
Infected With Coolwwwsearch.aff.ledll /.bootconf And .svcint


  • This topic is locked
2 replies to this topic

#1 schleprocker

schleprocker

  • Members
  • 1 posts
  • OFFLINE
  • Local time:08:51 AM

Posted 27 June 2008 - 11:59 PM

Got this infection using a peer-to-peer program to download a document. lol, I was so happy to find it I didn't even look at the file size and clicked to download it. Immediately it executed a program that opened a DOS window on the desktop and wrote a quick program, then closed just as fast as it opened. The wallpaper on the desktop turned white and warning messages about malware appeared telling you to click here and do a series of things. Then the desktop began disappearing, then loading back at regular intervals, so you don't have time to access files or investigate the problem before it cycles again. Anyway, ran Spybot, Ad-Aware, Windows Defender, AVG virus; cleaned all but 3 according to Spybot: coolwwwsearch.aff.ledll, coolwwwsearch.bootconf and coolwwwsearch.svcint. Malware won't allow you to access Windows Task Manager either (had to log in as administrator in Windows safe mode to run Spybot). I have two hard drives installed on this computer, each with its own Windows XP OS. I use a program called gac that allows you to choose which one to use at boot up. I was able to run scans on the infected drive from the good drive. I've scoured the internet looking for a silver bullet but there isn't one, soooo... here I am :thumbsup:
I place my computer in your hands *sigh* lol. Hope you can help me. Here are the scans I ran; I don't know if they are any good because I had no desktop, you had to access everything through Windows Task Manager (I discovered if you Ctrl-Alt-Delete as soon as Windows comes on and stop Process Guard, the desktop would stop the cycling, but I noticed in the processes in Task Manager nothing was moving except the files I accessed and none were utilizing any CPU). Anyways, this is what I got.....

Deckard's System Scanner v20071014.68
Run by Mike on 2008-06-27 20:45:40
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
12: 2008-06-28 03:45:49 UTC - RP1538 - Deckard's System Scanner Restore Point
11: 2008-06-27 05:04:31 UTC - RP1537 - Restore Operation
10: 2008-06-26 22:55:33 UTC - RP1536 - Last known good configuration
9: 2008-06-26 20:34:22 UTC - RP1535 - Software Distribution Service 3.0
8: 2008-06-26 02:04:06 UTC - RP1534 - System Checkpoint


-- First Restore Point --
1: 2008-06-16 22:39:35 UTC - RP1527 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Mike.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:54:53 PM, on 6/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Documents and Settings\Mike\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Mike\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Mike.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {64B74A5E-6EFF-43BE-BB8C-9CBC72B60CB8} - C:\WINDOWS\system32\byXQGyya.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {bc97b254-b2b9-4d40-971d-78e0978f5f26} - (no file)
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O2 - BHO: (no name) - {e3eebbe8-9cab-4c76-b26a-747e25ebb4c6} - (no file)
O2 - BHO: (no name) - {E4D70BE3-401C-4466-979D-4D37E7404976} - C:\WINDOWS\system32\efcBurOg.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [Host Process] C:\Documents and Settings\Mike\svchost.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [cdloader] "C:\Documents and Settings\Mike\Application Data\mjusbsp\cdloader2.exe" MAGICJACK
O4 - Startup: MP3 Rocket (silent).lnk = C:\RECYCLER\S-1-5-21-507921405-299502267-725345543-1004\Df32.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: symsupportutil - https://www-secure.symantec.com/techsupp/ac...supportutil.CAB
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {B69F2A9C-E470-11D3-AFA3-525400DB7692} -
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup144.cab
O20 - Winlogon Notify: byXQGyya - C:\WINDOWS\SYSTEM32\byXQGyya.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE

--
End of file - 7332 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 MCSTRM - c:\windows\system32\drivers\mcstrm.sys <Not Verified; RealNetworks, Inc.; RealNetworks Virtual Path Manager® (32-bit)>

S0 ElbyVCD - c:\windows\system32\drivers\elbyvcd.sys (file missing)
S1 DAC2W2KK - c:\windows\system32\drivers\dac2w2kk.sys (file missing)
S3 bvrp_pci - c:\windows\system32\drivers\bvrp_pci.sys
S3 NMSCFG (NIC Management Service Configuration Driver) - c:\windows\system32\drivers\nmscfg.sys (file missing)
S3 PacketNTx (Packet helper driver) - c:\windows\system32\drivers\packetntx.sys <Not Verified; Sumix Co.; Sumix Packet Helper Driver>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 UTSCSI (CLCV0) - c:\windows\system32\utscsi.exe <Not Verified; ; UTSCSI Application>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-06-25 20:57:00 388 --a------ C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1186026951.job
2008-06-14 11:17:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-06-06 17:15:00 388 --a------ C:\WINDOWS\Tasks\1-Click Maintenance.job


-- Files created between 2008-05-27 and 2008-06-27 -----------------------------

2008-06-27 20:54:42 0 d-------- C:\Program Files\Trend Micro
2008-06-26 22:28:55 0 --ah----- C:\Documents and Settings\Administrator\hpothb07.dat
2008-06-26 22:28:43 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-06-26 22:28:43 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-06-26 22:28:43 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-06-26 22:28:43 0 dr-h----- C:\Documents and Settings\Administrator\Recent
2008-06-26 22:28:43 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-06-26 22:28:43 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-06-26 22:28:43 0 dr------- C:\Documents and Settings\Administrator\My Documents
2008-06-26 22:28:43 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-06-26 22:28:43 0 dr------- C:\Documents and Settings\Administrator\Favorites
2008-06-26 22:28:43 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-06-26 22:28:43 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-06-26 22:28:43 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-06-26 22:28:43 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-06-26 22:28:43 0 d-------- C:\Documents and Settings\Administrator\Application Data\Identities
2008-06-26 22:28:42 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-06-26 22:07:08 0 d--hs---- C:\Documents and Settings\Stacy\!
2008-06-26 17:32:37 0 d--h----- C:\$AVG8.VAULT$
2008-06-26 16:00:39 15872 --a------ C:\WINDOWS\y.exe
2008-06-26 16:00:39 9216 --a------ C:\WINDOWS\xplugin.dll
2008-06-26 16:00:39 21504 --a------ C:\WINDOWS\x.exe
2008-06-26 16:00:39 26624 --a------ C:\WINDOWS\winmgnt.exe
2008-06-26 16:00:38 27648 --a------ C:\WINDOWS\window.exe
2008-06-26 16:00:38 19200 --a------ C:\WINDOWS\winajbm.dll
2008-06-26 16:00:38 14080 --a------ C:\WINDOWS\win64.exe
2008-06-26 16:00:38 17152 --a------ C:\WINDOWS\win32e.exe
2008-06-26 16:00:37 8448 --a------ C:\WINDOWS\waol.exe
2008-06-26 16:00:37 25600 --a------ C:\WINDOWS\users32.exe
2008-06-26 16:00:37 18944 --a------ C:\WINDOWS\time.exe
2008-06-26 16:00:37 22016 --a------ C:\WINDOWS\systemcritical.exe
2008-06-26 16:00:37 24832 --a------ C:\WINDOWS\systeem.exe
2008-06-26 16:00:36 21504 --a------ C:\WINDOWS\svcinit.exe
2008-06-26 16:00:36 13056 --a------ C:\WINDOWS\svchost32.exe
2008-06-26 16:00:36 30464 --a------ C:\WINDOWS\searchword.dll
2008-06-26 16:00:35 19712 --a------ C:\WINDOWS\rundll16.exe
2008-06-26 16:00:35 21504 --a------ C:\WINDOWS\quicken.exe
2008-06-26 16:00:35 25088 --a------ C:\WINDOWS\qttasks.exe
2008-06-26 16:00:34 24320 --a------ C:\WINDOWS\olehelp.exe
2008-06-26 16:00:34 17152 --a------ C:\WINDOWS\mswsc20.dll
2008-06-26 16:00:34 26112 --a------ C:\WINDOWS\mswsc10.dll
2008-06-26 16:00:33 12288 --a------ C:\WINDOWS\msspi.dll
2008-06-26 16:00:33 30464 --a------ C:\WINDOWS\msconfd.dll
2008-06-26 16:00:32 8960 --a------ C:\WINDOWS\internet.exe
2008-06-26 16:00:32 23808 --a------ C:\WINDOWS\inetinf.exe
2008-06-26 16:00:32 25856 --a------ C:\WINDOWS\helpcvs.exe
2008-06-26 16:00:32 15872 --a------ C:\WINDOWS\gfmnaaa.dll
2008-06-26 16:00:32 19200 --a------ C:\WINDOWS\funny.exe
2008-06-26 16:00:31 9728 --a------ C:\WINDOWS\funniest.exe
2008-06-26 16:00:31 8448 --a------ C:\WINDOWS\explorer32.exe
2008-06-26 16:00:31 30720 --a------ C:\WINDOWS\editpad.exe
2008-06-26 16:00:30 22016 --a------ C:\WINDOWS\dnsrelay.dll
2008-06-26 16:00:30 25344 --a------ C:\WINDOWS\directx32.exe
2008-06-26 16:00:30 11520 --a------ C:\WINDOWS\ctfmon32.exe
2008-06-26 16:00:30 18176 --a------ C:\WINDOWS\cpan.dll
2008-06-26 16:00:30 26624 --a------ C:\WINDOWS\clrssn.exe
2008-06-26 16:00:29 25856 --a------ C:\WINDOWS\accesss.exe
2008-06-26 15:55:17 649016 --ahs---- C:\WINDOWS\system32\gOruBcfe.ini2
2008-06-26 15:55:13 285696 --a------ C:\WINDOWS\system32\efcBurOg.dll
2008-06-26 15:54:14 34304 --a------ C:\WINDOWS\system32\nnnKayxY.dll
2008-06-26 15:51:20 34304 --a------ C:\WINDOWS\system32\khfCusPh.dll
2008-06-26 15:50:32 0 --a------ C:\WINDOWS\system32\taskkill.exe
2008-06-26 15:50:31 847 --a------ C:\WINDOWS\system32\winpfz33.sys
2008-06-26 15:50:29 0 d--hs---- C:\Documents and Settings\Mike\!
2008-06-26 15:50:23 2270208 ---hs---- C:\Documents and Settings\Stacy\svchost.exe
2008-06-26 15:50:23 2270208 ---hs---- C:\Documents and Settings\Mike\svchost.exe
2008-06-26 15:50:18 0 d--hs---- C:\WINDOWS\TWlrZQ
2008-06-26 15:50:12 4 --a------ C:\WINDOWS\system32\hljwugsf.bin
2008-06-26 15:50:10 0 d-------- C:\WINDOWS\system32\xsir
2008-06-26 15:50:10 0 d-------- C:\WINDOWS\system32\vec3
2008-06-26 15:50:10 0 d-------- C:\WINDOWS\system32\mp
2008-06-26 15:50:10 0 d-------- C:\WINDOWS\system32\f10
2008-06-26 15:50:10 34304 --a------ C:\WINDOWS\system32\byXQGyya.dll
2008-06-26 15:50:10 0 d-------- C:\WINDOWS\system32\bam
2008-06-26 15:50:08 0 d-------- C:\WINDOWS\system32\modtrux05
2008-06-22 16:05:44 0 d-------- C:\Documents and Settings\Tessa\Contacts
2008-06-01 14:55:41 0 d-------- C:\Program Files\Microsoft Picture It! 2002
2008-06-01 14:55:35 0 d-------- C:\Program Files\directx


-- Find3M Report ---------------------------------------------------------------

2008-06-26 22:02:42 0 d-------- C:\Documents and Settings\Mike\Application Data\mjusbsp
2008-06-26 19:00:50 0 d-------- C:\Program Files\MSN Messenger
2008-06-26 15:50:07 0 d-------- C:\Program Files\MP3 Rocket
2008-06-03 17:16:01 10646 --ahs--c- C:\WINDOWS\system32\KGyGaAvL.sys
2008-05-30 22:07:21 0 d-------- C:\Documents and Settings\Mike\Application Data\MP3Rocket
2008-05-26 14:59:04 0 d-------- C:\Program Files\HP
2008-04-07 16:16:17 45056 --a------ C:\WINDOWS\system32\UTSCSI.EXE <Not Verified; ; UTSCSI Application>


-- Registry Dump ---------------------------------------------------------------

Unable to run batchfile; The process cannot access the file because it is being used by another process.
ComSpec: C:\WINDOWS\system32\cmd.exe


-- Hosts -----------------------------------------------------------------------

127.0.0.1 desktop.kazaa.com
127.0.0.1 www.altnetp2p.com
127.0.0.1 alpha.kazaa.com
127.0.0.1 shop.kazaa.com
127.0.0.1 www.bonzi.com
127.0.0.1 www.brilliantdigital.com
127.0.0.1 www.b3d.com
127.0.0.1 media.altnet.com
127.0.0.1 www.altnet.com
127.0.0.1 dev.bde.com.au

8 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-27 20:55:48 ------------

KASPERSKY ONLINE SCANNER 7 REPORT
Friday, June 27, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, June 28, 2008 00:32:59
Records in database: 892846
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
F:\
K:\
Scan statistics
Files scanned 194497
Threat name 29
Infected objects 56
Suspicious objects 4
Duration of the scan 02:48:58

File name Threat name Threats count
C:\Documents and Settings\Mike\Local Settings\Application Data\Identities\{B81840D4-1844-4D89-A307-5402BFC1B327}\Microsoft\Outlook Express\Inbox.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\IC383Z64\17PHolmes[1].cmt Infected: Trojan-Downloader.Win32.Homles.br 1
C:\Documents and Settings\Mike\Local Settings\Temporary Internet Files\Content.IE5\OFJOWIKU\17PHolmes[1].cmt Infected: Trojan-Downloader.Win32.Homles.br 1
C:\Documents and Settings\Mike\Shared\03 Track 3.wma Infected: Trojan-Downloader.WMA.Wimad.l 1
C:\Documents and Settings\Mike\Shared\p90x part5 & 12 legs and back.zip Infected: not-a-virus:AdWare.Win32.Sahat.cd 1
C:\Documents and Settings\Stacy\Application Data\Sun\Java\Deployment\cache\6.0\49\49820371-149d7d4a Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Stacy\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-192da0ca.zip Infected: Exploit.Java.Gimsh.b 1
C:\Documents and Settings\Stacy\Local Settings\Application Data\Identities\{B81840D4-1844-4D89-A307-5402BFC1B327}\Microsoft\Outlook Express\Deleted Items.bak Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\Stacy\Local Settings\Application Data\Identities\{B81840D4-1844-4D89-A307-5402BFC1B327}\Microsoft\Outlook Express\Deleted Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\RECYCLER\S-1-5-21-2165517387-3757435101-538525854-1006\Dc17.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\RECYCLER\S-1-5-21-2165517387-3757435101-538525854-1006\Dc27.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1537\A0330846.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1537\A0330847.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1537\A0330852.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au 1
C:\System Volume Information\_restore{21D7D692-4662-421F-93B0-877BC3820711}\RP1537\A0330853.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144074.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144075.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144076.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144077.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144078.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144080.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144081.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144082.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144083.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144084.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144085.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144086.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144087.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144088.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144089.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144090.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144091.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144092.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144093.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144094.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144095.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144096.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144097.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144098.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144099.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144100.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144101.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144102.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144103.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144134.exe Infected: Trojan-Downloader.Win32.Homles.br 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144135.exe Infected: Trojan-Downloader.Win32.Homles.br 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144136.exe Infected: Trojan.Win32.Agent.lom 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144137.sys Infected: Rootkit.Win32.Agent.aol 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144138.exe Infected: not-virus:Hoax.Win32.Renos.daw 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144139.exe Infected: not-virus:Hoax.Win32.Renos.daw 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144140.exe Infected: Trojan-Downloader.Win32.VB.fen 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144141.exe Infected: Trojan-Downloader.Win32.Small.xpq 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144142.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bn 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144143.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bo 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144144.exe Infected: Trojan-Downloader.Win32.Small.buy 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144145.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.bn 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144146.dll Infected: not-a-virus:AdWare.Win32.CommAd.a 1
C:\System Volume Information\_restore{8B4052BB-FA65-4151-840B-EF4BDA497E0C}\RP736\A0144147.exe Infected: not-a-virus:AdWare.Win32.CommAd.a 1
C:\WINDOWS\mrofinu1188.exe.tmp Infected: Trojan-Downloader.Win32.Homles.br 1
The scan was stopped by the user.

I stopped the scan because it had scanned the infected drive and was starting the good drive, plus it had been like close to 3 hours. Thank you in advance for helping me.
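Added example (not part of the original post, and not BleepingComputer's, HijackThis's or Deckard's own code): a small Python triage script that applies the checks a log reader would apply to the HijackThis lines above. The lines embedded in SAMPLE_LOG are copied from the log in this post; the heuristics are the editor's own assumptions and only flag items for review, they are not a verdict. They cover a second entry in the UserInit value, a system-binary name such as svchost.exe launched from outside the Windows system directory, an autorun pointing into RECYCLER, and the same DLL registered both as an unnamed BHO and as a Winlogon Notify handler, which is why the O2 and O20 lines are cross-referenced rather than judged one at a time.

```python
import re

# Sample input constructed for this example: HijackThis lines copied from the
# log posted above (the F2 UserInit line plus O2, O4 and O20 entries).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\iftuyszv.exe,
O2 - BHO: (no name) - {64B74A5E-6EFF-43BE-BB8C-9CBC72B60CB8} - C:\WINDOWS\system32\byXQGyya.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [Host Process] C:\Documents and Settings\Mike\svchost.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - Startup: MP3 Rocket (silent).lnk = C:\RECYCLER\S-1-5-21-507921405-299502267-725345543-1004\Df32.exe
O20 - Winlogon Notify: byXQGyya - C:\WINDOWS\SYSTEM32\byXQGyya.dll
"""

# Assumption: the only legitimate homes for these binary names on XP are the
# Windows system directories. A copy elsewhere is worth a second look.
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\system")
SYSTEM_BINARIES = {"svchost.exe", "winlogon.exe", "lsass.exe",
                   "services.exe", "csrss.exe", "smss.exe"}

# Drive-letter paths ending in an executable extension; commas and quotes
# terminate a path so the comma-separated UserInit value splits correctly.
PATH_RE = re.compile(r'([a-zA-Z]:\\[^",\r\n]*?\.(?:exe|dll|sys|scr|cmd|bat))',
                     re.IGNORECASE)


def extract_paths(line):
    """Return every file path found in one HijackThis line."""
    return [m.group(1) for m in PATH_RE.finditer(line)]


def triage(log_text):
    """Return (reason, path, line) tuples for entries that deserve review."""
    findings = []
    unnamed_bho_dlls = {}   # lowercased DLL path -> O2 line
    notify_dlls = {}        # lowercased DLL path -> O20 line

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tag = line.split(" - ", 1)[0]          # "F2", "O2", "O4", "O20", ...
        paths = extract_paths(line)

        if tag == "F2" and "UserInit=" in line:
            # userinit.exe is the expected value; anything appended to it is
            # launched at every interactive logon.
            for p in paths:
                if not p.lower().endswith("\\userinit.exe"):
                    findings.append(("extra UserInit entry", p, line))

        elif tag == "O4":
            for p in paths:
                low = p.lower()
                name = low.rsplit("\\", 1)[-1]
                if name in SYSTEM_BINARIES and not low.startswith(SYSTEM_DIRS):
                    findings.append(("system binary name outside system dir", p, line))
                if "\\recycler\\" in low or "\\temp\\" in low:
                    findings.append(("autorun from recycle bin or temp", p, line))

        elif tag == "O2" and "(no name)" in line:
            for p in paths:
                unnamed_bho_dlls[p.lower()] = line

        elif tag == "O20":
            for p in paths:
                notify_dlls[p.lower()] = line

    # One DLL holding both an unnamed BHO slot and a Winlogon Notify slot is
    # loaded into both Internet Explorer and winlogon; flag the overlap.
    for dll in sorted(set(unnamed_bho_dlls) & set(notify_dlls)):
        findings.append(("same DLL as unnamed BHO and Winlogon Notify",
                         dll, notify_dlls[dll]))
    return findings


if __name__ == "__main__":
    for reason, path, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {path}\n    {line}")
```

Running the script on the embedded sample reports four items: the second UserInit entry, the svchost.exe copy under Documents and Settings, the startup shortcut into RECYCLER, and byXQGyya.dll appearing in both the O2 and O20 sections. The named Java BHO and the iTunes Run entry pass all four checks.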


#2 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:51 AM

Posted 29 June 2008 - 08:02 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you. :thumbsup:

Please download ComboFix and save it to your desktop.

Prior to running Combofix.exe you should disable your antivirus program and disconnect from the internet.

Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:10:51 AM

Posted 20 July 2008 - 09:42 AM

As there has been no response, this thread will now be closed.

If you need this topic reopened, please contact a member of the HJT Team and we will reopen it for you.
Include the address of this thread in your request.



