0x9 -removeonly
The Simpsons Hit & Run ™ Demo --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F79AAB3A-B8B4-4AC7-94AB-1C4C076C6A89}\setup.exe" -l0x9
Wanadoo Search Toolbar --> C:\Program Files\wanadoo2\uninstall.exe -uninstall -prompt
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type6839 / Warning
Event Submitted/Written: 06/04/2008 00:23:49 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from HILL-5817C1253E IP 192.168.1.5 user SYSTEM running VirusScan Enter 8.0 OAS)

Event Record #/Type6838 / Warning
Event Submitted/Written: 06/04/2008 00:23:49 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from HILL-5817C1253E IP 192.168.1.5 user SYSTEM running VirusScan Enter 8.0 OAS)

Event Record #/Type6837 / Warning
Event Submitted/Written: 06/04/2008 00:23:46 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: Would be blocked by behaviour blocking rule (rule is currently in warn mode) (warn only mode!).(from HILL-5817C1253E IP 192.168.1.5 user SYSTEM running VirusScan Enter 8.0 OAS)

Event Record #/Type6826 / Error
Event Submitted/Written: 06/03/2008 07:50:50 PM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application IEXPLORE.EXE, version 6.0.2900.2180, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type6825 / Error
Event Submitted/Written: 06/03/2008 07:45:06 PM
Event ID/Source: 257 / Alert Manager Event Interface
Event Description:
VirusScan Enterprise: The file C:\System Volume Information\_restore{25EF164E-4B6D-40EA-99FD-7F75593CB348}\RP106\A0021591.exe is infected with Generic.dx Trojan. The file was successfully deleted.(from HILL-5817C1253E IP 192.168.1.5 user NT AUTHORITY\SYSTEM running VirusScan Enter 8.0 OAS)



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type39958 / Error
Event Submitted/Written: 06/04/2008 00:17:22 PM
Event ID/Source: 9 / atapi
Event Description:
The device, \Device\Ide\IdePort1, did not respond within the timeout period.

Event Record #/Type39947 / Error
Event Submitted/Written: 06/04/2008 00:16:59 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The DigitalCam Pro Video Camera Device service failed to start due to the following error:
%%1058

Event Record #/Type39917 / Error
Event Submitted/Written: 06/03/2008 10:27:14 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The DigitalCam Pro Video Camera Device service failed to start due to the following error:
%%1058

Event Record #/Type39901 / Warning
Event Submitted/Written: 06/03/2008 09:54:17 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 00112FBC57A0. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type39898 / Error
Event Submitted/Written: 06/03/2008 09:06:23 PM
Event ID/Source: 9 / atapi
Event Description:
The device, \Device\Ide\IdePort1, did not respond within the timeout period.



-- End of Deckard's System Scanner: finished at 2008-06-04 12:24:11 ------------

Thanks


#2 OldTimer (Malware Expert; Members; 11,092 posts; Location: North Carolina)

Posted 05 June 2008 - 03:51 PM

Hello chics and welcome to BC. Let's see what we can find. Please follow the steps below in order:

Before running a new scan let's clean out the temporary folders.

Download ATF Cleaner to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Click Select All found at the bottom of the list.
  • Click the Empty Selected button.
If you use Firefox browser, do this also:
  • Click Firefox at the top and choose Select All from the list.
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser, do this also:
  • Click Opera at the top and choose Select All from the list.
  • Close ALL Internet browsers (very important).
  • Click the Empty Selected button.
  • NOTE : If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Now download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program (if you are running on Vista then right-click the program and choose Run as Administrator).
  • In the Drivers section click on Non-Microsoft.
  • Under Additional Scans click the checkboxes in front of the following items to select them:
    • Reg - BotCheck
      Reg - Software Policy Settings
      File - Additional Folder Scans
  • copy/paste the text in the codebox below into the Custom Scans box:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    HKEY_CURRENT_USER\Control Panel\International
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  • Save the file to your desktop or other location where you can find it back.
Use the Add Reply button and attach the file in your next post (do not try to copy/paste it into the post).

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

#3 chics (Topic Starter; Members; 5 posts)

Posted 06 June 2008 - 10:38 AM

OT,

Cheers for the reply. Please find attached log as requested.

Regards

Paul


#4 OldTimer (Malware Expert; Members; 11,092 posts; Location: North Carolina)

Posted 06 June 2008 - 11:13 AM

Hi chics. Let's see what we can do. Follow the steps below in order:

Step #1

Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
%systemroot%\boqnrwdmstg.dll
%systemroot%\edwf.exe
%systemroot%\system32\abiksvut.ini
%systemroot%\system32\abiksvut.ini2
%systemroot%\system32\askpayvs.ini
%systemroot%\system32\awtussqn.dll
%systemroot%\system32\ccfpemtg.ini
%systemroot%\system32\cmmsacfe.ini
%systemroot%\system32\cmmsacfe.ini2
%systemroot%\system32\djtsdjlm.ini
%systemroot%\system32\djtsdjlm.ini2
%systemroot%\system32\efcasmmc.dll
%systemroot%\system32\guxltici.ini
%systemroot%\system32\icitlxug.dll
%systemroot%\system32\ydngstnf.ini
%systemroot%\vregfwlx.dll
%userprofile%\desktop\privacy protector.url
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat
c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat
Folders to delete:
%systemroot%\privacy_danger

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Now, start The Avenger program by clicking on its icon on your desktop.
  • Click in the window labeled Input Script Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
  • Click the Execute button
  • Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Step #2

Start OTScanIt. Copy/Paste the information in the codebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> ~EmptyValue -> []
YY -> 0878631b -> %SystemRoot%\system32\icitlxug.dll [rundll32.exe "C:\WINNT\system32\icitlxug.dll",b]
YN -> RegistryMechanic -> []
< Run [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YN -> Power2GoExpress -> []
YN -> PowerBar -> []
< SSODL [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
YY -> {E833183C-443C-4721-BC5D-7F4D1110C867} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\vregfwlx.dll [vregfwlx]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YY -> {48F0B738-34A6-4113-B966-33C4EF85BCD9} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\awtussqN.dll []
< Winlogon\Notify settings [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YY -> awtussqN -> %SystemRoot%\system32\awtussqN.dll
< CurrentVersion Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\CDRAutoRun -> 0
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoToolbarCustomize -> 1
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives -> 12
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\StartMenuLogoff -> 1
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoStartMenuMorePrograms -> 0
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoSetFolders -> 0
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> 
< Internet Explorer Settings [HKEY_CURRENT_USER\] > -> 
YN -> HKEY_CURRENT_USER\: Main\\Start Page -> http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {0DC7CE95-C171-45C7-9225-8B0C40C14A18} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\tuvSkIba.dll [Reg Error: Value  does not exist or could not be read.]
YN -> {46537D1F-3FF3-4429-81B0-1FE9B6FED0ED} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\mlJDsTJD.dll [Reg Error: Value  does not exist or could not be read.]
YY -> {48F0B738-34A6-4113-B966-33C4EF85BCD9} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\awtussqN.dll [Reg Error: Value  does not exist or could not be read.]
YY -> {6D216B4A-FC4C-4057-B2B3-D95475B698D9} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\system32\efcASmMc.dll [Reg Error: Value  does not exist or could not be read.]
YY -> {B33B96B9-E0C2-4648-9819-A38DDCAFA33C} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\boqnrwdmstg.dll [QXK Olive]
< Internet Explorer Bars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\
YN -> {32683183-48a0-441b-a342-7c2a440a9478} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Internet Explorer ToolBars [HKEY_CURRENT_USER\] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\
YN -> WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
YN -> WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
[Registry - Additional Scans - Non-Microsoft Only]
< BotCheck > -> 
*Authentication Packages* -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages
YY -> C:\WINNT\system32\efcASmMc -> %SystemRoot%\system32\efcASmMc.dll
< BotCheck > -> 
< Software Policy Settings [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\policies\
YN -> HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions\\NoBrowserOptions -> 0
YN -> HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\\DisableCMD -> 0
[Files/Folders - Created Within 30 days]
NY -> 1 C:\*.tmp files -> C:\*.tmp
NY -> abIkSvut.ini -> %SystemRoot%\System32\abIkSvut.ini
NY -> abIkSvut.ini2 -> %SystemRoot%\System32\abIkSvut.ini2
NY -> askpayvs.ini -> %SystemRoot%\System32\askpayvs.ini
NY -> awtussqN.dll -> %SystemRoot%\System32\awtussqN.dll
NY -> ccfpemtg.ini -> %SystemRoot%\System32\ccfpemtg.ini
NY -> cMmSAcfe.ini -> %SystemRoot%\System32\cMmSAcfe.ini
NY -> cMmSAcfe.ini2 -> %SystemRoot%\System32\cMmSAcfe.ini2
NY -> DJTsDJlm.ini -> %SystemRoot%\System32\DJTsDJlm.ini
NY -> DJTsDJlm.ini2 -> %SystemRoot%\System32\DJTsDJlm.ini2
NY -> efcASmMc.dll -> %SystemRoot%\System32\efcASmMc.dll
NY -> guxltici.ini -> %SystemRoot%\System32\guxltici.ini
NY -> icitlxug.dll -> %SystemRoot%\System32\icitlxug.dll
NY -> 2 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp
NY -> ydngstnf.ini -> %SystemRoot%\System32\ydngstnf.ini
NY -> boqnrwdmstg.dll -> %SystemRoot%\boqnrwdmstg.dll
NY -> edwf.exe -> %SystemRoot%\edwf.exe
NY -> 7 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp
NY -> privacy_danger -> %SystemRoot%\privacy_danger
NY -> vregfwlx.dll -> %SystemRoot%\vregfwlx.dll
[Files Created - Additional Folder Scans - Non-Microsoft Only]
NY -> Privacy Protector.url -> %UserProfile%\Desktop\Privacy Protector.url
[Files/Folders - Modified Within 30 days]
NY -> 1 C:\*.tmp files -> C:\*.tmp
NY -> abIkSvut.ini -> %SystemRoot%\System32\abIkSvut.ini
NY -> abIkSvut.ini2 -> %SystemRoot%\System32\abIkSvut.ini2
NY -> askpayvs.ini -> %SystemRoot%\System32\askpayvs.ini
NY -> awtussqN.dll -> %SystemRoot%\System32\awtussqN.dll
NY -> 2 C:\WINNT\System32\*.tmp files -> C:\WINNT\System32\*.tmp
NY -> ccfpemtg.ini -> %SystemRoot%\System32\ccfpemtg.ini
NY -> cMmSAcfe.ini -> %SystemRoot%\System32\cMmSAcfe.ini
NY -> cMmSAcfe.ini2 -> %SystemRoot%\System32\cMmSAcfe.ini2
NY -> DJTsDJlm.ini -> %SystemRoot%\System32\DJTsDJlm.ini
NY -> DJTsDJlm.ini2 -> %SystemRoot%\System32\DJTsDJlm.ini2
NY -> efcASmMc.dll -> %SystemRoot%\System32\efcASmMc.dll
NY -> guxltici.ini -> %SystemRoot%\System32\guxltici.ini
NY -> icitlxug.dll -> %SystemRoot%\System32\icitlxug.dll
NY -> ydngstnf.ini -> %SystemRoot%\System32\ydngstnf.ini
NY -> 7 C:\WINNT\*.tmp files -> C:\WINNT\*.tmp
NY -> boqnrwdmstg.dll -> %SystemRoot%\boqnrwdmstg.dll
NY -> edwf.exe -> %SystemRoot%\edwf.exe
NY -> privacy_danger -> %SystemRoot%\privacy_danger
NY -> vregfwlx.dll -> %SystemRoot%\vregfwlx.dll
NY -> qmgr0.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
NY -> qmgr1.dat -> C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
NY -> Privacy Protector.url -> %UserProfile%\Desktop\Privacy Protector.url
[Extra Registry Entries]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\\ProductId|reg_sz:55274-645-2775716-23960 /e  -> 
HKEY_CURRENT_USER\Control Panel\International\\sTimeFormat|reg_sz:hh:mm:ss tt /e  -> 
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup either telling you that it is finished, or that a reboot is needed to complete the fix. If the fix is complete, click the Ok button and Notepad will open with a log of actions taken during the fix. Post that log back here in your next reply.
If a reboot is required, click the "Yes" button to reboot the machine. After the reboot, OTScanIt will finish moving any files that could not be moved during the fix and NotePad will open with the final results at that time. Post that log back here in your next reply.

Step #3

Now let's run an online virus scan. Both of these require Internet Explorer. Try F-Secure first. Sometimes it doesn't play nice with other system components so if it cannot complete then try the Kaspersky scan. You only need to complete one of the two.

Run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Click on Online Services and then Online Scanner
  • Accept the License Agreement.
  • Once the ActiveX installs,Click Full System Scan
  • Once the download completes,the scan will begin automatically.
  • The scan will take some time to finish,so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and Copy&Paste the entire report in your next reply.
If the F-Secure scan did not work then try an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now, under Select a target to scan, select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display whether your system has been infected.
  • Click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Step #4

Run a new OTScanIt scan with the following options

Note: You must be logged on to the system with an account that has Administrator privileges to run this program.
  • Close ALL OTHER PROGRAMS.
  • Open the OTScanIt folder and double-click on OTScanIt.exe to start the program.
  • Just use the default settings.
  • Do not change any other settings.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it and close Notepad (save changes if necessary).
  • Close OTScanIt and locate the OTScanIt.txt file in the folder where OTScanIt.exe is located.
  • Attach that file back here in your next reply.
Step #5

Copy/paste the following back here in your next reply:
  • The Avenger report (c:\Avenger.txt)
  • The latest OTScanIt fix log (look in the OTScanIt folder for the MovedFiles folder. In that folder will be a file with a name in the form of mmddyyyy_hhmmss.log for month, day, year, hours, minutes, and seconds that the scan was run. )
  • The online virus scan report (whichever one you ran)
Attach the following back here in your next reply:
  • The new OTScanIt scan log
I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Cheers.

OT
I do not respond to PM's requesting help. That's what the forums are here for. Please use them so that others may benefit from your questions and the responses you receive.
OldTimer

#5 chics

chics
  • Topic Starter

  • Members
  • 5 posts

Posted 06 June 2008 - 01:19 PM

OT, please see the attached logs. The only problem I seem to have now is that both Kaspersky and McAfee are reporting more viruses.


Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINNT\boqnrwdmstg.dll" deleted successfully.
File "C:\WINNT\edwf.exe" deleted successfully.
File "C:\WINNT\system32\abiksvut.ini" deleted successfully.
File "C:\WINNT\system32\abiksvut.ini2" deleted successfully.
File "C:\WINNT\system32\askpayvs.ini" deleted successfully.
File "C:\WINNT\system32\awtussqn.dll" deleted successfully.
File "C:\WINNT\system32\ccfpemtg.ini" deleted successfully.
File "C:\WINNT\system32\cmmsacfe.ini" deleted successfully.
File "C:\WINNT\system32\cmmsacfe.ini2" deleted successfully.
File "C:\WINNT\system32\djtsdjlm.ini" deleted successfully.
File "C:\WINNT\system32\djtsdjlm.ini2" deleted successfully.
File "C:\WINNT\system32\efcasmmc.dll" deleted successfully.
File "C:\WINNT\system32\guxltici.ini" deleted successfully.
File "C:\WINNT\system32\icitlxug.dll" deleted successfully.
File "C:\WINNT\system32\ydngstnf.ini" deleted successfully.
File "C:\WINNT\vregfwlx.dll" deleted successfully.
File "C:\Documents and Settings\Hill Family\desktop\privacy protector.url" deleted successfully.
File "c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr0.dat" deleted successfully.
File "c:\documents and settings\all users\application data\microsoft\network\downloader\qmgr1.dat" deleted successfully.
Folder "C:\WINNT\privacy_danger" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.



Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\~EmptyValue deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\0878631b deleted successfully.
File C:\WINNT\system32\icitlxug.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\RegistryMechanic deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\Power2GoExpress deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\PowerBar deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\vregfwlx deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E833183C-443C-4721-BC5D-7F4D1110C867}\ deleted successfully.
File C:\WINNT\vregfwlx.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{48F0B738-34A6-4113-B966-33C4EF85BCD9} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{48F0B738-34A6-4113-B966-33C4EF85BCD9}\ deleted successfully.
File C:\WINNT\system32\awtussqN.dll not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtussqN\ deleted successfully.
File C:\WINNT\system32\awtussqN.dll not found.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\CDRAutoRun deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoToolbarCustomize deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDrives deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\StartMenuLogoff deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoStartMenuMorePrograms deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoSetFolders deleted successfully.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ deleted successfully.
Registry value HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\\Start Page deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0DC7CE95-C171-45C7-9225-8B0C40C14A18}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DC7CE95-C171-45C7-9225-8B0C40C14A18}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{46537D1F-3FF3-4429-81B0-1FE9B6FED0ED}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{46537D1F-3FF3-4429-81B0-1FE9B6FED0ED}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{48F0B738-34A6-4113-B966-33C4EF85BCD9}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{48F0B738-34A6-4113-B966-33C4EF85BCD9}\ not found.
File C:\WINNT\system32\awtussqN.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D216B4A-FC4C-4057-B2B3-D95475B698D9}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{6D216B4A-FC4C-4057-B2B3-D95475B698D9}\ not found.
File C:\WINNT\system32\efcASmMc.dll not found.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B33B96B9-E0C2-4648-9819-A38DDCAFA33C}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B33B96B9-E0C2-4648-9819-A38DDCAFA33C}\ deleted successfully.
File C:\WINNT\boqnrwdmstg.dll not found.
Registry key HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{32683183-48a0-441b-a342-7c2a440a9478}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}\ not found.
Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}\ not found.
[Registry - Additional Scans - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\WINNT\system32\efcASmMc deleted successfully.
File C:\WINNT\system32\efcASmMc.dll not found.
Registry value HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions\\NoBrowserOptions deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\\DisableCMD deleted successfully.
[Files/Folders - Created Within 30 days]
File C:\WINNT\System32\abIkSvut.ini not found!
File C:\WINNT\System32\abIkSvut.ini2 not found!
File C:\WINNT\System32\askpayvs.ini not found!
File C:\WINNT\System32\awtussqN.dll not found!
File C:\WINNT\System32\ccfpemtg.ini not found!
File C:\WINNT\System32\cMmSAcfe.ini not found!
File C:\WINNT\System32\cMmSAcfe.ini2 not found!
File C:\WINNT\System32\DJTsDJlm.ini not found!
File C:\WINNT\System32\DJTsDJlm.ini2 not found!
File C:\WINNT\System32\efcASmMc.dll not found!
File C:\WINNT\System32\guxltici.ini not found!
File C:\WINNT\System32\icitlxug.dll not found!
File C:\WINNT\System32\ydngstnf.ini not found!
File C:\WINNT\boqnrwdmstg.dll not found!
File C:\WINNT\edwf.exe not found!
C:\WINNT\msdownld.tmp folder deleted successfully.
C:\WINNT\msiinst.tmp folder deleted successfully.
File C:\WINNT\privacy_danger not found!
File C:\WINNT\vregfwlx.dll not found!
[Files Created - Additional Folder Scans - Non-Microsoft Only]
File C:\Documents and Settings\Hill Family\Desktop\Privacy Protector.url not found!
[Files/Folders - Modified Within 30 days]
File C:\WINNT\System32\abIkSvut.ini not found!
File C:\WINNT\System32\abIkSvut.ini2 not found!
File C:\WINNT\System32\askpayvs.ini not found!
File C:\WINNT\System32\awtussqN.dll not found!
File C:\WINNT\System32\ccfpemtg.ini not found!
File C:\WINNT\System32\cMmSAcfe.ini not found!
File C:\WINNT\System32\cMmSAcfe.ini2 not found!
File C:\WINNT\System32\DJTsDJlm.ini not found!
File C:\WINNT\System32\DJTsDJlm.ini2 not found!
File C:\WINNT\System32\efcASmMc.dll not found!
File C:\WINNT\System32\guxltici.ini not found!
File C:\WINNT\System32\icitlxug.dll not found!
File C:\WINNT\System32\ydngstnf.ini not found!
File C:\WINNT\boqnrwdmstg.dll not found!
File C:\WINNT\edwf.exe not found!
File C:\WINNT\privacy_danger not found!
File C:\WINNT\vregfwlx.dll not found!
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat scheduled to be moved on reboot.
[Files Modified - Additional Folder Scans - Non-Microsoft Only]
File C:\Documents and Settings\Hill Family\Desktop\Privacy Protector.url not found!
[Extra Registry Entries]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\\ProductId|reg_sz:55274-645-2775716-23960 /e : value set successfully!
HKEY_CURRENT_USER\Control Panel\International\\sTimeFormat|reg_sz:hh:mm:ss tt /e : value set successfully!
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\WINNT\temp\ZLT058ff.TMP scheduled to be deleted on reboot.
Windows Temp folder emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.15.11 fix logfile created on 06062008_173733

Files moved on Reboot...
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat scheduled to be moved on reboot.
File move failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be moved on reboot.
File C:\WINNT\temp\ZLT058ff.TMP not found!



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, June 06, 2008 7:10:10 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/06/2008
Kaspersky Anti-Virus database records: 834559
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 42284
Number of viruses found: 8
Number of infected objects: 28
Number of suspicious objects: 0
Duration of the scan process: 00:45:11

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080606_Time-173909500_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\BOPDATA\_Date-20080606_Time-173909500_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\Agent_HILL-5817C1253E.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\Common Framework\Db\PrdMgr_HILL-5817C1253E.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\Hill Family\Application Data\Microsoft\Internet Explorer\UserData\index.dat Object is locked skipped
C:\Documents and Settings\Hill Family\Application Data\Teleca\Telecalib\Logging\Application logs\SpecificUSB_log.txt Object is locked skipped
C:\Documents and Settings\Hill Family\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Hill Family\Desktop\wanadoo2setup.exe/WISE0004.BIN/data0000.cab/wanadoo2.dll Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped
C:\Documents and Settings\Hill Family\Desktop\wanadoo2setup.exe/WISE0004.BIN/data0000.cab Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped
C:\Documents and Settings\Hill Family\Desktop\wanadoo2setup.exe/WISE0004.BIN Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped
C:\Documents and Settings\Hill Family\Desktop\wanadoo2setup.exe WiseSFX: infected - 3 skipped
C:\Documents and Settings\Hill Family\Desktop\wanadoo2setup.exe WiseSFXDropper: infected - 3 skipped
C:\Documents and Settings\Hill Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Hill Family\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Hill Family\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Hill Family\Local Settings\History\History.IE5\MSHist012008060620080607\index.dat Object is locked skipped
C:\Documents and Settings\Hill Family\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Hill Family\ntuser.dat Object is locked skipped
C:\Documents and Settings\Hill Family\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Orange\1\orange1setup.exe/data0000.cab/orange1.dll Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped
C:\Program Files\Orange\1\orange1setup.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped
C:\Program Files\Orange\1\orange1setup.exe Rsrc-Package: infected - 2 skipped
C:\Program Files\Orange\OBar\orange3setup.exe/data0000.cab/orange3.dll Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped
C:\Program Files\Orange\OBar\orange3setup.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped
C:\Program Files\Orange\OBar\orange3setup.exe Rsrc-Package: infected - 2 skipped
C:\Program Files\Orange\setup\Orange_icons.EXE/WISE0005.BIN/data0000.cab/orange3.dll Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped
C:\Program Files\Orange\setup\Orange_icons.EXE/WISE0005.BIN/data0000.cab Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped
C:\Program Files\Orange\setup\Orange_icons.EXE/WISE0005.BIN Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped
C:\Program Files\Orange\setup\Orange_icons.EXE WiseSFX: infected - 3 skipped
C:\Program Files\orange1\orange1.dll Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped
C:\Program Files\orange3\orange3.dll Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped
C:\Program Files\Wanadoo\2\wanadoo2setup.exe/data0000.cab/wanadoo2.dll Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped
C:\Program Files\Wanadoo\2\wanadoo2setup.exe/data0000.cab Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped
C:\Program Files\Wanadoo\2\wanadoo2setup.exe Rsrc-Package: infected - 2 skipped
C:\Program Files\wanadoo2\wanadoo2.dll Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{25EF164E-4B6D-40EA-99FD-7F75593CB348}\RP110\A0021891.exe Infected: not-a-virus:FraudTool.Win32.WinSpywareProtect.e skipped
C:\System Volume Information\_restore{25EF164E-4B6D-40EA-99FD-7F75593CB348}\RP111\A0022106.dll Infected: Worm.Win32.AutoRun.dwi skipped
C:\System Volume Information\_restore{25EF164E-4B6D-40EA-99FD-7F75593CB348}\RP111\A0022107.dll Infected: Trojan.Win32.Vapsup.fqr skipped
C:\System Volume Information\_restore{25EF164E-4B6D-40EA-99FD-7F75593CB348}\RP113\A0028211.dll Infected: Trojan.Win32.Vapsup.fqu skipped
C:\System Volume Information\_restore{25EF164E-4B6D-40EA-99FD-7F75593CB348}\RP113\A0028215.exe Infected: Trojan.Win32.Vapsup.fqs skipped
C:\System Volume Information\_restore{25EF164E-4B6D-40EA-99FD-7F75593CB348}\RP113\A0028216.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.xue skipped
C:\System Volume Information\_restore{25EF164E-4B6D-40EA-99FD-7F75593CB348}\RP113\A0028220.dll Infected: Trojan.Win32.Vapsup.fqt skipped
C:\System Volume Information\_restore{25EF164E-4B6D-40EA-99FD-7F75593CB348}\RP113\change.log Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINNT\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINNT\Internet Logs\HILL-5817C1253E.ldb Object is locked skipped
C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped
C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\system.LOG Object is locked skipped
C:\WINNT\system32\h323log.txt Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINNT\Temp\ZLT05f5f.TMP Object is locked skipped
C:\WINNT\wiadebug.log Object is locked skipped
C:\WINNT\wiaservc.log Object is locked skipped

Scan process completed.


Regards

Paul


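The OTScanIt fix log above is worth reading for what it removed, not just for whether it ran: the Run key, ShellServiceObjectDelayLoad, ShellExecuteHooks, Winlogon\Notify, Browser Helper Object and LSA Authentication Packages entries are all autostart locations the malware had hooked, and the many "not found" lines are files Avenger had already deleted in the previous step, not failures. The Python script below is an added example, not part of this thread or of OTScanIt. It parses a constructed excerpt of the fix-log lines quoted above and groups what was deleted by persistence mechanism, keeping "not found" and "scheduled on reboot" items separate. The line format, the regular expression and the category table are this example's own assumptions about how OTScanIt writes its log.

```python
"""Group the persistence points removed by an OTScanIt-style fix log by mechanism."""
import re
from collections import Counter

# Excerpt of lines from the OTScanIt fix log posted in this thread (a constructed
# subset for this example; the paths are quoted from the log, not invented).
FIX_LOG = r"""
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\0878631b deleted successfully.
File C:\WINNT\system32\icitlxug.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\\vregfwlx deleted successfully.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{48F0B738-34A6-4113-B966-33C4EF85BCD9} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtussqN\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0DC7CE95-C171-45C7-9225-8B0C40C14A18}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0DC7CE95-C171-45C7-9225-8B0C40C14A18}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6D216B4A-FC4C-4057-B2B3-D95475B698D9}\ not found.
Registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\\Authentication Packages:C:\WINNT\system32\efcASmMc deleted successfully.
Registry value HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System\\DisableCMD deleted successfully.
File move failed. C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat scheduled to be moved on reboot.
"""

# One fix-log line: "<kind> [move failed.] <path> <outcome>." (format assumed from the log).
LINE_RE = re.compile(
    r"^(?P<kind>Registry key|Registry value|File|Folder)(?: (?:move|delete) failed\.)? "
    r"(?P<path>.+?) "
    r"(?P<outcome>deleted successfully|not found|scheduled to be (?:moved|deleted) on reboot)[.!]?$"
)

# Substrings (lower-cased, single backslashes) that identify autostart/persistence
# locations. Order matters: the first match wins.
ASEP_CATEGORIES = (
    ("\\currentversion\\run\\", "Run key"),
    ("\\shellserviceobjectdelayload\\", "ShellServiceObjectDelayLoad"),
    ("\\explorer\\shellexecutehooks\\", "ShellExecuteHook"),
    ("\\winlogon\\notify\\", "Winlogon Notify package"),
    ("\\browser helper objects\\", "Browser Helper Object"),
    ("\\lsa\\authentication packages", "LSA Authentication Package"),
    ("\\policies\\", "Restrictive policy"),
    ("\\classes\\clsid\\", "COM class registration"),
)


def normalize(path):
    """Lower-case and collapse the key\\value double backslash OTScanIt writes."""
    return re.sub(r"\\+", r"\\", path.lower())


def classify(path):
    """Map a registry path to a persistence category, or 'Other registry'."""
    norm = normalize(path)
    for needle, category in ASEP_CATEGORIES:
        if needle in norm:
            return category
    return "Other registry"


def parse_fix_log(text):
    """Return one dict per recognised action line (kind, path, outcome)."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def summarize(text):
    """Count deleted registry entries per category; keep 'not found' and deferred items apart.

    In a multi-tool fix, 'not found' usually means an earlier step (here, Avenger)
    already removed the item, so it is evidence of overlap, not of failure.
    """
    deleted = Counter()
    already_gone, pending_reboot = [], []
    for entry in parse_fix_log(text):
        if entry["outcome"] == "not found":
            already_gone.append(entry["path"])
        elif entry["outcome"].startswith("scheduled"):
            pending_reboot.append(entry["path"])
        elif entry["kind"].startswith("Registry"):
            deleted[classify(entry["path"])] += 1
    return {"deleted": deleted, "already_gone": already_gone, "pending_reboot": pending_reboot}


if __name__ == "__main__":
    result = summarize(FIX_LOG)
    for category, count in sorted(result["deleted"].items()):
        print(f"{count:2d}  {category}")
    print(f"already gone: {len(result['already_gone'])}, pending reboot: {len(result['pending_reboot'])}")
```

Run against the full log rather than the excerpt and the categories with a count of zero are the places still worth checking by hand; anything that lands in "Other registry" is a location the table does not know about and deserves a look for the same reason.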
#6 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 06 June 2008 - 01:32 PM

Hi chics. Everything looks fine. Kaspersky isn't finding anything except for what's still in the system restore. We'll take care of those when we do a final cleanup. The same would hold true for McAfee.

Go ahead and run the system normally for a couple of days and then get back with me and let me know if there are any continuing issues. If everything is Ok at that time, then we have some final cleanup to do and you'll be good to go.

Cheers.

OT

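OldTimer's reading of the Kaspersky report (nothing live, only copies in System Restore) can be checked mechanically. Every line of that report ends in "skipped", so the status has to be classified from the rest of the line: "Object is locked" means the scanner could not open the file and is not a detection, nested-archive members are written with "/" separators inside the installer that holds them, and "WiseSFX: infected - 3" is a roll-up of those inner hits rather than a new one. The Python script below is an added example, not part of this thread or of Kaspersky's tooling. It runs over a constructed excerpt of the report lines quoted above, sends everything under System Volume Information\_restore to a restore-point bucket, treats "not-a-virus:" names as riskware to be judged by context, and leaves anything else as a live detection. The bucket names and the regular expression are this example's own assumptions about the report format.

```python
"""Triage a Kaspersky Online Scanner report: separate real detections from noise."""
import re
from collections import defaultdict

# Excerpt of lines from the Kaspersky report posted above (a constructed subset for
# this example; the paths and detection names are quoted from that report).
REPORT = r"""
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\Hill Family\Desktop\wanadoo2setup.exe/WISE0004.BIN/data0000.cab/wanadoo2.dll Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped
C:\Documents and Settings\Hill Family\Desktop\wanadoo2setup.exe/WISE0004.BIN/data0000.cab Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped
C:\Documents and Settings\Hill Family\Desktop\wanadoo2setup.exe/WISE0004.BIN Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped
C:\Documents and Settings\Hill Family\Desktop\wanadoo2setup.exe WiseSFX: infected - 3 skipped
C:\Documents and Settings\Hill Family\Desktop\wanadoo2setup.exe WiseSFXDropper: infected - 3 skipped
C:\Program Files\orange1\orange1.dll Infected: not-a-virus:AdWare.Win32.BHO.ahy skipped
C:\System Volume Information\_restore{25EF164E-4B6D-40EA-99FD-7F75593CB348}\RP110\A0021891.exe Infected: not-a-virus:FraudTool.Win32.WinSpywareProtect.e skipped
C:\System Volume Information\_restore{25EF164E-4B6D-40EA-99FD-7F75593CB348}\RP111\A0022106.dll Infected: Worm.Win32.AutoRun.dwi skipped
C:\System Volume Information\_restore{25EF164E-4B6D-40EA-99FD-7F75593CB348}\RP111\A0022107.dll Infected: Trojan.Win32.Vapsup.fqr skipped
C:\System Volume Information\_restore{25EF164E-4B6D-40EA-99FD-7F75593CB348}\RP113\A0028211.dll Infected: Trojan.Win32.Vapsup.fqu skipped
C:\System Volume Information\_restore{25EF164E-4B6D-40EA-99FD-7F75593CB348}\RP113\A0028215.exe Infected: Trojan.Win32.Vapsup.fqs skipped
C:\System Volume Information\_restore{25EF164E-4B6D-40EA-99FD-7F75593CB348}\RP113\A0028216.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.xue skipped
C:\System Volume Information\_restore{25EF164E-4B6D-40EA-99FD-7F75593CB348}\RP113\A0028220.dll Infected: Trojan.Win32.Vapsup.fqt skipped
C:\WINNT\system32\config\SAM Object is locked skipped
"""

# One report line: "<path> <status> skipped" with three status shapes (format assumed
# from the report). Nested archive members use "/" inside the path.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?) (?:Object is locked"
    r"|Infected: (?P<name>\S+)"
    r"|(?P<packer>\S+): infected - (?P<count>\d+)) skipped$"
)


def parse_report(text):
    """Return one dict per recognised result line (path, name, packer, count)."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def classify(entry):
    """Bucket one report line by what action, if any, it calls for."""
    if entry["packer"]:
        return "container_rollup"  # the installer repeats its members' hits; nothing new
    if entry["name"] is None:
        return "locked"  # hive, log or BITS queue the scanner could not read; not a detection
    if "\\system volume information\\_restore" in entry["path"].lower():
        return "restore_point"  # cleared by resetting System Restore, not by deleting files
    if entry["name"].startswith("not-a-virus:"):
        return "riskware"  # adware/fraudtool class; decide by context (here: ISP toolbars)
    return "live"  # an active malware file still on disk


def triage(text):
    """Group on-disk files by bucket and collect the distinct signature names."""
    buckets = defaultdict(set)
    signatures = set()
    for entry in parse_report(text):
        on_disk = entry["path"].split("/", 1)[0]  # collapse archive members onto their container
        buckets[classify(entry)].add(on_disk)
        if entry["name"]:
            signatures.add(entry["name"])
    return {"buckets": {k: sorted(v) for k, v in buckets.items()},
            "signatures": sorted(signatures)}


def live_detections(text):
    """The only bucket that would mean the machine is still infected."""
    return triage(text)["buckets"].get("live", [])


if __name__ == "__main__":
    result = triage(REPORT)
    for bucket, paths in sorted(result["buckets"].items()):
        print(f"{len(paths):2d}  {bucket}")
    print(f"{len(result['signatures'])} distinct signatures; live: {live_detections(REPORT)}")
```

On the excerpt the distinct signature count comes out at eight, the same figure the report gives as "Number of viruses found", and the live bucket is empty, which is the conclusion OldTimer drew by eye. A non-empty live bucket is the case that should send you back to the removal steps rather than on to the System Restore reset.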
#7 chics

chics
  • Topic Starter

  • Members
  • 5 posts

Posted 06 June 2008 - 02:15 PM

OT,

Thanks for the help and advice. I will run the machine over the weekend and post again on Monday.

Thanks again,

Regards

Paul

#8 chics

chics
  • Topic Starter

  • Members
  • 5 posts

Posted 10 June 2008 - 11:45 AM

OT,

The machine has been running all weekend on the net with the browser open without any other problems that I can see, but it is a friend's PC, so I won't honestly know until he takes it home next week. I think we can go ahead and clean it up ready for him now.

Thanks for all your help; it’s been an enlightening process for me.

Regards

Paul

#9 OldTimer

OldTimer

    Malware Expert


  • Members
  • 11,092 posts
  • Gender:Male
  • Location:North Carolina

Posted 10 June 2008 - 12:31 PM

Glad to hear it chics. Then let's do some final cleanup to reset the System Restore points and remove all of the tools we used during the fix and then you are all set.

Step #1

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)
  1. Turn off System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • Check Turn off System Restore.
    • Click Apply, and then click OK.
  2. Restart your computer.
  3. Turn ON System Restore.
    • On the Desktop, right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • UN-check Turn off System Restore.
    • Click Apply, and then click OK.
System Restore will now be active again.

Step #2

To remove all of the tools we used and the files and folders they created do the following:
  • Start OTScanIt.
  • Click the CleanUp button.
  • OTScanIt will download a small file from the Internet. If a security program or firewall warns you of this allow it to download.
  • OTScanIt will delete any tools downloaded and files/folders created and then ask you to reboot so it can remove itself. Click Yes.
After that you are good to go.

Cheers and Happy Computing!

OT
